Table of Contents
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 10-K
☒
☐
Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
Transition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the Annual Period Ended December 31, 2021
or
For the transition period from to
Commission file number 001-35662
QUALYS, INC.
(Exact name of registrant as specified in its charter)
Delaware
(State or other jurisdiction of
incorporation or organization)
77-0534145
(I.R.S. Employer
Identification Number)
919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404
(Address of principal executive offices, including zip code)
(650) 801-6100
(Registrant’s telephone number, including area code)
Title of each class
Common stock, $0.001 par value per share
Securities registered pursuant to section 12(b) of the Act:
Trading Symbol(s)
QLYS
Name of exchange on which registered
NASDAQ Stock Market
Securities registered pursuant to section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒ No ☐
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes ☐ No ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934
during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing
requirements for the past 90 days. Yes ☒ No ☐
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of
Regulation S-T during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes ☒ No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an
emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company”
in Rule 12b-2 of the Exchange Act.
☒
Large accelerated filer
Non-accelerated filer
Accelerated filer
☐
☐
Smaller reporting company
Emerging growth company
☐
☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or
revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control
over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued
its audit report. ☒
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes ☐ No ☒
As of June 30, 2021, the aggregate market value of voting shares of common stock held by non-affiliates of the registrant was $2,961 million based on the
last reported sale price of the registrant's common stock on June 30, 2021. Shares of common stock held by each executive officer and director and by each
person who owns 10% or more of the outstanding common stock have been excluded in that such persons may be deemed to be affiliates. This determination
of affiliate status is not necessarily a conclusive determination for other purposes.
The number of shares of the registrant's common stock outstanding as of February 16, 2022 was 39,029,415 shares.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's Proxy Statement for its 2022 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on
Form 10-K where indicated. Such proxy statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year
ended December 31, 2021.
�Table of Contents
Risk Factor Summary
Note Regarding Forward-Looking Statements
Business
Item 1.
Item 1A. Risk Factors
Item 1B. Unresolved Staff Comments
Item 2.
Item 3.
Item 4. Mine Safety Disclosures
Properties
Legal Proceedings
Qualys, Inc.
TABLE OF CONTENTS
PART I
PART II
[Reserved]
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Item 6.
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
Item 8.
Item 9.
Item 9A. Controls and Procedures
Item 9B. Other Information
Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
Financial Statements and Supplementary Data
Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
Item 10. Directors, Executive Officers and Corporate Governance
Item 11. Executive Compensation
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
Item 13. Certain Relationships and Related Transactions, and Director Independence
Item 14. Principal Accounting Fees and Services
PART III
Item 15. Exhibits and Financial Statement Schedules
Signatures
PART IV
2
Page
3
4
5
17
35
35
35
35
36
38
39
47
48
79
79
79
80
80
80
80
80
81
83
�Table of Contents
RISK FACTOR SUMMARY
Our business is subject to significant risks and uncertainties that make an investment in us speculative and risky. Below we summarize what we
believe are the principal risk factors but these risks are not the only ones we face, and you should carefully review and consider the full discussion of our
risk factors in the section titled “Risk Factors,” together with the other information in this Annual Report on Form 10-K. If any of the following risks
actually occurs (or if any of those listed elsewhere in this Annual Report on Form 10-K occur), our business, reputation, financial condition, results of
operations, revenue, and future prospects could be seriously harmed. Additional risks and uncertainties that we are unaware of, or that we currently
believe are not material, may also become important factors that adversely affect our business.
•
•
•
•
•
•
The continued spread of Coronavirus Disease 2019 (COVID-19), or any similar widespread infectious disease outbreak, could harm our
business, financial condition and results of operations.
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating
results and cause the trading price of our stock to decline.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet
those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial
condition may be harmed.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our
operating results and our business would be harmed.
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions
and attract new customers, our operating results would be harmed.
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our
operating results would be harmed.
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant
revenue, cost savings or other benefits in the near future.
Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and
adversely impact our reputation and future sales.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary
from period to period, which may cause our operating results to fluctuate and could harm our business.
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our IT, security and compliance solutions are delivered from eleven shared cloud platforms, and any disruption of service at these facilities would
interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
• We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have
•
an adverse effect on our business and results of operations.
If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
•
• We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution
•
•
•
•
•
•
•
•
•
•
•
channels, our revenues could decline and our growth prospects could suffer.
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number
of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and
operating results could be harmed.
Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to
improve our systems and processes, our operating results may be negatively affected.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in
liability.
Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and
other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source
software licenses could restrict our ability to sell our solutions.
• We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers
•
•
or harm to our reputation and our operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and
harm our business and operating results.
3
�Table of Contents
NOTE REGARDING FORWARD-LOOKING STATEMENTS
In addition to historical information, this Annual Report on Form 10-K contains "forward-looking" statements within the meaning of Section 21E of the
Securities Exchange Act of 1934, as amended, or the Exchange Act. Forward-looking statements generally relate to future events or our future financial or
operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as "anticipates," "believes,"
"contemplates," "continue," "could," "estimates," "expects," "future," "intends," "likely," "may," "plans," "potential," "predicts," "projects," "seek," "should,"
"target," or "will," or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-
looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generate positive cash
flow to fund our operations and sustain profitability;
anticipated technology trends, such as the use of cloud solutions;
our ability to adapt to changing market conditions;
the impact of the ongoing COVID-19 pandemic and related public health measures on our business;
economic and financial conditions, including volatility in foreign exchange rates;
our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursue new
customers;
the effects of increased competition in our market;
our ability to innovate and enhance our cloud solutions and platform and introduce new solutions;
our ability to effectively manage our growth;
our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;
maintaining and expanding our relationships with channel partners;
our ability to maintain, protect and enhance our brand and intellectual property;
costs associated with defending intellectual property infringement and other claims;
our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;
our ability to successfully enter new markets and manage our international expansion;
our expectations, assumptions and conclusions related to our income tax provision, our deferred tax assets and our effective tax rate; and
other factors discussed in this Annual Report on Form 10-K in the sections titled "Risk Factors," "Management's Discussion and Analysis of
Financial Condition and Results of Operations" and "Business."
We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections
about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The results, events and
circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factors including those described in
Part I, Item 1A (Risk Factors) of this Annual Report and those discussed in other documents we file with the U.S. Securities and Exchange
Commission (SEC). Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time,
and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements used herein. We cannot provide
assurance that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or
circumstances could differ materially from those described in the forward-looking statements.
You should not rely on forward-looking statements as predictions of future events. Except as required by law, neither we nor any other person assumes
responsibility for the accuracy and completeness of the forward-looking statements, and we undertake no obligation to update any forward-looking
statements to reflect events or circumstances after the date of such statements.
Qualys, the Qualys logo and other trademarks and service marks of Qualys appearing in this Annual Report on Form 10-K are the property of Qualys.
This Annual Report on Form 10-K also contains trademarks and trade names of other businesses that are the property of their respective holders. We have
omitted the ® and ™ designations, as applicable, for the trademarks used in this Annual Report on Form 10-K.
4
�Table of Contents
Item 1.
Business
Overview
PART I
We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. Our
integrated suite of IT, security and compliance solutions delivered on our Qualys Cloud Platform enables our customers to: 1) identify and manage their IT
assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze large amounts of IT security data; 3) discover and
prioritize vulnerabilities; 4) recommend and implement remediation actions; and 5) verify the implementation of such actions. This helps organizations
protect their systems and applications from ever-evolving cyber-attacks and helps achieve compliance with internal policies and external regulations.
Our cloud solutions address the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between
internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the
proliferation of geographically dispersed IT assets. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their IT
asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for
information technology, information security, application security, endpoint, developer security and cloud teams.
IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of
interconnected information systems and related IT assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical
and virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digital technologies intended to
improve organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures,
and result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more
difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate
security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. As a result, we believe there
is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions delivered in a single platform.
We designed our Qualys Cloud Platform to transform the way organizations secure and protect their IT infrastructures and applications. Our cloud
platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security assessments, and compliance
management for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network
perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly
deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premises enterprise software products. Our
customers, ranging from some of the largest global organizations to small businesses, are served from our globally-distributed cloud platform, enabling us to
rapidly deliver new solutions, enhancements and security updates.
We believe that our cloud platform provides our customers with unique advantages, including:
•
•
•
•
•
•
No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operating costs; all
services are accessible in the cloud via web interface. Qualys operates and maintains the platform.
Real-time visibility in one place, anytime and anywhere. Our customers can conveniently see their security and compliance posture across their
global IT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is
available.
Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at the perimeter, behind
the firewall, on dynamic cloud environments and on endpoints.
Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT, security and compliance needs of our
customers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.
Up to date resources. Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updates are made in
real-time.
Data stored securely. Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypted databases are
physically and logically secured.
5
�Table of Contents
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and
applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional
solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform
and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile
environments. These Cloud Apps address and include:
•
•
IT Security: Vulnerability Management (VM), Vulnerability Management, Detection and Response (VMDR), Threat Protection (TP),
Continuous Monitoring (CM), Patch Management (PM), Multi-Vector Endpoint Detection and Response (EDR), Certificate Assessment (CRA),
SaaS Detection and Response (SaaSDR), Secure Enterprise Mobility (SEM);
Compliance: Policy Compliance (PC), Security Configuration Assessment (SCA), PCI Compliance (PCI), File Integrity Monitoring (FIM),
Security Assessment Questionnaire (SAQ), Out of-Band Configuration Assessment (OCA);
• Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF);
•
•
Asset Management: Global Asset View (GAV), Cybersecurity Asset Management (CSAM), Certificate Inventory (CRI); and
Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security (CS).
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers
to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the
subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to
experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers
to our cloud platform.
Our Qualys Cloud Platform is currently used by over 10,000 customers worldwide, including a majority of each of the Forbes Global 100 and Fortune
100. Our revenues increased to $411.2 million in 2021 from $363.0 million in 2020 and $321.6 million in 2019.
Our Platform
Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud and container security
solutions, which we refer to as the Qualys Cloud Apps, that leverages our shared and extensible core services and our highly scalable multi-tenant cloud
infrastructure. We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into
their solutions and build applications on our cloud platform.
Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers to
respond to threats immediately. Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for
systems that are air-gapped or otherwise difficult to assess.
The Qualys Cloud Platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology
underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and
passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
6
�Table of Contents
Our cloud platform is delivered to our customers via our eleven global shared cloud platforms, or via our private platform offering, Qualys Private
Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's data center. The PCP is a standalone version of our
multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a
customer's data center. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform.
Our PCP utilizes hardware and software owned by us and is physically located on the customer's premises. The customer is not permitted to take possession
of the software or access the software code. We also offer our PCP as a subscription-based platform services to the customer using a virtual version of our
software. This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying
traditional enterprise software. We also offer Private Cloud Platform Appliance (PCPA), an on-premises IT, security and compliance solution packaged in a
form-factor for medium-sized companies.
Qualys Core Services
Our core services enable integrated workflows, management and real-time analysis and reporting across all of our IT, security and compliance solutions
for our customers inside their organizations, on the perimeter, on endpoints or in the cloud.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively
integrated unified platform. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security
and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful
Elasticsearch clusters enable customers to instantly find detailed data on any asset.
7
�Table of Contents
Our core services include:
•
•
•
•
•
•
Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT
environments and automates the process of inventory management and hierarchical organization of IT assets. Built on top of this core service is
the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for information on any IT asset, scaling
to millions of assets for customers of all sizes, helping IT and security personnel to search IT assets and maintain an up-to-date inventory on a
continuous basis.
Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on their roles
and access privileges.
Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and capture existing
business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation
and to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation.
This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open
tickets once patches are applied and remediation is verified in subsequent scans.
Big Data Correlation and Analytics Engine. Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of
security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers to
quickly assess risk and access information for remediation, incident analysis and forensic investigations.
Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open
trouble tickets and system updates.
Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate,
making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their
organization’s security and compliance posture. The Qualys Cloud Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma
by drastically simplifying their security stacks and regaining unimpeded visibility across their IT environment.
The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as IT security,
compliance, web application security, asset management and cloud and container security solutions.
From inception through December 31, 2020, we have added the following Cloud Apps: VM, PC, PCI, WAS, WAF, CM, SAQ, TP, FIM,
GAV (including a free version), SCA, CS, CI, CSA, CRI, CRA, OCA, PM, VMDR, and EDR. In 2021, we introduced SaaSDR, SEM, and CSAM.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one
platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.
Our customers can subscribe to one or more of our IT, security and compliance Apps based on their initial needs and expand their subscriptions over
time to new areas within their organization or to additional Qualys solutions. For VMDR, we offer four editions of our Qualys Cloud App: Enterprise for
large enterprises, Express for medium-sized businesses, Express Lite for small-sized businesses, and Scan-on-Behalf for Scan-on-Behalf customers. For all
other Qualys Cloud Apps, we offer four editions: Enterprise for large enterprises, Express for medium-sized businesses, Express Lite for small-sized
businesses, and Consulting Edition for consultants, consulting organizations and Managed Service Providers (MSPs).
Many of our customers use multiple Cloud Apps to develop a more complete understanding of their respective environment’s IT, security and
compliance posture. The Qualys Cloud Platform currently provides the following Cloud Apps to our customers:
8
�Table of Contents
IT Security
Vulnerability Management (VM): VM is an industry leading and award-winning solution that automates network auditing and vulnerability
management across an organization, including network discovery and mapping, asset management, vulnerability reporting and remediation tracking. Driven
by our comprehensive knowledge base of known vulnerabilities, VM enables cost-effective protection against vulnerabilities without substantial resource
deployment.
Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment,
including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses
these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. Finally, VMDR
automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. By delivering all this in a single app
workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats, thus preventing possible
exploitation.
Threat Protection (TP): Thousands of new vulnerabilities are disclosed annually. With TP, customers can pinpoint their most critical threats and identify
what they need to remediate first. TP continuously correlates external threat information against a customer's vulnerabilities and IT asset inventory, so
customers know which threats pose the greatest risk to their organization at any given time. As Qualys engineers continuously validate and rate new threats
from internal and external sources, TP’s live feed displays the latest vulnerability disclosures and maps them to customers’ impacted IT assets. Customers
can see the assets affected by each threat, and drill down into details.
Continuous Monitoring (CM): Built on top of VM, CM is a next-generation cloud service that can detect network threats and unexpected changes
before they turn into breaches. Whenever CM spots an anomaly in a network, it immediately sends targeted, informative alerts to the right people for each
situation and each machine. CM tracks what happens throughout public perimeters, internal networks, and cloud environments - anywhere in the world.
Patch Management (PM): PM provides automated patch deployment capabilities by correlating vulnerabilities and patches. It continuously gathers and
uploads telemetry about installed software, open vulnerabilities and missing patches to the Qualys Cloud Platform. The resulting shared visibility of assets
and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze,
prioritize, deploy and verify patches more efficiently.
Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect
attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and
negatives, requiring organizations to use multiple point solutions and large incident response teams. Qualys fills the gaps by bringing a new multi-vector
approach and the unifying power of its highly scalable Cloud Platform to EDR, providing vital context and comprehensive visibility to the entire attack
chain, from prevention to detection to response. EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life
visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for
accurate assessment, detection and response.
Certificate Assessment (CRA): CRA assesses digital certificates and Transport Layer Security (TLS) configurations. CRA generates certificate instance
grades using a straightforward methodology that allows administrators to assess often overlooked server SSL/TLS configurations without having to become
SSL experts. It also identifies out-of-policy certificates with weak signatures or key length and shows how many unique Certificate Authorities were found in
the environment and how many certificates each one issued.
SaaS Detection and Response (SaaSDR): SaaSDR leverages the Qualys Cloud platform to provide continuous visibility into SaaS applications such as
Office 365, Salesforce and Zoom for configuration posture management, activity monitoring and data security insights.
Secure Enterprise Mobility (SEM): SEM extends the power of VMDR for in-depth inventory of mobile devices and their data, real time vulnerability
and misconfiguration detection, and built-in remediation with patch orchestration for all Android and iOS/iPadOS devices across the enterprise.
Compliance
Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and
continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance
assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different
hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC
enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions,
while demonstrating a repeatable auditable process for compliance management.
Security Configuration Assessment (SCA): SCA provides automatic assessment of IT assets’ configurations using the latest Center for Internet Security
(CIS) Benchmarks for operating systems, databases, applications and network devices. SCA provides intuitive workflows for assessing, monitoring,
reporting and remediating security-related configuration issues. SCA’s CIS assessments are provided via a web-based user interface and delivered from the
Qualys Cloud Platform, enabling centralized management with minimal deployment overhead. SCA users can automatically create downloadable reports and
view dashboards.
9
�Table of Contents
PCI Compliance (PCI): PCI streamlines and automates compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements for
protecting the collection, storage, processing and transmission of cardholder data. As an Approved Scanning Vendor, Qualys has been authorized by the PCI
Security Standards Council to conduct the required quarterly scans. PCI scans all Internet-facing networks and systems with Six Sigma (99.9996%) accuracy,
generates reports and provides detailed patching instructions. An auto-submission feature completes the compliance process once remediation is completed.
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.
FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks,
change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the critical
details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change
control policy enforcement and change monitoring requirements.
Security Assessment Questionnaire (SAQ): SAQ automates and streamlines third-party and internal risk assessment processes, obviating the need to
perform such processes manually via email and spreadsheets. SAQ easily designs surveys to assess procedural controls of IT and security policies and
practices. SAQ automates the launch and monitoring of assessment campaigns, making the process agile, accurate, comprehensive, centralized, scalable and
uniform across an organization. SAQ also provides tools for displaying, analyzing and acting on collected data, enabling the assessment of compliance with
industry standards, regulations and internal policies of third parties, like vendors and partners, and of employees.
Out-of-Band Configuration Assessment (OCA): The OCA sensor and Cloud App allows customers to achieve complete visibility of all known IT
infrastructure by pushing vulnerability and configuration data to the Qualys Cloud Platform from systems that are otherwise difficult to assess, such as highly
locked-down systems, systems on disconnected or “air gap” networks, or in environments that are highly sensitive to scans. OCA’s expanded data collection
approach significantly broadens the types of technologies supported by the Qualys Cloud Platform and provides deeper assessment of configuration so that
customers have better visibility into potentially critical vulnerabilities and misconfigurations across their entire environment.
Web Application Security
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects
vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-
based web apps, mobile app backends, and Internet of things (IoT) services. Its seamless integration with the Qualys Web Application Firewall (WAF)
enables verification of attack protection, ticket creation and one click mitigation of vulnerabilities. WAS' powerful API enables integration with other systems
and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with
WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By Integrating WAS with
manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program.
Web Application Firewall (WAF): WAF permits the reduction of application security cost and complexity with a unified platform to prevent any
attempt to exploit vulnerabilities. Simple, scalable and adaptive, WAF enables the quick blocking of attacks, prevents disclosure of sensitive information, and
controls when and where customer applications are accessed. WAF and WAS work together seamlessly. Customers scan web apps with WAS, deploy one-
click virtual patches if needed in WAF, and manage it all from a centralized cloud-based portal. WAF can be deployed in minutes on prem or in the cloud, as
a virtual machine or a container, supports load-balancing as well as TLS offloading, and does not require special hardware.
Asset Management
Global Asset View (GAV): GAV constantly gathers information on all assets, including system and hardware details, running services, open ports,
installed software and user accounts. Asset discovery and inventory collection is done through a combination of Qualys network scanners, Cloud Agents and
passive scanners, which together collect comprehensive data from on-premises or cloud infrastructure as well as remote endpoints. In order to create
consistent and uniform asset data, GAV normalizes raw discovery data to standardize every manufacturer name, product name, model and software version
using Qualys’ ever-evolving technology catalog as a reference. This catalog automatically extends IT asset inventory with non-discoverable metadata such as
hardware and software release dates, end of life dates, and license categories. This new data layer allows teams to detect issues such as unauthorized
software, outdated hardware or end-of-life software, which can help properly tag, support, and secure business-critical assets. Additionally, customers can
sync their asset information with ServiceNow CMDB.
10
�Table of Contents
Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of the Qualys Cloud Platform with its multiple
native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and
risk context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and
assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in
support of FedRAMP, PCI-DSS and other mandates.
Certificate Inventory (CRI): CRI continuously scans global IT assets from a single console to discover internal and external certificates issued from any
certificate authority across all enterprise IT assets, both on premise and in the cloud. As a result, certificates can be renewed before they expire, which stops
certificate-related outages and improves availability. It collects all certificate, vulnerability and configuration data required for certificate inventory and
analysis. CRI also reveals how many certificates are out of compliance or do not follow organizational policies for key length, for signature algorithms or for
the use of trusted and approved Certificate Authorities through the use of highly customizable dashboards and provides users a comprehensive overview of
Qualys SSL Labs-caliber certificate grades for internal and externally facing certificates.
Cloud / Container Security
Cloud Inventory (CI): CI delivers continuous visibility into public cloud accounts. In one single-pane view, it inventories virtual machines, storage
buckets, databases, security groups, Access Control Lists (ACLs), Elastic Load Balancers (ELBs) and users – across all regions, multiple accounts and
multiple cloud platforms. CI continuously tracks assets and enables users to quickly understand the topography of their cloud environment and uncover the
root cause of incidents.
Cloud Security Assessment (CSA): CSA provides a continuous assessment of the security posture of an organization’s cloud resources against
misconfigurations, malicious behavior, and nonstandard deployments. CSA evaluates resources against CIS benchmarks and best practices to identify
misconfigured storage buckets, security groups, Relational Database Service, exposing data and the resource for public exploitation. CSA correlates host
vulnerabilities and compliance data into intelligent insights which allow users to quickly detect risks throughout their complex cloud environments.
With CSA, users gain real-time visibility into their up-to-date security and compliance posture of public clouds in one single-pane view.
Container Security (CS): CS delivers container-native visibility and protection throughout the entire lifecycle of containerized applications. It
incorporates scanning of container images for software composition and enforcement of hardened container stack configurations for continuous
policy compliance, whether the images are on the build machines, in the container registries or in the runtime cluster nodes. CS uses a unique 'layered-in'
approach to provide deep visibility into all the application activities and automatically creates a behavior profile, which is enforced on each container for
runtime protection. By integrating with continuous integration and continuous delivery pipelines and toolchains, CS enables DevSecOps processes and
transparent enforcement of security and compliance without compromising the speed and agility of containers and serverless deployment models. This leads
to significant cost benefits for enterprises compared to certain legacy security solutions.
Free Services
We also offer organizations of all sizes free security and compliance services based on the Qualys Cloud Platform:
•
Qualys Global Asset View app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT
footprint across on-premises, endpoints, multi-cloud, mobile, containers, operational technology and IoT. The app also automatically normalizes
and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services,
installed software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an
unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a
vulnerability scan.
•
•
•
Qualys Community Edition automatically gathers and analyzes security and compliance data from hybrid IT environments to provide a complete,
continuously updated, and instant view of monitored IT assets on-premises or in the cloud, as well as web apps, from a single-pane-of-glass
interface. The Community Edition is limited to one user with data retention for three months.
Qualys CloudView continuously discovers and tracks assets and resources across public cloud deployments to provide users both real-time and
historical views of cloud inventory. It collects metadata about cloud assets and resources to help users understand the relationships between public
cloud assets and resources across different dimensions and then discover their threat posture based on those attributes and relationships.
CloudView is limited to three accounts per public cloud platform.
Qualys CertView inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer
and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.
11
�Table of Contents
Our Growth Strategy
We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our
growth strategy are:
•
•
•
•
Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in research
and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our
existing suite of solutions. From inception through December 31, 2020, we have added the following Cloud Apps: PC, PCI, WAS, WAF, CM,
SAQ, TP, FIM, GAV (including a free version), SCA, CS, CI, CSA, CRI, CRA, OCA, PM, VMDR, and EDR. In 2021, we introduced SaaSDR,
SEM, and CSAM.
Expand the use of our suite of solutions by our large and diverse customer base. With more than 10,000 customers, across many industries and
geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their use of our suite of
solutions. Because our customers typically initially deploy one or two of our solutions in select parts of their IT infrastructures, our existing
customers serve as a strong source of new sales as they expand their scope and increase their subscriptions or choose to adopt additional solutions
from our integrated suite of IT, security and compliance offerings. In this regard, we continue to expand our sales execution and marketing
functions to increase adoption of our newly developed solutions among our existing customers.
Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts, releasing free IT, security
and compliance services and expanding both our sales and marketing organization and network of channel partners. We will continue to seek to
make significant investments to encourage organizations to replace their existing security products with our cloud solutions. We intend to expand
our relationships with key security consulting organizations, managed security service providers and value-added resellers to accelerate the
adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and
market awareness of our cloud platform and target new geographic regions. We also plan to partner with such security providers that can host our
private cloud offering within their data centers, helping us expand our reach in new markets and new geographies.
Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that are
complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our
own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions. In 2021, we acquired
certain intangible assets of Kandor Soft Labs Private Ltd. (TotalCloud), strengthening our cloud security solution by allowing customers to build
user-defined workflows for custom policies and execute them on-demand for simplified security and compliance. In 2020, we acquired certain
intangible assets of Spell Security Private Limited (Spell Security), expanding our endpoint behavior detection, threat hunting, malware research
and multi-layered response capabilities for our EDR application. In 2019, we acquired Adya Inc. (Adya), enabling us to provide companies of all
sizes with the ability to consolidate administration of their Software as a Service (SaaS) applications into one console, manage license costs across
SaaS applications, set and enforce security policies in one place and report and audit on all activity with a single tool.
Our Customers
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries,
including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2021,
we had over 10,000 customers worldwide, including a majority of each of the Forbes Global 100 and Fortune 100. In each of 2021, 2020 and 2019, no one
customer accounted for more than 10% of our revenues. In 2021, 2020 and 2019, 61%, 63% and 64%, respectively, of our revenues were derived from
customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our
field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel
partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.
Sales and Marketing
Sales
We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network of
channel partners.
12
�Table of Contents
Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000
employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000
employees. Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific.
We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.
Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with
services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer our IT, security
and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect with these
prospective customers to offer our solutions. Our channel partners include security consulting organizations, managed service providers and resellers, such as
Accenture, BT Managed Security, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, Hindustan Computers Limited (HCL)
Technologies, International Business Machines (IBM), Infosys, Nippon Telegraph and Telephone Corporation (NTT), Optiv, SecureWorks, Tata
Communications, Verizon, Wipro and TD SYNNEX Corporation (TD SYNNEX). Qualys has also established strategic partnerships with leading cloud
providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist
in developing and closing an order. When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the
subscription to the customer, with the channel partner earning a fee based on the total value of the order. Once the order is completed, we provide these
customers with direct access to our solutions and other associated back-office applications, enabling us to establish a direct relationship as part of ensuring
customer satisfaction with our solutions. At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with
our sales team providing assistance as required. In 2021, 2020 and 2019, 41%, 42% and 42%, respectively, of our revenues were generated by channel
partners.
Marketing
Our marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar
campaigns targeted at key decision makers within our prospective customers.
We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials and services to
allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloud platform, and to
quantify the potential benefits of our solutions.
Customer Support
Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and
Pune, India. We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to
resolve issues quickly. Our IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the need
for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. In addition, we leverage the
insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure customer
satisfaction and play a critical role in retaining and expanding our customer base.
13
�Table of Contents
Research and Development and Operations
We devote significant resources to maintain, enhance and add new functionality to our Qualys Cloud Platform and the integrated suite of solutions that
we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions. In addition to
our development teams, we also built a sophisticated research team focused on identifying threats and developing signatures for vulnerabilities and
compliance checks so that we can provide our customers with daily updates and enable them to scan their assets for the latest threats. We conduct our
research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world. Our
focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback for threat
research, product development and innovations. We typically release updates to our solutions, including enhancements and new features multiple times a
year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.
The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating the delivery of
new functionalities to customers. Our research and development team also works collaboratively with our technical support team to ensure customer
satisfaction and with our sales team to accelerate the adoption of our solutions.
Manufacturing Agreement
Our physical appliances are provided by TD SYNNEX, pursuant to a manufacturing services agreement dated March 1, 2011. Under this agreement,
TD SYNNEX manufactures, assembles and tests our physical scanner appliances. This agreement is automatically renewed annually, unless terminated (i) at
any time upon the mutual written agreement of us and TD SYNNEX, (ii) by either party upon 90 days or more written notice, (iii) upon written notice,
subject to applicable cure periods, if the other party has materially breached its obligations under the agreement or (iv) by either party upon the other party
seeking an order for relief under the bankruptcy laws of the United States or similar laws of any other jurisdiction, a composition with or assignment for the
benefit of creditors, or dissolution or liquidation.
Shared Cloud Platform Agreements
Our shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the
Netherlands, United Arab Emirates, Australia, United Kingdom and India. Our shared cloud platform agreements have varying terms through 2025.
Competition
The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT,
security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance
vendors and data security vendors in a highly fragmented and competitive environment.
We compete with large and small public companies, such as Belden (Tripwire), Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto
Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Ivanti, Netsparker, Tanium,
Trustwave Holdings and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we
continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and
firewalls, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT,
security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models,
ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. We believe that our suite of
solutions generally competes favorably with respect to these factors. However, many of our primary competitors have greater name recognition, longer
operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do.
14
�Table of Contents
Intellectual Property
We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual
property rights and protect our proprietary technology. As of December 31, 2021, we have twenty-six issued patents, which expire from 2029 to 2039,
several pending U.S. patent applications and an exclusive license to four U.S. patents. The inbound license remains in effect until the licensed patents are no
longer enforceable, unless the applicable license agreement is first terminated by us or terminated by the licensor for a breach of the agreement or if we
undergo certain bankruptcy events. The licenses are currently exclusive and will remain exclusive so long as we make an appropriately-timed written election
and pay an annual fixed royalty for ten years thereafter. These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and
subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks. We require our employees,
consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other
proprietary information. We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years
designing and developing the Qualys Cloud Platform, which we believe differentiates us from our competitors.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and
the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.
Human Capital Resources
We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work, develop
their careers, become leaders, and make a difference for all our stakeholders and communities. Doing the right thing for our people, our communities and our
environment upholds the trust of our customers, partners, employees, and stockholders, enabling us to grow our business profitably and meet the diverse
needs of our constituents.
As of December 31, 2021, we had 1,823 full-time employees, including 941 in research and development, 308 in sales and marketing, 402 in operations
and customer support, and 172 in general and administrative. As of December 31, 2021, approximately 75% of our employees were located outside of the
United States, with 67% of our employees located in Pune, India. None of our U.S. employees are covered by collective bargaining agreements. Employees
in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we
have not experienced any work stoppages.
Diversity and Inclusion
We are proud to be a leader in the promotion and practice of diversity and inclusion. In addition to having offices and employees all over the world, we
take pride in our cultural diversity. Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills,
experiences, and backgrounds. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an
inclusive environment.
Our board of directors and executive team are highly diverse. Three out of our current eight member board of directors are women, one is a man from
an underrepresented community, and the board of directors seeks to identify strong candidates who provide a wide range of perspectives, competencies, and
knowledge to complement the skills, diversity and experiences of the board of directors. Further, our executive team is gender and ethnically diverse, with
more than 50% of the executive team from underrepresented communities.
15
�Table of Contents
Health and Safety
We recognize that a healthy environment and safe workplaces are critical to our business, strategy, and communities. We address environmental issues
in an integrated manner to encompass protection of the environment as well as the health and safety of our workforce. For example, in response to COVID-
19 and the significant increases in remote workforces in March 2020, we mandated a work from home policy to protect our employees and our communities.
We also released a free cloud-based remote endpoint protection solution for 60 days that allowed IT and security teams to protect the computers of remote
employees and support the health and safety of our communities.
With the ongoing COVID-19 pandemic, our workforce continues to operate remotely, and our top priority remains providing support for our employees,
partners, and customers. We are fortunate that the nature of our business allows us to successfully operate in this dynamic work-from-home environment. We
have been able to successfully adapt to the current challenges and deliver results despite the pandemic while continuing to protect the health and safety of our
workforce and customers.
We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure
workplace. With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and prohibits
discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming practices),
marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information, age, veteran
status, or any other protected characteristic. Creating a respectful workplace and preventing harassment to our employees remain our on-going commitment.
Compensation and Benefits
We provide robust compensation and benefits to our employees. In addition to competitive base salaries, all qualified employees are eligible for variable
pay and equity awards.
To support the health and wellness of our workforce, we offer premium health coverage with minimal out-of-pocket contributions for our global
employees.
Training and Development
We have experience with managing and developing a rapidly growing employee base. We believe every employee makes a difference, so we empower
them in their roles and support them for maximum professional growth. We assist employees in achieving their career goals by helping them improve their
skillsets and transition to other challenging roles. To support career growth inside and outside Qualys, we offer free self-paced or instructor-led certified
training on core Qualys topics giving employees and non-employees an opportunity to achieve certifications.
Available Information
Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal
executive offices is (650) 801-6100, and our main corporate website is www.qualys.com. Information contained on, or that can be accessed through, our
website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this Annual Report on Form 10-K is an inactive
textual reference only.
We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those
reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge on our website,
www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. Additionally, copies of materials filed by
us with the SEC may be accessed at the SEC's website, www.sec.gov.
16
�Table of Contents
Item 1A.
Risk Factors
An investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, and all
other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, before making a
decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adversely affected by any
of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment. In
addition, the risks and uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects could
also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.
Risks Related to Our Business and Industry
The continued spread of COVID-19, or any similar widespread infectious disease outbreak, could harm our business, financial condition and results of
operations.
In December 2019, an outbreak of COVID-19 originated in Wuhan, China and has since spread to countries around the world. On March 11, 2020, the
World Health Organization characterized COVID-19 as a pandemic. The continued spread of COVID-19 and the resurgence of infection rates in certain
regions has resulted in authorities imposing, and businesses and individuals implementing, numerous unprecedented measures to try to contain the virus, such
as travel bans and restrictions, quarantines, shelter-in-place/stay-at-home and social distancing orders, and shutdowns. These measures have impacted and
may further impact our workforce and operations, the operations of our customers, and those of our respective vendors, suppliers, and partners. The pandemic
has significantly increased economic and demand uncertainty and disrupted the global supply chain. It is possible that the pandemic could cause an economic
slowdown or a global recession, which could decrease demand for our solutions and negatively impact our operating results. There is a significant degree of
uncertainty and lack of visibility as to the extent and duration of any such slowdown or recession.
The ultimate extent of the impact of COVID-19 on our business, financial position, results of operations and cash flows will depend on future
developments, which are highly uncertain and cannot be predicted at this time, including but not limited to, the duration of the pandemic, its severity, the
actions to contain the virus or treat its impact, future spikes of COVID-19 infections resulting in additional preventative measures to contain or mitigate the
spread of the virus, the effectiveness, distribution and acceptance of COVID-19 vaccines, including the vaccines’ efficacy against emerging COVID-19
variants, and how quickly and to what extent normal economic and operating conditions can resume. These impacts, individually or in the aggregate, could
have a material and adverse effect on our business, financial position, results of operations and cash flows. Such effect may be exacerbated in the event the
pandemic and the measures taken in response to it persist for an extended period of time. Under any of these circumstances, the resumption of normal
business operations may be delayed or hampered by lingering effects of COVID-19 on our operations, partners, and customers.
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results
and cause the trading price of our stock to decline.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors,
many of which are outside of our control, including:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
the level of demand for our solutions;
publicity regarding security breaches generally and the level of perceived threats to IT security;
expenses associated with our existing and new products and services;
changes in customer renewals of our solutions;
the extent to which customers subscribe for additional solutions;
seasonal buying patterns of our customers;
actual or perceived security breaches, technical difficulties or interruptions with our service;
changes in the growth rate of the IT, security and compliance market;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our
industry, including consolidation among our competitors;
the introduction or adoption of new technologies that compete with our solutions;
decisions by potential customers to purchase IT, security and compliance products or services from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
the timing of sales commissions relative to the recognition of revenues;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
failure of our products and services to operate as designed;
price competition;
17
�Table of Contents
•
•
•
•
•
•
•
•
•
•
•
•
•
the length of our sales cycle for our products and services;
insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions;
timely invoicing or changes in billing terms of customers;
timing of deals signed within the quarter;
pace and cost of hiring employees;
changes in foreign currency exchange rates;
general economic conditions, both domestically and in the foreign markets in which we sell our solutions;
future accounting pronouncements or changes in our accounting policies;
our ability to integrate any products or services that we may acquire in the future into our product suite or migrate existing customers of any
companies that we may acquire in the future to our products and services;
our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements;
the amount and timing of income tax that we recognize resulting from stock-based compensation;
the timing of expenses related to the development or acquisition of technologies, services or businesses; and
potential goodwill and intangible asset impairment charges associated with acquired businesses.
Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in
foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new
or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.
Each factor above or discussed elsewhere in this Annual Report on Form 10-K or the cumulative effect of some of these factors may result in
fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or
those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed in nature and based
on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate the negative impact on margins in
the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the
trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those
needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be
harmed.
The IT, security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and service life
cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards and
regulatory mandates. Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well
as our ability to attract new customers. Our future success will depend on our ability to enhance existing solutions, introduce new solutions on a timely and
cost-effective basis, meet changing customer needs, extend our core technology into new applications, and anticipate and respond to emerging standards and
business models. We must also continually change and improve our solutions in response to changes in operating systems, application software, computer
and communications hardware, networking software, data center architectures, programming tools and computer language technology.
We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs or opportunities in
a timely manner or at all. The market for cloud solutions for IT, security and compliance continues to evolve, and it is uncertain whether our new solutions
will gain market acceptance.
18
�Table of Contents
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
•
•
•
•
•
•
•
•
•
•
failure to timely meet market demand for product functionality;
inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers;
inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers;
defects, errors or failures;
delays in releasing our enhancements or new solutions;
negative publicity about their performance or effectiveness;
introduction or anticipated introduction of products by our competitors;
poor business conditions, causing customers to delay IT, security and compliance purchases;
easing or changing of external regulations related to IT, security and compliance; and
reluctance of customers to purchase cloud solutions for IT, security and compliance.
Furthermore, diversifying our solutions and expanding into new IT, security and compliance markets will require significant investment and planning,
require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us more directly into
competition with IT, security compliance providers that may be better established or have greater resources than we do, require additional investment of time
and resources in the development and training of our channel partners and entail significant risk of failure.
If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a
timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing
customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results
and our business would be harmed.
Our future growth depends upon our ability to continue to meet the expanding needs of our customers as their use of our cloud platform grows. As these
customers gain more experience with our solutions, the number of users and the number of locations where our solutions are being accessed may expand
rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend to continue to make significant
investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform. These technologies, which include
databases, applications and server optimizations, and network and hosting strategies, are often complex, new and unproven. We may not be successful in
developing or implementing these technologies. To the extent that we do not effectively scale our platform to maintain performance as our customers expand
their use of our platform, our operating results and our business may be harmed.
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions and attract
new customers, our operating results would be harmed.
We offer our Qualys Cloud Platform and integrated suite of solutions pursuant to a software-as-a-service model, and our customers purchase
subscriptions from us that are generally one year in length. Our customers have no obligation to renew their subscriptions after their subscription period
expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers
renewing their existing subscriptions and purchasing additional subscriptions and solutions. Our customers may choose not to renew their subscriptions to
our solutions or purchase additional solutions due to a number of factors, including their satisfaction or dissatisfaction with our solutions, the prices of our
solutions, the prices of products or services offered by our competitors, reductions in our customers’ spending levels due to the macroeconomic environment
or other factors. If our customers do not renew their subscriptions to our solutions, renew on less favorable terms, or do not purchase additional solutions or
subscriptions, our revenues may grow more slowly than expected or decline and our operating results would be harmed.
In addition, our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues in the future will
depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from those customers. If we fail to
attract new customers, our revenues may grow more slowly than expected and our operating results would be harmed.
19
�Table of Contents
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results
would be harmed.
Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and
compliance. To date, some organizations have been reluctant to use cloud solutions because they have concerns regarding the risks associated with the
reliability or security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents, loss of
customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively
impacted. Moreover, many organizations have invested substantial personnel and financial resources to integrate on-premise software into their businesses,
and as a result may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-premise security products, such as network firewalls,
security information and event management products or data loss prevention solutions, may also believe that these products sufficiently protect their IT
infrastructure and deliver adequate security. Therefore, they may continue spending their IT security budgets on these products and may not adopt our IT,
security and compliance solutions in addition to or as a replacement for such products.
If customers do not recognize the benefits of our cloud solutions over traditional on-premise enterprise software products, and as a result we are unable
to increase sales of subscriptions to our solutions, then our revenues may not grow or may decline, and our operating results would be harmed.
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue,
cost savings or other benefits in the near future.
We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain our competitive
position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurance that such activities
will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenue or other expected benefits. If
we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of
operations may be materially and adversely affected.
Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely
impact our reputation and future sales.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including
traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware,
social engineering, denial of service attacks, and phishing attempts. We and our service providers could be a target of cyber-attacks or other malfeasance
designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems,
misappropriate proprietary information and/or cause interruptions to our services. We and our service providers have experienced and may continue to
experience security incidents and attacks of varying degrees from time to time. For example, in December 2020, we were notified by a service provider,
Accellion, of a zero-day vulnerability affecting an Accellion FTA server that we deployed to transfer information as part of our customer support system. In
response to this incident, we engaged third-party forensic experts to investigate and determined that attackers illegally obtained certain information from the
Accellion FTA server. We notified affected customers, as we deemed was required or appropriate. We have incurred costs to respond to this incident and may
continue to incur costs to support our efforts to enhance our security measures.
Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including
intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely during the current
COVID-19 pandemic, we and our service providers are at increased risk for security breaches. We have taken and intend to continue to take steps to monitor
and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the unprecedented scale
of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our cloud platform,
or any systems, IT infrastructure networks, or data upon which we rely. Further, because our operations involve providing IT security solutions to our
customers, we may be targeted for cyber-attacks and other security incidents. A breach in our data security or an attack against our service availability, or that
of our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and
exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed,
used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm. If an actual or perceived disruption in the
availability of our solutions or the breach of our security measures or those of our service providers occurs, it could adversely affect the market perception of
our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales,
and it may expose us to the loss or alteration of information, litigation, regulatory actions and investigations and possible liability. Any such actual or
perceived security breach or disruption could also divert the efforts of our technical and management personnel. We also may incur significant costs and
operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived
security incidents, as well as the costs to comply with any notification obligations resulting from any security incidents. In addition, any such actual or
perceived security breach could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be
harmed, our revenues could decline and our business could suffer.
Although we maintain insurance coverage that may be applicable to certain liabilities in the event of a security breach or other security incident, we
cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on
economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large
claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the
imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition,
operating results and reputation.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to
period, which may cause our operating results to fluctuate and could harm our business.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly
with large transactions. We sell subscriptions to our IT, security and compliance solutions primarily to IT departments that are managing a growing set of
user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged
our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies
significantly, which has also made our sales cycle long and unpredictable. The length of the sales cycle for our solutions typically ranges from six to twelve
months but can be more than eighteen months. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result
we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business.
�20
�Table of Contents
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our business depends on the overall demand for IT and on the economic health of our current and prospective customers. Economic weakness, customer
financial difficulties, and constrained spending on IT security may result in decreased revenue and earnings. Such factors could make it difficult to accurately
forecast our sales and operating results and could negatively affect our ability to provide accurate forecasts to our contract manufacturers. In addition,
continued governmental budgetary challenges in the United States and Europe and geopolitical turmoil in many parts of the world have and may continue to
put pressure on global economic conditions and overall spending on IT security. General economic weakness may also lead to longer collection cycles for
payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments.
Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European
Union, may adversely impact our customers' available budgetary spending, which could lead to delays in planned purchases of our solutions.
Additionally, uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements as
well as geopolitical turmoil and other disruptions to global and regional economies and markets in many parts of the world, have and may continue to put
pressure on global economic conditions and overall spending on IT security. We have operations, as well as current and potential customers, throughout most
of Europe. If economic conditions in Europe and other key markets for our platform continue to remain uncertain or deteriorate further, many customers may
delay or reduce their IT spending.
Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future
or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial
difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business,
financial condition and results of operations.
Our IT, security and compliance solutions are delivered from eleven shared cloud platforms, and any disruption of service at these facilities would
interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
We currently host substantially all of our solutions from third-party shared cloud platforms in the United States, Canada, Switzerland, the Netherlands,
United Arab Emirates, Australia, United Kingdom and India. These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods,
fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, telecommunications failures and similar events. The facilities also could be
subject to break-ins, sabotage, intentional acts of vandalism and other misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a
decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.
Some of our shared cloud platforms are not currently redundant and we may not be able to rapidly move our customers from one shared cloud
platform to another, which may increase delays in the restoration of our service for our customers if an adverse event occurs. We have added shared cloud
platforms to provide additional capacity and to enable disaster recovery. We continue to build out these facilities; however, these additional facilities may not
be operational in the anticipated time-frame and we may incur unplanned expenses.
Additionally, our existing shared cloud platform providers have no obligations to renew their agreements with us on commercially reasonable terms, or
at all. If we are unable to renew our agreements with the facilities providers on commercially reasonable terms or if in the future we add additional shared
cloud platform providers, we may experience costs or downtime in connection with the loss of an existing facility, or the transfer to, or addition of, new
facilities.
Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’ businesses.
Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liability and cause customers to
terminate their subscriptions or not renew their subscriptions.
21
�Table of Contents
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a
highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broad product suites and
greater name recognition and resources than we have, as well as from small companies focused on specialized security solutions.
We compete with large and small public companies, such as Belden (Tripwire), Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto
Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Ivanti, Netsparker, Tanium,
Trustwave Holdings and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we
continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and
firewalls, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT,
security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models,
ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. Many of our existing and
potential competitors have competitive advantages, including:
•
•
•
•
•
•
•
•
•
greater brand name recognition;
larger sales and marketing budgets and resources;
broader distribution networks and more established relationships with distributors and customers;
access to larger customer bases;
greater customer support resources;
greater resources to make acquisitions;
greater resources to develop and introduce products that compete with our solutions;
greater resources to meet relevant regulatory requirements; and
substantially greater financial, technical and other resources.
As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards
or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expect competition to
intensify in the future.
In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other
software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited
functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing
pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often in a better position to
withstand any significant reduction in capital spending and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further
enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third
parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more
quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand
substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than
we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors.
The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely impact our
financial results.
The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of
solutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues to increase in
the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures.
Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle
them with other products and subscriptions. Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British
Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that
partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency. We cannot assure you
that we will be successful in developing and introducing new offerings with enhanced functionality on a timely basis, or that our new product and
subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to maintain positive gross margins and
profitability.
22
�Table of Contents
If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues and operating results
could be harmed.
We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industry standards.
For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and
maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data. Industry
organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their
standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that
could impact the demand for or value of our solutions.
If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite our
customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. In addition, if
regulations and standards related to data security, vulnerability management and other IT, security and compliance requirements are relaxed or the penalties
for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less
critical to their businesses, and our customers may be less willing to purchase our solutions. In any of these cases, our revenues and operating results could be
harmed.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse
effect on our business and results of operations.
If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new and increasingly
complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect all vulnerabilities. Additionally, our
IT, security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, some of our solutions rely on
information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from a variety of sources,
including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the potential for
false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability or usability of
our solutions and may therefore adversely impact market acceptance of our solutions and could result in negative publicity, loss of customers and sales,
increased costs to remedy any incorrect information or problem, or claims by aggrieved parties. Similar issues may be generated by the misuse of our tools to
identify and exploit vulnerabilities.
Further, our solutions sometimes are tested against other security products, and may fail to perform as effectively, or to be perceived as performing as
effectively, as competitive products for any number of reasons, including misconfiguration. To the extent current or potential customers, channel partners, or
others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as
competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation
could be harmed.
In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization. As such, our
solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by
attacks that infiltrate their networks through such devices.
An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure
of our solutions, could adversely affect the market’s perception of our security solutions.
If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel
and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions. We plan to continue to expand our
sales force and make a significant investment in our sales and marketing activities. Our recent hires and planned hires may not become as productive as
quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where
we do business. Competition for highly skilled personnel is frequently intense and we may not be able to compete for these employees. If we are unable to
recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth of our business may be harmed. Additionally, if our
efforts do not result in increased revenues, our operating results could be negatively impacted due to the upfront operating expenses associated with
expanding our sales force.
23
�Table of Contents
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution
channels, our revenues could decline and our growth prospects could suffer.
Our success significantly depends upon establishing and maintaining relationships with a variety of channel partners and we anticipate that we will
continue to depend on these partners in order to grow our business. For the years ended December 31, 2021, 2020 and 2019, we derived approximately 41%,
42% and 42%, respectively, of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived
from channel partners may increase in future periods. Our agreements with our channel partners are generally non-exclusive and do not prohibit them from
working with our competitors or offering competing solutions, and many of our channel partners have more established relationships with our competitors. If
our channel partners choose to place greater emphasis on products of their own or those offered by our competitors, do not effectively market and sell our
solutions, or fail to meet the needs of our customers, then our ability to grow our business and sell our solutions may be adversely affected. In addition, the
loss of one or more of our larger channel partners, who may cease marketing our solutions with limited or no notice, and our possible inability to replace
them, could adversely affect our sales. Moreover, our ability to expand our distribution channels depends in part on our ability to educate our channel
partners about our solutions, which can be complex. Our failure to recruit additional channel partners, or any reduction or delay in their sales of our solutions
or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Even if we are successful, these
relationships may not result in greater customer usage of our solutions or increased revenues.
In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of these channel
partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of such distributors to
obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affect the cash flows of our
channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Our business could be harmed if the
financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel partners.
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks
associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be
harmed.
We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales offices
and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business
with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with having
international sales and worldwide operations, including:
•
•
•
•
•
•
•
•
•
•
•
foreign currency exchange fluctuations;
trade and foreign exchange restrictions;
economic or political instability in foreign markets, including as a result of increasing tensions between India and China;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements;
tax laws (including U.S. taxes on foreign subsidiaries);
difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control
laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign
markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact
financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
•
• management communication and integration problems resulting from cultural differences and geographic dispersion; and
• multiple and possibly overlapping tax structures.
24
�Table of Contents
Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from
country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign
countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to
us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that all of
our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control policies
by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or
the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of operations. If we are
unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected.
In addition, as of December 31, 2021, approximately 75% of our employees were located outside of the United States, with
67% of our employees located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee
relationships in various U.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair
labor standards, employee data privacy, unemployment tax rates, workers’ compensation rates, citizenship requirements and
payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our international
operations and international sales and marketing activities. Expansion in international markets has required, and will continue to
require, significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as
our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which
would cause our results to suffer.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of
operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year
ended December 31, 2021, we incurred approximately 28% of our expenses in foreign currencies, primarily Euros, British Pounds,
and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian
operations. Additionally, for the year ended December 31, 2021, approximately 23% of our revenues were generated in foreign
currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and
financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years
and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in
U.S. dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital
and operating expenditures, will continue to be denominated in the Euro, British Pound and Indian Rupee. The results of our
operations may be adversely affected by foreign exchange fluctuations.
We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward
contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated net asset positions, to date
primarily cash, accounts receivable and operating lease liabilities (non-designated), as well as to manage foreign currency
fluctuation risk related to forecasted transactions (designated). However, we may not be able to purchase derivative instruments
that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to
increased losses as a result of volatility in foreign currency markets.
Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or
are unable to improve our systems and processes, our operating results may be negatively affected.
We have experienced significant growth over the last several years. Our revenues grew from $321.6 million in 2019 to $411.2
million in 2021, and our headcount increased from 1,194 employees at the beginning of 2019 to1,823 employees as of December
31, 2021. We rely on information technology systems to help manage critical functions such as order processing, revenue
recognition and financial forecasts. To manage any future growth effectively we must continue to improve and expand our IT
systems, financial infrastructure, and operating and administrative systems and controls, and continue to manage headcount, capital
and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and processes
in a timely or efficient manner.
Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability
to manage the growth of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses.
In addition, as we continue to grow, our productivity and the quality of our solutions may also be adversely affected if we do not
integrate and train our new employees quickly and effectively. Any future growth would add complexity to our organization and
require effective coordination across our organization. Failure to manage any future growth effectively could result in increased
costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.
We depend on the continued services and performance of our senior management and other key employees, the loss of any of
whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and continuing contributions of our senior management and other
key employees, to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not
maintain key-man insurance for any member of our senior management team. Our senior management and key employees are
generally employed on an at-will basis, which means that they could terminate their employment with us at any time. From time to
time, there may be changes in our senior management team resulting from the termination or departure of executives. For example,
our former chief executive officer resigned for health reasons in March 2021, and our current chief executive officer was appointed
to the role in April 2021. The loss of the services of our senior management or other key employees for any reason could
�significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial
condition and results of operations.
25
�Table of Contents
If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of the services of any of our key
personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales, may seriously harm
our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled
personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel.
We are required under accounting principles generally accepted in the United States (U.S. GAAP) to recognize compensation expense in our operating
results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results and may increase the
pressure to limit stock-based compensation that we might otherwise offer to current or potential employees, thereby potentially harming our ability to attract
or retain highly skilled personnel. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that they have been
improperly solicited or divulged proprietary or other confidential information, which could result in a diversion of management's time and our resources.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including security solutions,
and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercial organizations. Selling to
government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any assurance
that we will win a sale. We have invested in the creation of a cloud offering certified under the Federal Information Security Management Act for
government usage but we cannot be sure that we will continue to sustain or renew this certification, that the government will continue to mandate such
certification or that other government agencies or entities will use this cloud offering. Government demand and payment for our solutions may be impacted
by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions.
Government entities may have contractual or other legal rights to terminate contracts with our channel partners for convenience or due to a default, and any
such termination may adversely impact our future results of operations. Governments routinely investigate and audit government contractors’ administrative
processes, and any unfavorable audit could result in the government refusing to continue buying our solutions, a reduction of revenues or fines or civil or
criminal liability if the audit uncovers improper or illegal activities. Any such penalties could adversely impact our results of operations in a material way.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For
example, we acquired Adya on January 10, 2019, certain intellectual property of Spell Security on July 24, 2020, and certain intellectual property of
TotalCloud on August 19, 2021. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed
what we would prefer to pay. Moreover, achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired
operations, products and technology in a timely and cost-effective manner, and even if we achieve benefits from acquisitions, such acquisitions may still be
viewed negatively by customers, financial markets or investors. The acquisition and integration process is complex, expensive and time-consuming, and may
cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companies, as well as divert the attention
of management, and we may incur substantial cost and expense. We may issue equity securities which could dilute current stockholders’ ownership, incur
debt, assume contingent or other liabilities and expend cash in acquisitions, which could negatively impact our financial position, stockholder equity and
stock price. We may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful. If we consummate a transaction, we may be
unable to integrate and manage acquired products and businesses effectively or retain key personnel. If we are unable to effectively execute acquisitions, our
business, financial condition and operating results could be adversely affected.
26
�Table of Contents
We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could
adversely impact our business and operations.
We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human
resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially
reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our
solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could
harm our business.
Delays or interruptions in the manufacturing and delivery of our physical scanner appliances by our sole source manufacturer may harm our business.
Upon customer request, we provide physical or virtual scanner appliances on a subscription basis as an additional capability to the customer’s
subscription for use during their subscription term. Our physical scanner appliances are built by a single manufacturer. Our reliance on a sole manufacturer
involves several risks, including a potential inability to obtain an adequate supply of physical scanner appliances and limited control over pricing, quality and
timely deployment of such scanner appliances. In addition, replacing this manufacturer may be difficult and could result in an inability or delay in deploying
our solutions to customers that request physical scanner appliances as part of their subscriptions.
Furthermore, our manufacturer’s ability to timely manufacture and ship our physical scanner appliances depends on a variety of factors, such as the
availability of hardware components, supply shortages or contractual restrictions. In the event of an interruption from this manufacturer, we may not be able
to develop alternate or secondary sources in a timely manner. If we are unable to purchase physical scanner appliances in quantities sufficient to meet our
requirements on a timely basis, we may not be able to effectively deploy our solutions to new customers that request physical scanner appliances, which
could harm our business.
Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.
If our customers are unable to implement our solutions successfully, customer perceptions of our platform and solutions may be impaired or our
reputation and brand may suffer. Our customers have in the past inadvertently misused our solutions, which triggered downtime in their internal
infrastructure until the problem was resolved. Additionally, any failure to implement and configure our solutions correctly may result in our solutions failing
to detect vulnerabilities or compliance issues, or otherwise to perform effectively, and may result in disruptions to our customers’ IT environments and
businesses. Any misuse of our solutions, including any failure to implement and configure them appropriately, could result in disruption to our customers’
businesses, customer dissatisfaction, negative impacts on the perceived reliability or effectiveness of our solutions, and claims and litigation, and may result
in negative press coverage, negative effects on our reputation and competitive position, a loss of sales, customers, and channel partners, and harm our
financial results.
We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases in bookings are not
immediately reflected in our operating results.
We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of our reported
revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previous quarters. Consequently, a
shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but could negatively affect revenues in future
periods. Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results of operations until future periods. We may be
unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Our subscription model also makes it difficult for us to
rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period.
Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by man-made problems
such as terrorism.
A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business,
operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco Bay Area, a
region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform services for us on a timely basis. In the
event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be delayed,
resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region from which
we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may materially and
adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of our
business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our
suppliers prove to be inadequate. To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our
business, financial condition and results of operations could be adversely affected.
27
�Table of Contents
Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or
defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found from time to time in the
future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions for IT, security and compliance
reasons, any errors, defects, disruptions in service or other performance problems with our solutions, or any other failure of our solutions to detect
vulnerabilities or compliance problems or otherwise to perform effectively, may result in disruptions or damage to the business of our customers, including
security breaches or compliance failures. Additionally, any such issues, or the perception that they have occurred, whether or not relating to any actual or
perceived error or defect in our solutions, could hurt our reputation and competitive position and we may incur significant costs, the attention of key
personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew, we could face a loss of sales, customers, and channel
partners, and other significant problems with our relationships with customers and channel partners may arise. We may also be subject to liability claims for
damages related to actual or perceived errors or defects in our solutions. A material liability claim or other occurrence that harms our reputation or decreases
market acceptance of our solutions may harm our business, competitive and financial position, and operating results.
Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our
insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable
terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed
available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-
insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.
Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data
handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
We collect the names and email addresses of our customers in connection with subscriptions to our solutions. Additionally, the data that our solutions
collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’
employees and their customers. Personal privacy has become a significant issue in the United States and in many other countries where we offer our
solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. Many
federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use,
disclosure and retention of personal information. In the United States, these include, for example, rules and regulations promulgated under the authority of
the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification
laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our
customers must comply.
These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating
levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and enacted. For
example, the European Union has adopted the Global Data Protection Regulation (“GDPR”). This regulation, which took effect in May of 2018, provides for
substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can
be up to four percent of the previous year’s annual revenue or €20 million, whichever is higher. The GDPR may be subject to new or changing interpretations
by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid. Similarly, the California
Consumer Privacy Act (“CCPA”) requires covered companies to, among other things, provide new disclosures to California consumers and affords such
consumers new rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain
breaches of information. Certain aspects of the CCPA and its interpretation remain uncertain and are likely to remain uncertain for an extended
period. Additionally, a new privacy law, the California Privacy Rights Act (“CPRA”), was approved by voters in the November 3, 2020 election. The CPRA
modifies the CCPA significantly, creating obligations relating to consumer data beginning on January 1, 2022, with implementing regulations expected on or
before July 1, 2022, and enforcement beginning July 1, 2023. Passage of the CPRA has resulted in further uncertainty and may require us to incur additional
costs and expenses in an effort to comply. In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal
information, and such regimes might not be compatible with the GDPR, the CCPA or the CPRA or may require us to undertake additional practices.
Accordingly, we cannot yet predict the impact of the CCPA, CRPA or other evolving privacy and data protection obligations on our business or operations,
but it may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.
The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United
Kingdom enacted a Data Protection Act in May 2018 that substantially implements the GDPR, but the United Kingdom's exit from the European Union,
commonly referred to as “Brexit,” could lead to further legislative and regulatory changes. It remains unclear how United Kingdom data protection laws or
regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have joined
the EU-U.S. Privacy Shield Framework and a related program, the Swiss-U.S. Privacy Shield Framework and make use of certain standard contractual
clauses (the “SCCs”) approved by the European Commission, with regard to certain transfers of personal data from the European Economic Area (“EEA”) to
the U.S. Both the EU-U.S. Privacy Shield Framework and SCCs have been subject to legal challenge. We continue to analyze the July 2020 “Schrems II”
decision by the Court of Justice of the European Union (“CJEU”) and its impact on our data transfer mechanisms as well as subsequent guidance from data
privacy regulators and new SCCs published by the European Commission in June 2021, and we may find it necessary or appropriate to take different or
additional steps with respect to transfers of personal data, which may result in increased costs of compliance and limitations on our customers and us. We may
be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA or Switzerland. We may experience reluctance or
refusal by current or prospective European customers to use our products, and we and our customers may face a risk of enforcement actions by data protection
authorities in the EEA relating to personal data transfers to us and by us from the EEA. Any such enforcement actions could result in substantial costs and
diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. Some
countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost
and complexity of delivering our services.
In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacy standards that
either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws, regulations, standards and
contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data
management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits
and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to
fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and
�features, any of which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or any actual
or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us,
damage our reputation, inhibit sales of subscriptions and harm our business.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the
businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whether valid or not valid,
may inhibit market adoption of our solutions particularly in certain industries and foreign countries.
28
�Table of Contents
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software
licenses could restrict our ability to sell our solutions.
Our solutions contain software licensed to us by third-parties under so-called “open source” licenses, including the GNU General Public License, the
GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that
distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property
rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights.
Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not
provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require
that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such
open source software continue to be licensed under the same terms. If we combine our proprietary software with open source software in certain ways, we
could, in some circumstances, be required to release the source code of our proprietary software to the public. Disclosing the source code of our proprietary
software could make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our solutions, which could
result in our solutions failing to provide our customers with the security they expect from our services. This could harm our business and reputation.
Disclosing our proprietary source code also could allow our competitors to create similar products with lower development effort and time and ultimately
could result in a loss of sales for us. Any of these events could have a material adverse effect on our business, operating results and financial condition.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid
subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk
that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In this
event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source
code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which
could adversely affect our business, operating results and financial condition.
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm
to our reputation and our operating results.
We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software or
data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in
the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which
could harm our business. In addition, any errors or defects in or failures of this third-party software or data could result in errors or defects in our solutions or
cause our solutions to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for
such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation
and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not
contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our
operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual
property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through a combination of
confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology and trade secrets,
unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisions that we enter into with
employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietary technology or intellectual
property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property
rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult, expensive and time-consuming, particularly in
foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement
of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies
or intellectual property rights.
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent
applications at a reasonable cost or in a timely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to
pursue patent protection in certain jurisdictions.
Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not
provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual
property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patent does not guarantee
that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patent protection or to enforce our issued
patents effectively.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to
determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could
result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to
protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and
effort required to create the innovative solutions that have enabled us to be successful to date.
29
�Table of Contents
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our
business and operating results.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of
patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement,
misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners
whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties.
As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of
intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even
those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent
infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent
rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product
revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found
to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
•
•
•
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be
successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property
rights; and
indemnify our partners and other third parties.
•
•
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant
royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology
licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.
Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of
Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may
be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations. U.S.
export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of
encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our
solutions, when applicable, could harm our international sales and adversely affect our revenues. Compliance with applicable regulatory requirements
regarding the export of our solutions, including with respect to new releases of our solutions, may create delays in the introduction of our solutions in
international markets, prevent our customers with international operations from deploying our solutions throughout their globally-distributed systems or, in
some cases, prevent the export of our solutions to some countries altogether. In addition, various countries regulate the import of our appliance-based
solutions and have enacted laws that could limit our ability to distribute solutions or could limit our customers’ ability to implement our solutions in those
countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the
countries, persons or technologies targeted by such regulations, could result in decreased use of our solutions by existing customers with international
operations, declining adoption of our solutions by new customers with international operations and decreased revenues. If we fail to comply with export and
import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges.
If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales
may decrease.
Taxing jurisdictions, including state and local entities, have differing rules and regulations governing sales and use or other taxes, and these rules and
regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our subscription services in
various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as tax
authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We
could also be subject to audits with respect to state and international jurisdictions for which we may not have accrued tax liabilities. A successful assertion
that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for sales
taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our solutions or otherwise harm our business and
operating results.
30
�Table of Contents
Changes in our income tax provision or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating
results. We could be subject to additional taxes.
We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities are subject to the
allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax
rates, certain non-deductible expenses and excess tax benefits arising from stock-based compensation, other tax benefits and credits, and the valuation of
deferred tax assets and liabilities. Increases in our effective tax rate could harm our operating results.
Additionally, significant judgment is required in evaluating our tax positions and our worldwide tax provisions. During the ordinary course of business,
there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could
be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income
tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated
earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred
tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes
against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our
historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a
determination is made.
Risks Related to Ownership of Our Common Stock
Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of
which we cannot predict or control, including:
•
•
•
•
•
•
•
•
•
•
•
announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
fluctuations in stock market prices and trading volumes of securities of similar companies;
general market conditions and overall fluctuations in U.S. equity markets;
variations in our operating results, or the operating results of our competitors;
changes in our financial guidance or securities analysts’ estimates of our financial performance;
changes in accounting principles;
sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
additions or departures of any of our key personnel;
announcements related to litigation;
changing legal or regulatory developments in the United States and other countries; and
discussion of us or our stock price by the financial press and in online investor communities.
In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial price and
volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the
trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of
volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigation claims brought
against us could result in substantial expenses and the diversion of our management’s attention from our business.
31
�Table of Contents
Our actual operating results may differ significantly from our guidance.
From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earnings releases, or
otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance, which includes forward-
looking statements, has been and will be based on projections prepared by our management. These projections are not prepared with a view toward
compliance with published guidelines of the American Institute of Certified Public Accountants, and neither our registered public accountants nor any other
independent expert or outside party compiles or examines the projections. Accordingly, no such person expresses any opinion or any other form of assurance
with respect to the projections.
Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject to significant
business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with
respect to future business decisions, some of which will change. We intend to state possible outcomes as high and low ranges which are intended to provide a
sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside of the suggested ranges. The principal
reason that we release guidance is to provide a basis for our management to discuss our business outlook with analysts and investors. We do not accept any
responsibility for any projections or reports published by any such third parties.
Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished by us will not
materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the
date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon
our guidance in making an investment decision regarding our common stock.
Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors”
section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse
and material.
Future sales of shares by existing stockholders could cause our stock price to decline.
The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by our directors,
executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, or the perception in
the market that holders of a large number of shares intend to sell their shares. As of December 31, 2021, we had 39.1 million shares of our common stock
outstanding.
In addition, as of December 31, 2021, there were 0.9 million restricted stock units and stock options to purchase 1.8 million shares of our common stock
outstanding. If such stock options are exercised and restricted stock units are released, these additional shares will become available for sale. As of December
31, 2021, we had 8.1 million shares of our common stock reserved for future grants under our 2012 Equity Incentive Plan and 0.6 million shares reserved for
future purchases under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance. If a large number of these
shares are sold in the public market, the sales could reduce the trading price of our common stock.
32
�Table of Contents
We cannot guarantee that our stock repurchase program will be fully consummated or that it will enhance stockholder value, and any stock repurchases
we make could affect the price of our common stock.
On February 12, 2018, we announced a $100.0 million stock repurchase program. On each of October 30, 2018, October 30, 2019, May 7, 2020,
February 10, 2021, we announced that our board of directors had authorized an increase of $100.0 million, and on November 3, 2021, we announced that our
board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $700.0 million to
date. Although our board of directors authorized this stock repurchase program, we are not obligated to repurchase any specific dollar amount or to acquire
any specific number of shares. The stock repurchase program could affect the price of our common stock, increase volatility and diminish our cash reserves.
In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. During the year ended
December 31, 2021, we repurchased 1.1 million shares of our common stock for approximately $130.0 million in total. As of December 31, 2021,
approximately $271.8 million remained available for share repurchases pursuant to our share repurchase program.
We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development,
operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders
will therefore be limited to the value of their stock.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our
stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent an acquisition of us
or a change in our management. These provisions include:
•
•
•
•
•
•
authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting,
liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a
takeover attempt;
a classified board of directors whose members can only be dismissed for cause;
the prohibition on actions by written consent of our stockholders;
the limitation on who may call a special meeting of stockholders;
the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted
upon at stockholder meetings; and
the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which
limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these
provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of
directors, they would apply even if an offer rejected by our board of directors were considered beneficial by some stockholders. In addition, these provisions
may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to
replace members of our board of directors, which is responsible for appointing the members of our management.
33
�Table of Contents
General Risk Factors
Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and
harming our results of operations.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our
business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to
changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and
potential customers of the value of our solutions even in light of new technologies, our business could be harmed and our revenues may decline.
We may not maintain profitability in the future.
We may not be able to sustain or increase our growth or maintain profitability in the future. We plan to continue to invest in our infrastructure, new
solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We may incur losses in
the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Annual Report on Form 10-K.
Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in
future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed and we may not again
achieve or maintain profitability in the future.
Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no
assurance that our business will grow at similar rates, or at all.
Growth forecasts relating to the expected growth in the market for IT, security and compliance and other markets are subject to significant uncertainty
and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecasted growth, we may not grow our
business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to
many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of our future growth.
Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates or judgments may prove
to be incorrect, which could harm our operating results and result in a decline in our stock price.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts
reported in the consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions
that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’s Discussion and Analysis of
Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities,
equity, revenues and expenses that are not readily apparent from other sources. Our operating results may be adversely affected if our assumptions change or
if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and
investors, resulting in a decline in our stock price. Significant assumptions and estimates used in preparing our consolidated financial statements include
those related to revenue recognition, accounting for income taxes and stock-based compensation.
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and various bodies formed
to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm our operating results and could have
a significant effect on our reporting of transactions and reported results and may even retroactively affect previously reported transactions. New accounting
pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the
questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way
we conduct our business.
34
�Table of Contents
If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or
comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act
of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To continue to comply with the requirements of being a
public company, we may need to undertake various actions, such as implementing additional internal controls and procedures and hiring additional
accounting or internal audit staff.
Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the
preparation of financial statements in accordance with U.S. GAAP. Our current controls and any new controls that we develop may become inadequate
because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in their improvement, could harm
our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal control over financial reporting also could
adversely affect the results of periodic management evaluations regarding the effectiveness of our internal control over financial reporting that we are
required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act. While we were able to assert in this Annual
Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2021, we cannot predict the outcome of our testing
in future periods. If we are unable to assert in any future reporting period that our internal control over financial reporting is effective (or if our independent
registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls), investors may lose confidence in our operating
results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the
NASDAQ Stock Market.
Item 1B.
Unresolved Staff Comments
None.
Item 2.
Properties
Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30,
2028. We also have 281,787 square feet of office space in Pune, India under a non-cancellable lease expiring in February 2025. We have additional U.S.
offices in North Carolina and Washington and other offices in France, Germany, Italy, Japan, the Netherlands, Russia, United Arab Emirates and United
Kingdom. We believe our facilities are adequate for our current needs and for the foreseeable future.
We operate data centers at third-party facilities in Santa Clara, California; Las Vegas, Nevada; Ontario, Canada; Geneva, Switzerland; Pune, India; and
Amsterdam, the Netherlands.
Item 3.
Legal Proceedings
From time to time the Company may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of
December 31, 2021, there has not been at least a reasonable possibility that the Company has incurred a material loss from any ongoing legal proceedings,
individually or taken together. However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are beyond the
Company's control. Should any of these estimates and assumptions change or prove to have been incorrect, the Company could incur significant charges
related to legal matters which could have a material impact on its results of operations, financial position and cash flows.
Item 4.
Mine Safety Disclosures
Not Applicable.
35
�Table of Contents
Item 5.
Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
PART II
Market Information
Our common stock is listed and traded on the Nasdaq Global Select Market under the symbol “QLYS”.
Holders of Record
As of February 14, 2022, there were approximately 58 holders of record of our common stock. Because many of our shares of common stock are held by
brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.
Dividend Policy
We have never declared or paid any cash dividends on our capital stock. We currently intend to retain any future earnings to fund business development
and growth, and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends will be made at the
discretion of our board of directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of
operations, capital requirements, contractual restrictions, general business conditions and other factors that our board of directors may deem relevant.
Securities Authorized for Issuance under Equity Compensation Plans
The following table summarizes information about our equity compensation plans as of December 31, 2021. All outstanding awards relate to our
common stock.
Plan Category
(a) Number of Securities
to be Issued Upon
Exercise of Outstanding
Options, Warrants and
Rights
(in thousands)
(b) Weighted-Average
Exercise Price of
Outstanding Options,
Warrants and Rights
(c) Number of Securities
Remaining Available for
Future Issuance Under
Equity Compensation
Plans (Excluding
Securities Reflected in
Column (a)
(in thousands)
Equity compensation plans approved by security holders (1)
Equity compensation plans not approved by security holders
2,755(2) $
— $
66.05(3)
—
8,691(4)
—
(1) Includes our 2000 Equity Incentive Plan (2000 Plan), 2012 Equity Incentive Plan (2012 Plan) and 2021 Employee Stock Purchase Plan (2021 ESPP).
(2) Consists of 917 thousand restricted stock units and 1,838 thousand shares underlying stock options.
(3) The weighted average exercise price is calculated based solely on outstanding stock options.
(4) Consists of 8,091 thousand shares reserved for issuance under our 2012 Plan and 600 thousand shares reserved for issuance under our 2021 ESPP. Our
2012 Plan provides that on the first day of each fiscal year, the number of shares authorized for issuance under the 2012 Plan is automatically increased by a
number equal to the least of (i) 3,050 thousand shares, (ii) five percent (5%) of the aggregate number of shares of common stock outstanding on the last day
of the immediately preceding fiscal year, or (iii) such number of shares that may be determined by our board of directors.
36
�Table of Contents
Stock Price Performance Graph
The following graph shows a comparison from December 31, 2016 through December 31, 2021 of the cumulative total return for an investment of $100
(and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the
S&P 500 Index. Such returns are based on historical results and are not intended to suggest future performance.
COMPARISON OF CUMULATIVE TOTAL RETURN*
Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index
* $100 invested on December 31, 2016 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.
Qualys, Inc.
NASDAQ Global Select Market
NASDAQ Computer
S&P 500
December 31,
2016
December 31,
2017
December 31,
2018
December 31,
2019
December 31,
2020
December 31,
2021
$
$
$
$
100.00 $
100.00 $
100.00 $
100.00 $
187.52 $
128.43 $
138.77 $
121.83 $
236.15 $
123.71 $
133.66 $
116.49 $
263.41 $
167.75 $
200.94 $
153.17 $
385.06 $
239.95 $
301.37 $
181.35 $
433.55
295.43
415.46
233.41
The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange
Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall
not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this
Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in
such filing.
37
�Table of Contents
Purchases of Equity Securities by the Issuer and Affiliated Purchasers
A summary of our repurchases of common stock during the three months ended December 31, 2021 is as follows:
Period
October 1, 2021 - October 31, 2021
November 1, 2021 - November 30, 2021
December 1, 2021 - December 31, 2021
Total
Total Number
of Shares
Purchased as
Part of
Publicly
Announced
Plan or
Program (1)
Approximate
Dollar Value
of Shares that
May Yet Be
Purchased
under the
Plan or
Program
84,500 $
97,221,477
95,141 $ 284,387,135
93,100 $ 271,824,993
272,741
Total Number
of Shares
Purchased
Average Price
Paid per Share
114.34
134.90
134.93
84,500 $
95,141 $
93,100 $
272,741
(1) On February 5, 2018, our board of directors authorized a $100.0 million two-year share repurchase program, which was announced on February 12,
2018. On each of October 30, 2018, October 30, 2019, May 7, 2020 and February 10, 2021, we announced that our board of directors had authorized an
increase of $100.0 million, and on November 3, 2021, we announced that our board of directors had authorized an increase of $200.0 million to the share
repurchase program, resulting in an aggregate authorization of $700.0 million to date. Shares may be repurchased from time to time on the open market in
accordance with Rule 10b-18 of the Exchange Act of 1934. We have entered into a pre-set trading plan adopted in accordance with Rule 10b5-1 under the
Exchange Act to effect repurchases under our share repurchase program. All share repurchases have been made using cash resources. Our share repurchase
program does not have an expiration date.
Item 6.
[RESERVED]
38
�Table of Contents
Item 7.
Management's Discussion and Analysis of Financial Condition and Results of Operations
You should read the following discussion in conjunction with our consolidated financial statements and the related notes included elsewhere in this
Annual Report on Form 10-K. You should carefully review and consider the information regarding our financial condition and results of operations set forth
under Part I-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the
fiscal year ended December 31, 2020, filed with the SEC on February 22, 2021, for an understanding of our results of operations and liquidity discussions
and analysis comparing fiscal year 2020 to fiscal year 2019. In addition to historical information, this discussion contains forward-looking statements that
involve risks and uncertainties that could cause our actual results to differ materially from our expectations, as discussed in "Forward-Looking Statements"
in Part I of this Annual Report on Form 10-K. Factors that could cause such differences include, but are not limited to, those described in the section titled
"Risk Factors" and elsewhere in this Annual Report on Form 10-K.
Overview
We are a pioneer and leading provider of a cloud-based platform delivering IT, security and compliance solutions that enable organizations to identify
security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal
policies and external regulations. Our cloud solutions address the growing security and compliance complexities and risks that are amplified by the
dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and
serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of IT, security and compliance solutions delivered on
our Qualys Cloud Platform enables our customers to identify and manage their IT assets, collect and analyze large amounts of IT security data, discover and
prioritize vulnerabilities, recommend and implement remediation actions and verify the implementation of such actions. Organizations use our integrated
suite of solutions to cost-effectively obtain a unified view of their IT asset inventory as well as security and compliance posture across globally-distributed IT
infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and
cloud teams.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and
applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional
solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform
and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile
environments. These Cloud Apps address and include:
•
•
IT Security: Vulnerability Management (VM), Vulnerability Management, Detection and Response (VMDR), Threat Protection (TP),
Continuous Monitoring (CM), Patch Management (PM), Multi-Vector Endpoint Detection and Response (EDR), Certificate Assessment
(CRA), SaaS Detection and Response (SaaSDR), Secure Enterprise Mobility (SEM);
Compliance: Policy Compliance (PC), Security Configuration Assessment (SCA), PCI Compliance (PCI), File Integrity Monitoring (FIM),
Security Assessment Questionnaire (SAQ), Out of-Band Configuration Assessment (OCA);
• Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF);
•
•
Asset Management: Global Asset View (GAV), Cybersecurity Asset Management (CSAM), Certificate Inventory (CRI); and
Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security (CS).
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers
to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the
subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to
experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers
to our cloud platform.
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries,
including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. In 2021, 2020 and 2019,
61%, 63% and 64%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our
solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales
force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and
consulting firms in the United States and internationally.
39
�Table of Contents
Impacts of COVID-19
In March 2020, the World Health Organization declared the outbreak of COVID-19 as a pandemic. As a result of COVID-19, we have modified certain
aspects of our business, including restricting employee travel, requiring employees to work from home, and canceling certain events and meetings, among
other modifications. We will continue to actively monitor the situation and may take further actions that alter our business operations as may be required by
federal, state or local authorities or that we determine are in the best interests of our employees, customers, partners, suppliers and stockholders. While we
have not incurred significant disruptions from the COVID-19 pandemic, we are unable to accurately predict the full impact that the pandemic will have due
to numerous uncertainties, including the availability and acceptance of COVID-19 vaccines as well as the effectiveness of the vaccines to new variants of the
disease, future actions that may be taken by governmental authorities and the impact of the pandemic on the businesses of our customers and partners. We
will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows.
Key Components of Results of Operations
Revenues
We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.
Subscriptions to our solutions allow customers to access our cloud-based IT, security and compliance solutions through a unified, web-based interface.
Customers generally enter into one-year renewable subscriptions. The subscription fee entitles the customer to an unlimited number of scans for a specified
number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner
appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures
within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. In some cases, we also provide certain
computer equipment used to extend our Qualys Cloud Platform into our customers' private cloud environment. Customers are required to return physical
scanner appliances and computer equipment if they do not renew their subscriptions.
We typically invoice our customers for the entire subscription amount at the start of the subscription term. Invoiced amounts are reflected on our
consolidated balance sheets as accounts receivable or as cash when collected, and as deferred revenues until earned and recognized ratably over the
subscription period. Accordingly, deferred revenues represent the amount billed to customers that has not yet been earned or recognized as revenues,
pursuant to subscriptions entered into in current and prior periods.
Cost of Revenues
Cost of revenues consists primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based
compensation, for employees who operate our data centers and provide support services to our customers. Other expenses include depreciation of data center
equipment, physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions, expenses related to the use of
third-party data centers and cloud infrastructures, amortization of software and license fees, amortization of intangibles related to acquisitions, maintenance
support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations. We expect to continue to make capital
investments to expand and support our data center and cloud infrastructure operations, which will increase the cost of revenues in absolute dollars.
Operating Expenses
Research and Development
Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and
stock-based compensation, for our research and development teams. Other expenses include third-party contractor fees, software and license fees,
amortization of intangibles related to acquisitions and overhead allocations.
40
�Table of Contents
Sales and Marketing
Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based
compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing and promotional events, lead-
generation marketing programs, public relations, travel, software licenses and overhead allocations. Sales commissions related to new business and upsells
are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. We expense
sales commissions related to contract renewals as incurred. Our new sales personnel are typically not immediately productive, and the resulting increase in
sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to become
productive. The timing of our hiring of sales personnel, or the participation in new marketing events or programs, and the rate at which these generate
incremental revenues, may affect our future operating results. We expect to continue to significantly invest in additional sales personnel worldwide and also
in more marketing programs to support new solutions on our platform, which will increase sales and marketing expenses in absolute dollars.
General and Administrative
General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and
stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software
licenses and overhead allocations. We expect that general and administrative expenses will increase in absolute dollars, as we continue to add personnel and
incur professional services to support our growth and compliance with legal requirements.
Other Income (Expense), Net
Our other income (expense), net consists primarily of interest and investment income from our short-term and long-term marketable securities
and foreign exchange gains and losses, the majority of which result from fluctuations between the U.S. Dollar and the Euro, British Pound ("GBP") and
Indian Rupee ("INR").
Income Tax Provision
We are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining our income tax
provision and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which were generally
similar to the U.S. statutory tax rate.
41
�Table of Contents
Results of Operations
The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues:
Revenues
Cost of revenues
Gross profit
Operating expenses:
Research and development
Sales and marketing
General and administrative
Total operating expenses
Income from operations
Total other income, net
Income before income taxes
Income tax provision
Net income
Year Ended December 31,
2020
2021
100%
22
78
20
19
18
57
21
—
21
4
17%
100%
22
78
20
19
12
51
27
1
28
3
25%
Comparison of Years Ended December 31, 2021 and 2020
Revenues
Revenues
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
411,172 $
362,963 $
48,209
13%
Revenues increased by $48.2 million in 2021 compared to 2020, due to an increase in IT Security, Compliance, Web Application Security, Asset
Management and Cloud and Container Security subscriptions. The revenue growth was primarily from an increase in renewal and expansion business in
2021 compared to 2020. Of the total increase of $48.2 million, $20.3 million was from customers in the United States and the remaining $27.9 million was
from customers in foreign countries. In 2021, 59% of total revenue was direct and 41% of total revenue was through partners. Of the total increase of $48.2
million, $30.4 million was direct and $17.8 million was from partners. With our strong market position driving further demand for our solutions, we expect
revenue growth from new and existing customers to continue.
42
�Table of Contents
Cost of Revenues
Cost of revenues
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
89,439 $
79,226 $
10,213
13%
Cost of revenues increased by $10.2 million in 2021 compared to 2020, due to an increase in personnel costs of $6.3 million driven by additional
employees hired to support the growth of our business, an increase in data center and cloud costs of $2.0 million to meet growing demand and an increase in
depreciation and amortization expense of $1.5 million as more computer equipment was placed in service.
Research and Development Expenses
Research and development
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
81,289 $
72,548 $
8,741
12%
Research and development expenses increased by $8.7 million in 2021 compared to 2020, due to an increase in personnel costs of $5.5 million
primarily driven by additional employees hired to support the growth of our business, an increase in software costs of $1.0 million, an increase in
professional services fees of $0.9 million, an increase in data center and cloud costs of $0.8 million for our ongoing research and development efforts and an
increase in depreciation and amortization expense of $0.7 million as more computer equipment was placed in service.
Sales and Marketing Expenses
Sales and marketing
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
76,487 $
67,965 $
8,522
13%
Sales and marketing expenses increased by $8.5 million in 2021 compared to 2020, due to an increase in commissions of $3.4 million driven by higher
revenues, an increase in personnel costs of $2.8 million driven by additional employees hired to support the growth of our business, an increase in travel and
trade show related costs of $1.1 million associated with the easing of COVID-19 related travel restrictions and an increase in license and subscription costs of
$0.8 million.
43
�Table of Contents
General and Administrative Expenses
General and administrative
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
76,274 $
46,570 $
29,704
64%
General and administrative expenses increased by $29.7 million in 2021 compared to 2020, due to an increase in stock-based compensation expense of
$28.7 million primarily driven by accelerated vesting relating to the resignation of our former chief executive officer and an increase in personnel costs of
$1.6 million driven by additional employees hired to support the growth of our business.
Total other income, net
Total other income, net
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
1,714 $
5,383 $
(3,669)
(68)%
Total other income, net decreased by $3.7 million in 2021 compared to 2020, due to a decrease in interest income of $3.1 million driven by lower yield
and an increase in foreign exchange loss of $0.6 million.
Income tax provision
Income tax provision
Year Ended
December 31,
Change
2021
2020
$
%
(in thousands, except percentages)
$
18,437 $
10,465 $
7,972
76%
Income tax provision increased by $8.0 million in 2021 compared to 2020, due to a reduction in excess tax benefits from stock-based compensation and
an increase in income after permanent tax adjustments related to the former CEO’s accelerated stock-based compensation.
44
�Table of Contents
Key Non-GAAP Metric
In addition to measures of financial performance presented in our consolidated financial statements, we monitor the non-GAAP key metric set forth
below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.
Adjusted EBITDA
We monitor Adjusted EBITDA, a non-GAAP financial measure, to analyze our financial results and believe that it is useful to investors, as a
supplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial
performance. We believe that Adjusted EBITDA helps illustrate underlying trends in our business that could otherwise be masked by the effect of the income
or expenses that we exclude in Adjusted EBITDA. Furthermore, we use this measure to establish budgets and operational goals for managing our business
and evaluating our performance. We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core
business operating results over multiple periods with other companies in our industry.
Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP. We
calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and
expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5) stock-
based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business.
Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in
accordance with U.S. GAAP. Some of these limitations are:
•
•
•
•
Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring;
Adjusted EBITDA does not reflect income tax payments that reduce cash available to us;
Adjusted EBITDA excludes depreciation and amortization of property and equipment and amortization of intangible assets, although these
are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and
Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness
as a comparative measure.
Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income,
cash flows from operating activities and our financial results presented in accordance with U.S. GAAP.
The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2021 and 2020.
Year Ended December 31,
2020
2021
Net income
Depreciation and amortization of property and equipment
Amortization of intangible assets
Income tax provision
Stock-based compensation
Total other income, net
Adjusted EBITDA
Percentage of revenues
45
$
$
$
(in thousands)
70,960
29,236
6,661
18,437
67,579
(1,714)
$
46%
191,159
91,572
26,556
6,289
10,465
40,035
(5,383)
169,534
47%
�Table of Contents
Liquidity and Capital Resources
As of December 31, 2021, our principal source of liquidity was cash, cash equivalents and marketable securities of $516.5 million, including
$57.0 million of cash held outside of the United States. The following summary of cash flows for the periods indicated has been derived from our
consolidated financial statements included elsewhere in this report:
Cash provided by operating activities
Cash used in investing activities
Cash used in financing activities
Net increase (decrease) in cash, cash equivalents and restricted cash
Operating Activities
Year Ended December 31,
2020
2021
(in thousands)
$
$
200,616 $
(29,532)
(107,888)
63,196 $
180,086
(80,932)
(112,581)
(13,427)
In 2021, we generated $169.6 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation
expense, depreciation and amortization expense and deferred taxes, as compared to $169.4 million in 2020. In addition, we also generated $31.0 million of
cash from working capital change in 2021, of which $37.4 million was related to net increase in deferred revenue and accounts receivable as a result of our
continued growth in billing and collection, partially offset by higher prepaid income taxes of $6.9 million. In 2020, we generated $10.7 million of cash from
working capital change, which was also mainly related to deferred revenue and accounts receivable due to continued growth in billing and collection.
Investing Activities
In 2021, we used $4.5 million of cash in marketable securities investment, $24.4 million of cash in capital expenditures mainly related to computer
equipment to support our growth and development and $1.1 million of cash to acquire certain technology assets, as compared to $49.8 million of cash used in
marketable securities investment, $29.6 million of cash used in capital expenditures and $1.5 million of cash used for acquisition of technology assets in
2020.
Financing Activities
In 2021, we used $130.0 million of cash for share repurchase and $27.8 million of cash in payment of employee withholding taxes upon vesting of
restricted stock units and received $50.0 million of proceeds from employee exercise of stock options, as compared to $126.7 million of cash used for share
repurchase, $20.2 million of cash used in payment of employee withholding taxes upon vesting of restricted stock units and $34.5 million of cash received
from employee exercise of stock options in 2020. Net cash used in financing activities are expected to be higher in 2022 due to expected higher volume of
share repurchase and lower cash receipt from stock option exercise, mainly due to the resignation of our former CEO.
We believe our existing cash and cash equivalents, marketable securities and our expected cash flow generated from operations will be sufficient to
fund our operations for the next twelve months and beyond. We do not anticipate that we will need funds generated from foreign operations to fund our
domestic operations. However, if we repatriate these funds, we could be subject to foreign withholding taxes.
Our material cash requirements mainly include the following contractual and other obligations:
• Our operating lease obligations to make payments under our non-cancelable lease agreements for our facilities and data centers. We had fixed
operating lease payment obligations of $54.2 million as of December 31, 2021, with $14.5 million expected to be paid within the next 12 months.
• Cash outflow for capital expenditures in 2022 is expected to be in a range of $25.0 million to $30.0 million. Our future capital requirements will
depend on many factors, including our rate of revenue growth, the expansion of our sales and marketing activities, the timing, type and extent of
our spending on research and development efforts, international expansion and investment in data centers and cloud infrastructures. We may also
seek to invest in or acquire complementary businesses or technologies.
• Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $36.4 million, of which $16.4 million
is expected to be paid within the next 12 months.
We expect to continue to use cash to repurchase shares in 2022 under our share repurchase program authorized by our board of directors on February 5,
2018. As of December 31, 2021, our board of directors had authorized an aggregate amount of $700.0 million for repurchases under our share repurchase
program, of which approximately $271.8 million remained available. Shares will be repurchased from time to time on the open market in accordance with
Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act.
46
�Table of Contents
Critical Accounting Estimates
The preparation of our consolidated financial statements in accordance with U.S. GAAP requires us to make estimates and assumptions that affect the
reported amounts of assets, liabilities, revenues, expenses and related disclosures. Our significant accounting policies are described in Note 1 - The Company
and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial
Statements and Supplementary Data" of this Annual Report on Form 10-K. On an ongoing basis, we evaluate our estimates and assumptions based on
historical and anticipated results and trends that we believe represent our best estimate under the circumstances. However, as accounting estimates are subject
to inherent uncertainty, our actual results may differ from these estimates under different assumptions or conditions.
Income Taxes
Significant assumptions, judgments and estimates are involved in determining our provision for (benefit from) income taxes, our deferred tax assets and
liabilities, and any valuation allowance to be recorded against our deferred tax assets. Our judgments, assumptions and estimates relating to the current
provision for income taxes include the geographic mix and amount of income (loss), our interpretation of current tax laws, and possible outcomes of current
and future audits conducted by foreign and domestic tax authorities. Our judgments also include anticipating the tax positions we will record in the financial
statements before preparing and filing the tax returns. Our estimates and assumptions may differ from the actual results as reflected in our income tax returns
and we record the required adjustments when they are identified or resolved. Changes in our business and tax laws or our interpretation of those, and
developments in current and future tax audits, could significantly impact the amounts provided for income taxes in our results of operations, financial
position, or cash flows.
The assessment of tax effects of our uncertain tax positions in our financial statements involves significant judgment in interpreting complex and
ambiguous tax laws, regulations, and administrative practices, determining the probability of various possible settlement outcomes, evaluating the litigation
process based on tax authority behaviors in similar cases, and estimating the likelihood that another taxing authority could review the respective tax position.
These judgments are inherently challenging and subjective because a taxing authority may change its behavior at any time. We must also determine when it is
reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end. We
reevaluate our income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax laws, effectively settled
issues under audit, the potential for interest and penalties, and new audit activity. Such a change in recognition or measurement would result in recognition of
a tax benefit or an additional charge to the tax provision.
Stock-Based Compensation
We recognize the fair value of our employee stock options and restricted stock units, including performance-based restricted stock units, over the
requisite service period. The fair value of each stock option is estimated on date of grant using the Black-Scholes-Merton option pricing model. Determining
the appropriate fair value model and calculating the fair value of employee stock options requires the use of subjective assumptions, including the expected
life of the stock option and stock price volatility. The recognition of expenses for performance based restricted stock units requires us to estimate the
probability that the performance condition will be achieved and the number of awards that will vest are adjusted accordingly at each reporting period. The
assumptions used in calculating the fair value of employee stock options and estimating the probability of achievement of performance metrics represent
management’s best estimates, which require significant judgment and involve inherent uncertainties. While not material to the current year, if factors change
and we use different assumptions, our stock-based compensation expense could be materially different in the future.
Item 7A.
Quantitative and Qualitative Disclosures about Market Risk
We have domestic and international operations and we are exposed to market risks in the ordinary course of our business. These risks primarily include
interest rate, foreign exchange and inflation risks, as well as risks relating to changes in the general economic conditions in the countries where we conduct
business. To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees
in advance.
Foreign Currency Risk
Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange
rates, particularly changes in exchange rates between the U.S. Dollar and the Euro, GBP, INR, Canadian Dollar ("C$") and Swiss Franc ("CHF"), the
currencies of countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our
exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated
assets or liabilities. As of December 31, 2021, we had designated cash flow hedge forward contracts with notional amounts of €29.8 million, £9.4 million
and Rs.2,955.3 million and non-designated forward contracts with notional amounts of €34.5 million, £11.6 million, Rs.74.9 million, C$2.5 million and
CHF1.0 million. With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our
financial condition, operating results or cash flows.
Interest Rate Sensitivity
We had $516.5 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2021. Cash and cash
equivalents include cash held in banks, highly liquid money market funds and commercial paper. Marketable securities consist of fixed-income U.S. Treasury
and government agency securities, commercial paper corporate bonds, asset-backed securities and foreign government securities. The primary objectives of
our investment activities are the preservation of principal and support of our liquidity requirements. We do not invest for trading or speculative purposes. Our
marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value. As of
December 31, 2021, a hypothetical 100 basis point increase in interest rate would result in a decrease in the fair value of our marketable securities
by $2.4 million.
47
�Table of Contents
Item 8.
Financial Statements and Supplementary Data
Qualys, Inc.
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Table of Contents
Reports of Independent Registered Public Accounting Firm (PCAOB ID Number 248)
Consolidated Balance Sheets
Consolidated Statements of Operations
Consolidated Statements of Comprehensive Income
Consolidated Statements of Cash Flows
Consolidated Statements of Stockholders' Equity
Notes to Consolidated Financial Statements
48
Page
49
51
52
53
54
55
56
�Table of Contents
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
Board of Directors and Stockholders
Qualys, Inc.
Opinion on the financial statements
We have audited the accompanying consolidated balance sheets of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of December
31, 2021 and 2020, the related consolidated statements of operations, comprehensive income, cash flows, and stockholders’ equity for each of the three years
in the period ended December 31, 2021, and the related notes (collectively referred to as the “financial statements”). In our opinion, the financial statements
present fairly, in all material respects, the financial position of the Company as of December 31, 2021 and 2020, and the results of its operations and its cash
flows for each of the three years in the period ended December 31, 2021, in conformity with accounting principles generally accepted in the United States of
America.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the Company’s
internal control over financial reporting as of December 31, 2021, based on criteria established in the 2013 Internal Control — Integrated Framework issued
by the Committee of Sponsoring Organizations of the Treadway Commission, and our report dated February 22, 2022 expressed an unqualified opinion.
Basis for opinion
These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial
statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company
in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures
to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks.
Such procedures included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. Our audits also included
evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial
statements. We believe that our audits provide a reasonable basis for our opinion.
Critical audit matter
The critical audit matter communicated below is a matter arising from the current period audit of the financial statements that was communicated or required
to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved our
especially challenging, subjective, or complex judgments. The communication of critical audit matters does not alter in any way our opinion on the financial
statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on
the accounts or disclosures to which it relates.
Income taxes
As described further in Note 12 to the financial statements, the Company records income taxes using the asset and liability method, under which deferred tax
assets and liabilities are determined based on the difference between the financial statement and tax bases of assets and liabilities using enacted tax rates in
effect for the year in which the differences are expected to affect taxable income. We identified the tax effects of temporary and permanent differences related
to stock-based compensation as a critical audit matter.
The principal considerations for our determination that the tax effects of temporary and permanent differences are a critical audit matter are that auditing the
application of executive compensation rules requires significant technical expertise, the Company is generating excess tax deductions as a result of stock-
based compensation and the stock-based compensation calculation is complex due to the required recordkeeping. Our audit procedures related to the tax
effects of temporary and permanent differences related to stock-based compensation included the following, among others.
Involved an employee compensation specialist to assess the application of stock-based compensation tax rules.
•
• Obtained management’s permanent and temporary provision calculation and tied out inputs to supporting equity documentation.
• Tested the completeness and accuracy of the calculation of permanent and temporary differences.
• Determined that the ending gross temporary difference agreed to the supporting equity documentation.
/s/ GRANT THORNTON LLP
We have served as the Company’s auditor since 2005.
San Jose, California
February 22, 2022
49
�Table of Contents
Board of Directors and Stockholders
Qualys, Inc.
Report of Independent Registered Public Accounting Firm
Opinion on internal control over financial reporting
We have audited the internal control over financial reporting of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of December 31,
2021, based on criteria established in the 2013 Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations of the
Treadway Commission (“COSO”). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of
December 31, 2021, based on criteria established in the 2013 Internal Control — Integrated Framework issued by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the consolidated
financial statements of the Company as of and for the year ended December 31, 2021, and our report dated February 22, 2022 expressed an unqualified
opinion on those consolidated financial statements.
Basis for opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of
internal control over financial reporting, included in the accompanying Management’s Annual Report on Internal Control over Financial Reporting. Our
responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm
registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the
applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an
understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We
believe that our audit provides a reasonable basis for our opinion.
Definition and limitations of internal control over financial reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and
the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over
financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect
the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being
made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance
with the policies or procedures may deteriorate.
/s/ GRANT THORNTON LLP
San Jose, California
February 22, 2022
50
�Table of Contents
Assets
Current assets:
Qualys, Inc.
CONSOLIDATED BALANCE SHEETS
(in thousands, except per share data)
Cash and cash equivalents
Short-term marketable securities
Accounts receivable, net of allowance of $793 and $725 as of December 31, 2021 and 2020, respectively
Prepaid expenses and other current assets
Total current assets
Long-term marketable securities
Property and equipment, net
Operating leases - right of use asset
Deferred tax assets, net
Intangible assets, net
Goodwill
Restricted cash
Other noncurrent assets
Total assets
Liabilities and Stockholders’ Equity
Current liabilities:
Accounts payable
Accrued liabilities
Deferred revenues, current
Operating lease liabilities, current
Total current liabilities
Deferred revenues, noncurrent
Operating lease liabilities, noncurrent
Other noncurrent liabilities
Total liabilities
Commitments and contingencies (Note 9)
Stockholders’ equity:
Preferred stock: $0.001 par value; 20,000 shares authorized, no shares issued and outstanding as of December 31,
2021 and 2020
Common stock: $0.001 par value; 1,000,000 shares authorized, 39,112 and 39,253 shares issued and outstanding
as of December 31, 2021 and 2020, respectively
Additional paid-in capital
Accumulated other comprehensive income (loss)
Retained earnings (accumulated deficit)
Total stockholders’ equity
Total liabilities and stockholders’ equity
December 31,
2021
2020
137,328 $
267,960
108,998
32,112
546,398
111,198
61,854
37,016
25,087
6,545
7,447
1,200
17,814
814,559 $
1,296 $
32,504
257,872
12,608
304,280
32,753
35,914
4,898
377,845
74,132
281,892
100,179
19,142
475,345
98,458
64,850
44,838
15,811
12,006
7,447
1,200
16,864
736,819
731
29,833
213,494
11,672
255,730
30,540
45,700
367
332,337
—
—
39
477,323
1,007
(41,655)
436,714
814,559 $
39
401,359
(484)
3,568
404,482
736,819
$
$
$
$
The accompanying notes are an integral part of these Consolidated Financial Statements.
51
�Table of Contents
Revenues
Cost of revenues
Gross profit
Operating expenses:
Research and development
Sales and marketing
General and administrative
Total operating expenses
Income from operations
Other income (expense), net:
Interest expense
Interest income
Other income (expense), net
Total other income, net
Income before income taxes
Income tax provision
Net income
Net income per share:
Basic
Diluted
Qualys, Inc.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except per share data)
$
$
$
$
Year Ended December 31,
2020
2021
2019
411,172 $
89,439
321,733
81,289
76,487
76,274
234,050
87,683
—
2,287
(573)
1,714
89,397
18,437
70,960 $
1.82 $
1.77 $
39,030
40,118
362,963 $
79,226
283,737
72,548
67,965
46,570
187,083
96,654
(9)
5,385
7
5,383
102,037
10,465
91,572 $
2.34 $
2.25 $
39,167
40,740
321,607
69,517
252,090
68,239
70,833
40,765
179,837
72,253
(106)
8,443
(607)
7,730
79,983
10,647
69,336
1.77
1.68
39,075
41,284
Weighted average shares used in computing net income per share:
Basic
Diluted
The accompanying notes are an integral part of these Consolidated Financial Statements.
52
�Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME
(in thousands)
Net income
Other comprehensive income (loss), net of tax
Net change in unrealized gains (losses) on available-for-sale debt securities, net of tax
Net change in unrealized gains (losses) on cash flow hedges, net of tax
Other comprehensive income (loss), net of tax
Comprehensive income
Year Ended December 31,
2020
2021
2019
$
70,960 $
91,572 $
69,336
(1,409)
2,900
1,491
72,451 $
402
(2,048)
(1,646)
89,926 $
1,367
381
1,748
71,084
$
The accompanying notes are an integral part of these Consolidated Financial Statements.
53
�Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in thousands)
Cash flow from operating activities:
Net income
Adjustments to reconcile net income to net cash provided by operating activities:
Depreciation and amortization expense
Write off of noncurrent asset
Bad debt expense
Loss on disposal of property and equipment
Stock-based compensation
Amortization of premiums (accretion of discounts) on marketable securities
Deferred income taxes
Changes in operating assets and liabilities:
Accounts receivable
Prepaid expenses and other assets
Accounts payable
Accrued liabilities and other noncurrent liabilities
Deferred revenues
Net cash provided by operating activities
Cash flow from investing activities:
Purchases of marketable securities
Sales and maturities of marketable securities
Purchases of property and equipment
Proceeds from disposal of property and equipment
Purchases of intangible assets
Maturity (purchase) of note receivable
Net cash used in investing activities
Cash flow from financing activities:
Repurchase of common stock
Proceeds from exercise of stock options
Payments for taxes related to net share settlement of equity awards
Principal payments under finance lease obligations
Net cash used in financing activities
Net increase (decrease) in cash, cash equivalents and restricted cash
Cash, cash equivalents and restricted cash at beginning of period
Cash, cash equivalents and restricted cash at end of period
Supplemental disclosures of cash flow information
Cash paid for interest expense
Cash paid for income taxes, net of refunds
Non-cash investing and financing activities
Purchases of intangible assets recorded in accrued liabilities
Purchases of property and equipment recorded in accounts payable and accrued liabilities
Year Ended December 31,
2020
2021
2019
$
70,960 $
91,572 $
69,336
35,897
625
402
12
67,579
3,869
(9,723)
(9,221)
(15,665)
(32)
9,322
46,591
200,616
(368,450)
363,941
(24,424)
6
(1,230)
625
(29,532)
(129,977)
49,994
(27,815)
(90)
(107,888)
63,196
75,332
138,528 $
— $
35,080 $
120 $
2,086 $
32,845
—
486
106
40,035
826
3,512
(22,631)
(2,329)
(389)
5,126
30,927
180,086
(391,693)
341,879
(30,037)
419
(1,500)
—
(80,932)
(126,729)
34,461
(20,199)
(114)
(112,581)
(13,427)
88,759
75,332 $
9 $
8,058 $
150 $
1,054 $
31,201
—
247
202
34,892
(1,597)
7,095
(2,456)
(6,012)
(1,076)
715
28,060
160,607
(331,131)
328,350
(27,573)
—
(4,050)
(625)
(35,029)
(86,424)
24,831
(15,743)
(1,709)
(79,045)
46,533
42,226
88,759
107
3,031
150
235
$
$
$
$
$
The accompanying notes are an integral part of these Consolidated Financial Statements.
54
�Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY
(in thousands)
Common Stock Additional
Other
Earnings
Total
Paid-In Comprehensive (Accumulated Stockholders’
Accumulated Retained
Income (Loss)
Deficit)
Equity
Balances at December 31, 2018
Net income
Other comprehensive income, net of tax
Issuance of common stock upon exercise of stock options
Repurchase of common stock
Issuance of common stock upon vesting of restricted stock
units
Taxes related to net share settlement of equity awards
Stock-based compensation
Balances at December 31, 2019
Net income
Other comprehensive loss, net of tax
Issuance of common stock upon exercise of stock options
Repurchase of common stock
Issuance of common stock upon vesting of restricted stock
units
Taxes related to net share settlement of equity awards
Stock-based compensation
Balances at December 31, 2020
Net income
Other comprehensive income, net of tax
Issuance of common stock upon exercise of stock options
Repurchase of common stock
Issuance of common stock upon vesting of restricted stock
units
Taxes related to net share settlement of equity awards
Stock-based compensation
Balances at December 31, 2021
Shares Amount Capital
39,015 $
—
—
901
(1,026)
39 $ 330,572 $
—
—
—
—
1
24,830
(12,317)
(1)
439
(183)
—
39,146
—
—
1,130
(1,293)
476
(206)
—
39,253
—
—
725
(1,148)
—
—
—
39
—
—
1
(1)
—
—
—
39
—
—
1
(1)
—
(15,743)
35,066
362,408
—
—
34,460
(15,530)
—
(20,199)
40,220
401,359
—
—
49,993
(13,793)
530
(248)
—
39,112 $
—
—
(27,815)
—
—
67,579
39 $ 477,323 $
(586) $
—
1,748
—
—
—
—
—
1,162
—
(1,646)
—
—
—
—
—
(484)
—
1,491
—
—
—
—
—
1,007 $
27,964 $
69,336
—
—
(74,106)
—
—
—
23,194
91,572
—
—
(111,198)
—
—
—
3,568
70,960
—
—
(116,183)
—
—
—
(41,655) $
357,989
69,336
1,748
24,831
(86,424)
—
(15,743)
35,066
386,803
91,572
(1,646)
34,461
(126,729)
—
(20,199)
40,220
404,482
70,960
1,491
49,994
(129,977)
—
(27,815)
67,579
436,714
The accompanying notes are an integral part of these Consolidated Financial Statements.
55
�Table of Contents
Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
NOTE 1.
The Company and Summary of Significant Accounting Policies
Description of Business
Qualys, Inc. (the “Company”, “we”, “us”, “our”) was incorporated in the state of Delaware on December 30, 1999. The Company is headquartered in
Foster City, California and has wholly-owned subsidiaries throughout the world. The Company is a pioneer and leading provider of cloud-based IT, security
and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from
ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. The Company’s cloud solutions address the growing
security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web
environments, the rapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Organizations can use the Company’s
integrated suite of solutions delivered on its Qualys Cloud Platform to cost-effectively obtain a unified view of their security and compliance posture across
globally-distributed IT infrastructures.
Basis of Presentation
The accompanying consolidated financial statements and footnotes have been prepared in accordance with U.S. GAAP as well as the instructions to
Form 10-K and the rules and regulations of the SEC. In the opinion of management, the accompanying consolidated financial statements reflect all
adjustments, which include only normal recurring adjustments, necessary for the fair presentation of the Company’s consolidated financial position, results of
operations and cash flows for the periods presented. The accompanying consolidated financial statements include the accounts of the Company and its
wholly-owned subsidiaries. All intercompany transactions and balances have been eliminated upon consolidation.
Risks and Uncertainties
In March 2020, the World Health Organization declared the outbreak of COVID-19 as a pandemic. As a result of COVID-19, the Company has
modified certain aspects of its business, including restricting employee travel, requiring employees to work from home, and canceling certain events and
meetings, among other modifications. The Company will continue to actively monitor the situation and may take further actions that alter its business
operations as may be required by federal, state or local authorities or that the Company determines are in the best interests of its employees, customers,
partners, suppliers and stockholders. While the Company has not incurred significant disruptions from the COVID-19 pandemic to date and does not expect
the pandemic will have a significant impact on the Company’s business in 2022, the Company is unable to accurately predict the full impact that COVID-
19 will have due to numerous uncertainties, including the duration of the outbreak, actions that may be taken by governmental authorities and the impact to
the business of its customers and partners. The Company will continue to evaluate the nature and extent of the impact to its business, financial position,
results of operations and cash flows.
Use of Estimates
The preparation of the consolidated financial statements in conformity with U.S. GAAP requires management to make certain estimates and
assumptions that affect the reported amounts of assets and liabilities and disclosure of assets and liabilities at the date of the consolidated financial statements
and the reported results of operations during the reporting period. The Company’s management regularly assesses these estimates, which primarily affect
revenue recognition, allowance for credit loss, the valuation of goodwill and intangible assets, leases, stock-based compensation and income tax provision.
Actual results could differ from those estimates and such differences may be material to the accompanying consolidated financial statements.
Concentration of Credit Risk
The Company invests its cash and cash equivalents with major financial institutions. Cash balances with any one institution at times may be in excess
of federally insured limits. Cash equivalents are invested in high-quality investment grade financial instruments and are diversified. The Company has not
experienced any losses in such accounts and believes it is not exposed to any significant credit risk.
Credit risk with respect to accounts receivable is dispersed due to the large number of customers. Collateral is not required for accounts receivable. As
of December 31, 2021 and 2020, no customer or channel partner accounted for more than 10% of the Company's revenues and accounts receivable balance.
Cash, Cash Equivalents, Restricted cash and Short-Term and Long-Term Marketable Securities
Cash and cash equivalents include cash held in banks, highly liquid money market funds and commercial paper, all with original maturities of three
months or less when acquired. The Company’s short-term and long-term marketable securities consist of fixed-income U.S. and foreign government agency
securities, corporate bonds, asset-backed securities and commercial paper. Management determines the appropriate classification of the Company's
investments at the time of purchase and reevaluates such designation at each balance sheet date. The Company classifies its marketable securities as either
short-term or long-term based on each instrument's underlying remaining contractual maturity date.
As of both December 31, 2021 and 2020, the Company has a restricted cash balance of $1.2 million in the form of a letter of credit issued to the
landlord of the Company's California headquarter office lease as security deposit.
Cash equivalents are stated at cost, which approximates fair market value. Short-term and long-term marketable securities are classified as available-
for-sale debt securities (AFS debt securities) and are carried at fair value. Unrealized gains and losses in fair value of the AFS debt securities are reported in
other comprehensive income (loss). When the AFS debt securities are sold, cost is based on the specific identification method, and the realized gains and
losses are included in other income (expense), net in the consolidated statements of operations. AFS debt securities are reviewed quarterly for impairment.
An investment is considered impaired when its fair value is below its amortized cost. Declines in fair value from amortized cost for AFS debt securities that
the company intends to sell or will more likely than not be required to sell before the expected recovery of the amortized cost basis are charged to other
income (expense), net in the period in which the loss occurs. Otherwise, the credit loss component of the impairment is recorded as allowance for credit
losses with an offsetting entry charged to other income (expense), net, while the remaining loss is recognized in other comprehensive income (loss).
56
��Table of Contents
Accounts Receivable
Accounts receivable are recorded at the invoiced amount and do not bear interest. The allowance for credit losses is determined on a collective basis
where similar risk characteristics exist and on an individual basis when we identify significant customers or invoices with collectability issues. The estimate
for credit losses considers historical write-offs by aging category, that are adjusted for current conditions and reasonable and supportable forecasts of future
losses. Any change in the assumptions used in analyzing credit losses may result in additional allowances being recognized in the period in which the change
occurs. When the Company ultimately concludes that a receivable is uncollectible, the balance is written off against the allowance for credit losses. Payments
subsequently received on such receivables are recognized in the period received. The allowance for credit losses recognized and write-offs charged against
the allowance were not significant for the years ended December 31, 2021 and 2020.
Non-marketable securities
In 2018, the Company invested $2.5 million in preferred stock of a privately-held company (the “Investee”). The fair value of the investment is not
readily available, and there are no quoted market prices for the investment. The Company elected the measurement alternative to account for the investment
at cost less impairment and will measure the investment at fair value when the Company identifies observable price changes. The investment is assessed for
impairment annually or whenever events or changes in circumstances indicate that the carrying amount may not be recoverable. No impairment has been
incurred related to the investment. The investment is included in other noncurrent assets in the consolidated balance sheets. The Company has not received
any dividends from the investment.
In 2019, the Company made an advance payment of $0.6 million to the Investee for it to perform certain technology development work, which should
either be settled in the form of royalty fee charges when the technology materializes and is licensed to the Company or, otherwise, should be repaid to the
Company in cash. The advance payment was recorded in other non-current assets in the consolidated balance sheet. During the fourth quarter ended
December 31, 2021, the technology has not been developed and the Company decided to no longer pursue the development of the technology or the
collection of the advanced amount. Accordingly, the entire amount of the advance payment was written off and recorded in the general and administrative
expense during the year ended December 31, 2021.
Property and Equipment, net
Property and equipment are stated at cost less accumulated depreciation and amortization. Depreciation is computed using the straight-line method over
the estimated useful lives of the assets, which range from three to five years. Leasehold improvements are amortized on a straight-line basis over the lesser of
the estimated useful life of the asset or the remaining lease term.
The Company purchases physical scanner appliances and other computer equipment that are provided to customers on a subscription basis. This
equipment is recorded within property and equipment and the depreciation is recorded in cost of revenues over an estimated useful life of three years.
Upon retirement or disposal, the cost of assets and the related accumulated depreciation are removed from the accounts and any resulting gain or loss is
reflected in the consolidated statements of operations. Repairs and maintenance that do not extend the life of an asset are expensed as incurred and major
improvements are capitalized as property and equipment.
Leases
The Company leases certain offices, computer equipment and its data center facilities under finance leases and non-cancelable operating leases. For
both operating and finance leases, we recognize a right-of-use asset, which represents our right to use the underlying asset for the lease term, and a lease
liability, which represents the present value of our obligation to make payments arising over the lease term. Many of our leases include rental escalation
clauses, renewal options and/or termination options that are factored into our determination of lease payments and lease terms when appropriate. The present
value of the lease payments is calculated using the incremental borrowing rate of the underlying leases determined at lease commencement. As most of our
leases do not provide a readily determinable implicit rate, the Company determines an incremental borrowing rate using a portfolio approach based on the
rate of interest that the Company would have to pay to borrow an amount equal to the lease payments on a collateralized basis over a similar term as the
leases.
Where the Company is the lessee, the Company elects to account for non-lease components associated with its leases (e.g., common area maintenance
costs) and lease components separately for substantially all of its asset classes, except for data centers, for which the Company elected to combine lease and
non-lease components. For leases with a term of one year or less, the Company has elected not to record the right-of-use asset or liability.
In arrangements where the Company is the lessor, the Company elected to apply the practical expedient to account for lease components (e.g., customer
premise equipment) and non-lease components (e.g., service revenue) as combined components as revenue under ASC 606 as service revenues are the
predominant components in the arrangements.
Impairment of Long-Lived Assets
The Company evaluates its long-lived assets, which consist of property and equipment, and intangible assets subject to amortization, for indicators of
possible impairment when events or changes in circumstances indicate the carrying amount of an asset may not be recoverable. Impairment exists if the
carrying amounts of such assets exceed the estimates of future undiscounted cash flows expected to be generated by such assets. Should an impairment exist,
the impairment loss would be measured based on the excess carrying value of the asset over the asset’s estimated fair value. For the years ended December
31, 2021, 2020 and 2019, there was no impairment of long-lived assets.
Goodwill and Intangible Assets
Goodwill represents the excess of the purchase price over the fair value of the net tangible and identifiable intangible assets acquired in a business
combination. Goodwill and indefinite-lived intangible assets are not amortized but tested for impairment at least annually or more frequently if certain
circumstances indicate a possible impairment may exist. The goodwill impairment tests are performed at the reporting unit level. The Company’s operations
are organized as one reporting unit.
In testing for a potential impairment of goodwill and the indefinite-lived intangible assets, the Company first performs a qualitative assessment to
determine if it is more likely than not (a more than 50% likelihood) that the fair value of the reporting unit or the indefinite-lived intangible assets is less than
�their carrying amount. If the fair value is not considered to be less than the carrying amount, no further evaluation is necessary. Otherwise, the Company will
perform a quantitative test. Goodwill impairment is measured as the amount by which the carrying value of the reporting unit or the indefinite-lived
intangible assets exceeds their fair value. The Company performed the annual assessments on December 1, 2021 and 2020 and concluded there was no
impairment of goodwill or the indefinite-lived intangible assets.
57
�Table of Contents
Business Combinations
The Company applies the provisions of ASC 805, Business Combinations, in accounting for its acquisitions. It requires the Company to recognize
separately from goodwill the assets acquired and the liabilities assumed at their acquisition date fair values. Goodwill as of the acquisition date is measured
as the excess of consideration transferred over the net of the acquisition date fair values of the assets acquired and the liabilities assumed. While the
Company uses its best estimates and assumptions to accurately value assets acquired and liabilities assumed at the acquisition date as well as any contingent
consideration, where applicable, its estimates are inherently uncertain and subject to refinement. As a result, during the measurement period, which may be
up to one year from the acquisition date, the Company records adjustments to the assets acquired and liabilities assumed with the corresponding offset to
goodwill. Upon the conclusion of the measurement period or final determination of the values of assets acquired or liabilities assumed, whichever comes
first, any subsequent adjustments are recorded to its consolidated statements of operations.
Derivative Financial Instruments
Derivative financial instruments are utilized by the Company to reduce foreign currency exchange risks. The Company uses foreign currency forward
contracts, with maturities of 13 months or less, to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated net asset
positions, to date primarily cash, accounts receivable and operating lease liabilities, as well as to manage foreign currency fluctuation risk related to
forecasted transactions. Open contracts are recorded within prepaid expenses and other current assets, other noncurrent assets, accrued liabilities or other
noncurrent liabilities in the consolidated balance sheets. Gains and losses resulting from currency exchange rate movements on non-designated forward
contracts are recognized in other income (expense), net. Any gains or losses from derivatives designated as cash flow hedges are first recorded
within accumulated other comprehensive income (“AOCI”) and then reclassified into revenue or operating expenses when the hedged item impacts the
consolidated statements of operations. Cash flows related to these forward contracts are classified in our consolidated statements of cash flows in the same
manner as the underlying hedged transaction within cash flows from operating activities.
Stock-Based Compensation
The Company recognizes the fair value of its stock options, restricted stock units (“RSUs”) and stock purchase rights under the employee stock
purchase plan (the “ESPP”) on a straight-line basis over the requisite service periods. The fair value of each stock option or stock purchase right is estimated
on the date of grant using the Black-Scholes-Merton option pricing model and the fair value of each RSU is based on the Company's common stock price on
the date of grant. Compensation expenses for performance-based stock options (“PSOs”) and performance-based restricted stock units (“PSUs”) are recorded
based on expected achievement of the performance metrics specified in the grant, which are assessed on a quarterly basis. Forfeitures are estimated on the
date of grant and revised if actual or expected forfeiture materially differs from original estimates.
Revenue Recognition
The Company derives revenues from subscriptions that require customers to pay a fee in order to access the Company’s cloud solutions. Contract
period with customers generally ranges from less than a year to five years. The subscription fee entitles the customer to an unlimited number of scans for a
specified number of networked devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or
virtual scanner appliances. The Company’s physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order
to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for the Company’s solutions. In
some limited cases, the Company also provides certain computer equipment used to extend its Qualys Cloud Platform into its customers’ private cloud
environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions.
58
�Table of Contents
The Company determines revenue recognition through the following steps:
•
•
•
•
•
Identification of the contract, or contracts, with a customer;
Identification of the performance obligations in the contract;
Determination of the transaction price
Allocation of the transaction price to the performance obligations in the contract; and
Recognition of revenue when, or as, the Company satisfies a performance obligation.
At the inception of a customer contract, the Company makes an assessment as to that customer's ability to pay for the services provided. The Company
assesses collectability based on several factors, including credit worthiness of the customer along with past transaction history. In addition, the Company
performs periodic evaluations of its customers’ financial condition.
Most of the Company’s revenue contracts are subscription based and contain a single performance obligation. The subscription contracts typically do
not offer to the customers any future rights that would constitute material rights. Contract prices are generally composed of fixed consideration for a specific
period of time as the Company in general does not offer refunds, volume rebates, customer loyalty programs or other forms of customer incentive payments.
In limited situations, contract prices are contingent on future events, such as actual usage during the contract terms, which are accounted for as variable
consideration and estimated based on the most likely amount of consideration that the Company is expected to be entitled to. Estimates are included in the
contract price to the extent that it is considered probable that a significant reversal in the amount of cumulative revenue recognized will not occur when the
uncertainty associated with the variable consideration is subsequently resolved. Such estimates are made at contract inception and updated periodically when
additional information becomes available. A cumulative catch-up adjustment is made when there is a change in the estimate of variable consideration.
As the Company's cloud-based subscription services are delivered to customers electronically and over time, revenue is generally recognized ratably
over the contract terms. When physical equipment is provided to the customers as part of the subscription service contract, the Company applies the practical
expedient allowed under ASC 842 Leases to combine lease and nonlease components as a combined component to be accounted for under ASC 606, as the
Company determined that the software subscription is the predominant component of the combined components. Therefore, the Company recognizes revenue
for the physical equipment ratably over the related subscription period.
Contract modifications happen when there is an upsell, where the customers subsequently enter into contract with the Company to purchase additional
product offerings or additional scans for additional devices. Contract modifications related to upsells are typically accounted for prospectively.
Deferred revenues consist of customer contracts billed or cash received that will be recognized in the future under subscriptions existing at the balance
sheet date. The current portion of deferred revenues represents amounts that are expected to be recognized within one year of the balance sheet date.
Costs of shipping and handling charges incurred by the Company associated with physical scanner appliances and other computer equipment are
included in cost of revenues. Sales taxes and other taxes collected from customers to be remitted to government authorities are excluded from revenues.
Incremental direct costs of obtaining a contract, which consist of sales commissions primarily for new business and upsells, are deferred and amortized
over the estimated life of the customer relationship if renewals are expected and the renewal commission is not commensurate with the initial commission.
The Company elected the practical expedient to expense commissions on renewals where the specific anticipated contract term amortization period is one
year or less. The Company amortizes the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. The Company
classifies deferred commissions as current or noncurrent based on the timing of when it expects to recognize the expense. The current and noncurrent
portions of deferred commissions are included in prepaid expenses and other current assets and other noncurrent assets, respectively, in its consolidated
balance sheets.
59
�Table of Contents
Advertising Expenses
Advertising costs are expensed as incurred and are included in sales and marketing expense in the consolidated statements of operations. The Company
incurred advertising costs of $2.1 million, $1.6 million and $1.5 million for the years ended December 31, 2021, 2020 and 2019, respectively.
Income Taxes
The Company provides for the effect of income taxes in its consolidated financial statements using the asset and liability method which requires the
recognition of deferred tax assets and liabilities for the expected future tax consequences of events that have been included in the consolidated financial
statements. Under this method, deferred tax assets and liabilities are recognized for the future tax consequences attributable to differences between the
financial statement carrying amounts of existing assets and liabilities and their respective tax bases, net operating loss carryovers, and tax credit carry
forwards. The Company regularly reviews its deferred tax assets for recoverability and establishes a valuation allowance if it is more likely than not that
some portion or all of the deferred tax assets will not be realized. To make this assessment, the Company takes into account predictions of the amount and
category of taxable income from various sources and all available positive and negative evidence about these possible sources of taxable income. The weight
given to the potential effect of negative and positive evidence is commensurate with the extent to which the strength of the evidence can be objectively
verified. Deferred tax assets and liabilities are measured using enacted tax rates expected to apply to taxable income in the years in which those temporary
differences are expected to be recovered or settled. The effect on deferred tax assets and liabilities of a change in tax rates is recognized in the period that
includes the enactment date.
Income tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year and for deferred tax assets and liabilities
for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. The Company must make significant
assumptions, judgments and estimates to determine its current income tax provision (benefit), its deferred tax assets and liabilities, and any valuation
allowance to be recorded against its deferred tax assets. The Company's estimates and assumptions may differ from the actual results as reflected on its
income tax returns and will record the required adjustments when they are identified or resolved.
The Company applies a two-step approach to determining the financial statement recognition and measurement of uncertain tax positions. The
Company only recognizes an income tax expense or benefit with respect to uncertain tax positions in its financial statements that the Company judges is
more likely than not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigation processes. To make
this judgment, the Company must interpret complex and sometimes ambiguous tax laws, regulations and administrative practices. If an income tax position
meets the more likely than not recognition threshold, then the Company must measure the amount of the tax benefit to be recognized by determining the
largest amount of tax benefit that has a greater than a 50% likelihood of being realized upon effective settlement with a taxing authority that has full
knowledge of all of the relevant facts. It is inherently difficult and subjective to estimate such amounts, as this requires the Company to determine the
probability of various possible settlement outcomes. To determine if a tax position is effectively settled after a tax examination has been completed, the
Company must also estimate the likelihood that another taxing authority could review the respective tax position. The Company must also determine when it
is reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end. These
judgments are difficult because a taxing authority may change its behavior as a result of the Company's disclosures in its financial statements. The Company
must reevaluate its income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax law, effectively
settled issues under audit, and new audit activity. Such a change in recognition or measurement would result in recognition of a tax benefit or an additional
charge to the tax provision. The Company's policy is to recognize interest and penalties related to unrecognized tax benefits as a component of the provision
for income taxes.
60
�Table of Contents
Comprehensive Income (Loss)
Other comprehensive income (loss) consists of unrealized gains (losses) on marketable securities, net of tax, and derivative financial instruments
designated as cash flow hedges which are not included in the Company’s net income. Total comprehensive income includes net income and other
comprehensive income (loss) and is included in the consolidated statements of comprehensive income.
Foreign Currency Transactions
The Company’s operations are conducted in various countries around the world and the financial statements of its foreign subsidiaries are reported in
the U.S. dollar as their respective functional currency. Monetary assets and liabilities denominated in foreign currencies have been re-measured into U.S.
dollars using the exchange rates in effect at the balance sheet date, and income and expenses are re-measured at average exchange rates during the period.
Foreign currency re-measurement gains and losses and foreign currency transaction gains and losses are recognized in other income (expense), net.
Net Income Per Share
Basic net income per share is computed by dividing net income by the weighted-average number of shares outstanding during the period. Diluted net
income per share is computed by dividing net income by the weighted-average number of shares outstanding plus potentially dilutive shares outstanding
during the period. The potentially dilutive shares are computed by applying the treasury stock method to the Company's stock options, RSUs and the stock
purchase rights under the ESPP. Any potential shares that would be anti-dilutive are excluded from the computation of diluted net income per share.
Recently Adopted Accounting Pronouncements
In December 2019, the Financial Accounting Standards Board ("FASB") issued Accounting Standard Update ("ASU") No. 2019-12, Simplifying the
Accounting for Income Taxes ("ASU 2019-12"), which simplifies the accounting for income taxes, eliminates certain exceptions within ASC 740, Income
Taxes, and clarifies certain aspects of the current guidance to promote consistency among reporting entities. ASU 2019-12 is effective for the Company for
fiscal years beginning after December 15, 2020. Most amendments within the standard are required to be applied on a prospective basis, while certain
amendments must be applied on a retrospective or modified retrospective basis. The Company adopted ASU 2019-12 in the first quarter of 2021 with no
material impact on the Company's consolidated financial statements.
Recently Issued Accounting Pronouncements Not Yet Adopted
The Company does not believe any other new accounting pronouncements issued by the FASB that have not become effective will have a material
impact on its consolidated financial statements.
61
�Table of Contents
NOTE 2.
Fair Value of Financial Instruments
Fair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market
participants at the measurement date. For certain of the Company’s financial instruments, including certain cash equivalents, accounts receivable, accounts
payable and accrued liabilities, the carrying amounts approximate their fair values due to the relatively short maturity of these balances.
The Company measures and reports certain cash equivalents, marketable securities, derivative foreign currency forward contracts at fair value in
accordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for
inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the most
observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:
Level 1-Valuations based on quoted prices in active markets for identical assets or liabilities.
Level 2-Valuations based on other than quoted prices in active markets for identical assets and liabilities, including quoted prices for identical assets or
liabilities in less active or inactive markets, quoted prices for similar assets or liabilities in active markets, or inputs other than quoted prices that are
observable for substantially the full term of the assets or liabilities.
Level 3-Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions that market
participants would use in pricing the asset or liability.
The Company's financial instruments consist of assets and liabilities measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid money
market fund, which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets include fixed-income
U.S. Treasury and government agency securities, commercial paper, corporate bonds, asset-backed securities, foreign government securities and derivative
financial instruments consisting of foreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent
pricing services based on quoted prices of identical instruments in less active or inactive markets, quoted prices of similar instruments in active markets, or
industry models using data inputs such as interest rates and prices that can be directly observed or corroborated in active markets. The foreign currency
forward contracts are valued using observable inputs, such as quotations on forward foreign exchange points and foreign interest rates.
The Company's cash and cash equivalents and marketable securities consist of the following:
Cash and cash equivalents:
Cash
Money market funds
Commercial paper
Total
Short-term marketable securities:
Commercial paper
Corporate bonds
Asset-backed securities
U.S. Treasury and government agencies
Total
Long-term marketable securities:
Asset-backed securities
U.S. Treasury and government agencies
Foreign government
Corporate bonds
Total
Total
December 31, 2021
Amortized
Cost
Unrealized
Gains
Unrealized
Losses
Fair Value
(in thousands)
61,220 $
75,258
850
137,328
28,869
3,952
217,160
18,046
268,027
14,941
37,664
1,007
57,762
111,374
516,729 $
$
$
62
— $
—
—
—
101
—
2
—
103
6
—
12
160
178
281 $
— $
—
—
—
(7)
—
(163)
—
(170)
(36)
(136)
—
(182)
(354)
(524) $
61,220
75,258
850
137,328
28,963
3,952
216,999
18,046
267,960
14,911
37,528
1,019
57,740
111,198
516,486
�Table of Contents
Cash and cash equivalents:
Cash
Money market funds
Commercial paper
Total
Short-term marketable securities:
Commercial paper
Corporate bonds
Asset-backed securities
U.S. Treasury and government agencies
Total
Long-term marketable securities:
Asset-backed securities
U.S. Treasury and government agencies
Foreign government
Corporate bonds
Total
Total
December 31, 2020
Amortized
Cost
Unrealized
Gains
Unrealized
Losses
Fair Value
(in thousands)
$
$
33,105 $
38,028
2,999
74,132
6,147
24,368
6,263
244,568
281,346
38,456
6,884
1,006
51,068
97,414
452,892 $
— $
—
—
—
—
170
18
369
557
160
17
31
839
1,047
1,604 $
— $
—
—
—
—
—
—
(11)
(11)
(3)
—
—
—
(3)
(14) $
33,105
38,028
2,999
74,132
6,147
24,538
6,281
244,926
281,892
38,613
6,901
1,037
51,907
98,458
454,482
As of December 31, 2021 and 2020, there were no marketable securities that had been in a continuous unrealized loss position for 12 months or longer.
The Company had the ability and intent to hold all marketable securities that were in an unrealized loss position until recovery of the amortized cost basis.
The Company considered the extent to which fair value was less than amortized cost basis and conditions related to security’s industry and geography and
changes to the ratings, if any, and concluded the decline in fair value compared to carrying value was not related to credit loss.
The following table sets forth by level within the fair value hierarchy the fair value of the Company's cash equivalents and marketable securities
measured on a recurring basis:
Money market funds
Commercial paper
U.S. Treasury and government agencies
Foreign government
Corporate bonds
Asset-backed securities
Total
Money market funds
Commercial paper
U.S. Treasury and government agencies
Foreign government
Corporate bonds
Asset-backed securities
Total
Level 1
December 31, 2021
Level 2
(in thousands)
Fair Value
75,258 $
—
—
—
—
—
75,258 $
— $
18,896
254,527
1,019
86,703
18,863
380,008 $
75,258
18,896
254,527
1,019
86,703
18,863
455,266
Level 1
December 31, 2020
Level 2
(in thousands)
Fair Value
38,028 $
—
—
—
—
—
38,028 $
— $
9,146
251,827
1,037
76,445
44,894
383,349 $
38,028
9,146
251,827
1,037
76,445
44,894
421,377
$
$
$
$
63
�Table of Contents
The following summarizes the fair value of marketable securities by contractual maturity:
December 31, 2021
Mature within
One Year
Mature after
One Year
through Two
Years
Mature over
Two Years
Fair Value
$
$
18,896 $
216,999
—
28,964
3,951
268,810 $
(in thousands)
— $
37,528
1,019
38,407
7,959
84,913 $
— $
—
—
19,332
6,953
26,285 $
18,896
254,527
1,019
86,703
18,863
380,008
Commercial paper
U.S. Treasury and government agencies
Foreign government
Corporate bonds
Asset-backed securities
Total
Derivative Financial Instruments
Designated cash flow hedges
The Company enters into foreign currency forward contracts to reduce the risk of variability in future cash flow due to foreign currency exchange rate
fluctuation from certain forecasted subscription revenue orders billed in GBP and Euro and operation expenses incurred in INR, which are designated as cash
flow hedges. Unrealized foreign exchange gains or losses related to those designated cash flow hedge contracts are recorded in Accumulated other
comprehensive income ("AOCI") and will be reclassified into revenues or operating expenses, respectively, in the same periods when the hedged transactions
hit earnings.
As of December 31, 2021, the Company had designated cash flow hedge forward contracts with notional amounts of €29.8 million, £9.4 million
and Rs.2,955.3 million. As of December 31, 2020, the Company had designated cash flow hedge forward contracts with notional amounts of €25.9 million,
£8.7 million and Rs.1,933.5 million. As of December 31, 2021, a net amount of unrealized gains of $1.0 million before tax on the foreign currency forward
contracts for GBP and Euro reported in AOCI is expected to be reclassified into revenue within the next 12 months. As of December 31, 2021, a net amount
of unrealized gains of $0.3 million before tax on the foreign currency forward contracts for INR reported in AOCI is expected to be reclassified into
operating expenses within the next 12 months.
Non-designated forward contracts
The Company also uses foreign currency forward contracts to hedge certain foreign currency denominated assets or liabilities, which are not designated
as cashflow hedges.
As of December 31, 2021, the Company had non-designated forward contracts with notional amounts of €34.5 million, £11.6 million, Rs.74.9 million,
C$2.5 million and CHF1.0 million. As of December 31, 2020, the Company had non-designated forward contracts with notional amounts of €17.7 million,
£6.5 million and Rs.32.8 million.
The following summarizes derivative financial instruments as of December 31, 2021 and 2020:
Assets
Foreign currency forward contracts designated as cash flow hedge
Foreign currency forward contracts not designated as hedging instruments
Total
Liabilities
Foreign currency forward contracts designated as cash flow hedge
Foreign currency forward contracts not designated as hedging instruments
Total
All foreign currency forward contracts were valued at fair value using Level 2 inputs.
64
December 31,
2021
2020
(in thousands)
$
$
$
$
1,737 $
1,599
3,336 $
(181) $
(207)
(388) $
511
27
538
(2,200)
(1,677)
(3,877)
�Table of Contents
The following summarizes the gains (losses) recognized from forward contracts and other foreign currency transactions in other income (expense), net
in the consolidated statements of operations:
Net gains (losses) from non-designated forward contracts
Other foreign currency transactions gains (losses)
Total foreign exchange gains (losses), net
Other expenses
Other income (expense), net
2021
Year Ended December 31,
2020
(in thousands)
2019
$
$
2,452 $
(2,749)
(297)
(276)
(573) $
(1,634) $
1,894
260
(253)
7 $
438
(792)
(354)
(253)
(607)
NOTE 3.
Accumulated Other Comprehensive Income (Loss)
The components and changes in accumulated other comprehensive income (loss) were as follows:
Balances at December 31, 2018
Change in unrealized gains during the period
Net gains reclassified into income during the period
Income tax provision
Net change during the period
Balances at December 31, 2019
Change in unrealized gains (losses) during the period
Net gains reclassified into income during the period
Income tax benefit (provision)
Net change during the period
Balances at December 31, 2020
Change in unrealized gains (losses) during the period
Net losses reclassified into income during the period
Income tax benefit (provision)
Net change during the period
Balances at December 31, 2021
Available-for-sale
debt securities
Cash flow hedges
(in thousands)
Total
$
$
(545) $
1,610
—
(243)
1,367
822
549
(25)
(122)
402
1,224
(1,854)
22
423
(1,409)
(185) $
(41) $
651
(169)
(101)
381
340
(2,099)
(564)
615
(2,048)
(1,708)
2,837
933
(870)
2,900
1,192 $
The effects on income before income taxes of amounts reclassified from AOCI to the consolidated statements of operations were as follows:
Reclassification of AOCI - Available-for-sale debt securities
Other income (expense), net
Reclassification of AOCI - Cash flow hedges
Revenues
Cost of revenues
Research and development
Sales and marketing
General and administrative
Total
2021
Year Ended December 31,
2020
(in thousands)
2019
(22) $
25 $
(1,667) $
149
492
28
65
(933) $
960 $
(76)
(264)
(20)
(36)
564 $
$
$
$
65
(586)
2,261
(169)
(344)
1,748
1,162
(1,550)
(589)
493
(1,646)
(484)
983
955
(447)
1,491
1,007
—
169
—
—
—
—
169
�Table of Contents
NOTE 4.
Property and Equipment, Net
Property and equipment, net, which includes assets under finance leases, consists of the following:
Computer equipment
Computer software
Leasehold improvements
Scanner appliances
Furniture, fixtures and equipment
Finance leases - right of use asset
Total property and equipment
Less: accumulated depreciation and amortization
Property and equipment, net
December 31,
2021
2020
(in thousands)
$
$
161,809 $
25,807
21,092
16,510
6,479
—
231,697
(169,843)
61,854 $
136,286
26,164
21,107
16,749
6,599
3,503
210,408
(145,558)
64,850
As of December 31, 2021 and 2020, physical scanner appliances and other computer equipment that are or will be subject to leases by customers had a
net carrying value of $5.3 million and $7.5 million, respectively, including assets that had not been placed in service of $1.3 million and $1.9 million,
respectively. Depreciation and amortization expenses relating to property and equipment were $28.5 million, $26.1 million and $24.9 million for the years
ended December 31, 2021, 2020 and 2019, respectively. Assets under finance leases were acquired upon completion of lease term and placed within
computer equipment as of December 31, 2021.
NOTE 5.
Revenue from Contracts with Customers
The Company records deferred revenue when cash payments are received or due in advance of its performance obligations offset by revenue
recognized in the period. Revenues of $211.0 million and $188.6 million were recognized during the years ended December 31, 2021 and December 31,
2020, respectively, which amounts were included in the deferred revenue balances as of December 31, 2020 and December 31, 2019, respectively.
The Company's payment terms vary by the type and location of its customers. The term between invoicing and when payment is due is not significant.
In certain circumstances, based on the credit quality of the customer, the Company requires payment before the products or services are delivered to the
customer.
The following table sets forth the expected revenue from all remaining performance obligations as of December 31, 2021:
2022
2023
2024
2025
2026
2027 and thereafter
Total
(in thousands)
142,812
101,482
36,361
2,422
499
110
283,687
$
$
Revenues allocated to remaining performance obligations represents the transaction price of noncancelable orders for which service has not been
performed, which include deferred revenue and the amounts that will be invoiced and recognized as revenues in future periods from open contracts and
excludes unexercised renewals. The Company applied the short-term contract exemption to exclude the remaining performance obligations that are part of a
contract that has an original expected duration of one year or less.
From time to time, the Company enters into contracts with customers that extend beyond one year, with certain of its customers electing to pay for more
than one year of services upon contract execution. The Company concluded that these contracts did not contain a financing component.
Revenues by sales channel are as follows:
Direct
Partner
Total
2021
Year Ended December 31,
2020
(in thousands)
242,709 $
168,463
411,172 $
212,296 $
150,667
362,963 $
$
$
2019
186,130
135,477
321,607
The Company utilizes partners to enable and accelerate the adoption of its cloud platform by increasing its distribution capabilities and market
awareness of its cloud platform as well as by targeting geographic regions outside the reach of its direct sales force. The Company's channel partners
maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party
solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners may offer the Company's IT security and
compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which the Company can connect with
these prospective customers to offer its solutions. For sales involving a channel partner, the channel partner engages with the prospective customer directly
and involves the Company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the Company sells the
associated subscription to the channel partner who in turn resells the subscription to the customer. Sales to channel partners are made at a discount and
revenues are recorded at this discounted price over the subscription terms. The Company does not have any influence or specific knowledge of its partners'
selling terms with their customers. See Note 13, "Segment Information and Information about Geographic Area" for disaggregation of revenue by geographic
area.
�Deferred costs to obtain contracts are as follows:
Current
Noncurrent
December 31,
2021
2020
$
$
(in thousands)
4,223 $
8,391 $
3,459
6,906
For the years ended December 31, 2021, 2020 and 2019, the Company recognized $4.0 million, $3.0 million and $2.0 million, respectively, of
amortization expense relating to deferred costs to obtain contracts in sales and marketing expense in the consolidated statements of operations. During the
same periods, there was no impairment loss related to the deferred costs to obtain contracts.
66
�Table of Contents
NOTE 6.
Acquisitions
The following table summarizes the purchase price allocation of business and asset acquisitions for the years ended December 31, 2021, 2020 and 2019
based on estimated fair values of the acquired assets as of the acquisition date:
Acquiree
TotalCloud
Spell security
Adya
Acquisition Date
August 19, 2021
July 24, 2020
January 10, 2019
Purchase
Consideration
Purchased Intangible
Assets
(in thousands)
$
$
$
1,200 $
1,500 $
1,000 $
1,200 $
1,500 $
900 $
Goodwill
—
—
100
On August 19, 2021, the Company acquired certain developed technology intangible assets of TotalCloud, a privately held company incorporated in
India, for a total cash consideration of $1.2 million, of which $1.1 million was paid on the acquisition date and the remaining $0.1 million will be due one
year from the acquisition date, subject to potential adjustment from possible indemnity claims. TotalCloud's technology strengthens the Company's cloud
security solution by allowing customers to build user-defined workflows for custom policies and execute them on-demand for simplified security and
compliance. The acquired intangible assets will be amortized over five years.
On July 24, 2020, the Company acquired certain intangible assets of Spell Security, a privately held company incorporated in India, for a total cash
consideration of $1.5 million, of which $1.3 million was paid on the acquisition date and the remaining $0.2 million was deferred and paid in October 2021.
Spell Security’s technology expands the Company's endpoint behavior detection, threat hunting, malware research and multi-layered response capabilities for
its EDR application. The Company recognized intangible assets of $1.0 million for developed technology and $0.5 million for non-compete agreements,
which will be amortized over four and two years, respectively.
On January 10, 2019, the Company acquired Adya, an India-based company. The acquisition included a cloud application management platform, which
enables security and compliance audits of SaaS applications. Total purchase consideration included $0.2 million of deferred consideration due 18 months
from the closing date of the acquisition, subject to potential adjustment from possible indemnity claims, which was fully paid to Adya during the fiscal year
ended December 31, 2020. The acquired intangible assets relating to Adya's developed technology are being amortized over the estimated useful lives of
approximately four years. Goodwill arising from the Adya acquisition is deductible for tax purposes over 15 years.
There were no changes in the carrying amount of goodwill for the years ended December 31, 2021 and 2020.
67
�Table of Contents
NOTE 7.
Intangible Assets, Net
Intangible assets consist primarily of developed technology and patent licenses acquired from business or asset acquisitions. Acquired intangibles are
amortized on a straight-line basis over the respective estimated useful lives of the assets.
The carrying values of intangible assets are as follows:
(in thousands)
Developed technology
Patent licenses
Non-compete agreements
Total intangibles subject to amortization
Intangible assets not subject to amortization
Total intangible assets, net
(in thousands)
Developed technology
Patent licenses
Non-compete agreements
Total intangibles subject to amortization
Intangible assets not subject to amortization
Total intangible assets, net
Weighted
Average Life
(Years)
4.5
14.0
2.0
Weighted
Average
Remaining
Life (Years)
0.9 $
2.7
0.6
$
Weighted
Average Life
(Years)
4.4
14.0
2.0
Weighted
Average
Remaining
Life (Years)
1.8 $
3.7
1.6
$
December 31, 2021
Cost
28,556 $
1,387
500
30,443 $
Accumulated
Amortization
(22,463) $
(1,121)
(354)
(23,938)
$
December 31, 2020
Cost
27,356 $
1,387
500
29,243 $
Accumulated
Amortization
(16,152) $
(1,021)
(104)
(17,277)
$
Net Book
Value
6,093
266
146
6,505
40
6,545
Net Book
Value
11,204
366
396
11,966
40
12,006
Intangible assets amortization expenses were $6.7 million, $6.3 million and $6.1 million for the years ended December 31, 2021, 2020 and 2019,
respectively, which were recorded in the consolidated statements of operations.
As of December 31, 2021, the Company expects amortization expense in future periods to be as follows:
2022
2023
2024
2025
2026
Total expected future amortization expense
68
(in thousands)
5,063
590
452
240
160
6,505
$
$
�Table of Contents
NOTE 8.
Leases
The Company leases certain offices, computer equipment and its data center facilities under non-cancelable operating leases for varying periods
through 2028. While under the Company's lease agreements the Company has options to extend its certain leases, the Company has not included
renewal options in determining the lease terms for calculating its lease liabilities, as these options are not reasonably certain of being exercised. Lease
expense was $16.8 million, $16.7 million and $13.9 million for the years ended December 31, 2021, 2020 and 2019, respectively.
Supplemental cash flow information related to operating leases was as follows:
Cash payments included in the measurement of lease liabilities
Lease liabilities arising from obtaining right-of-use assets
$
$
14,646 $
4,110 $
13,403 $
15,837 $
9,372
17,359
The weighted average remaining lease term and the weighted average discount rate of the Company's operating leases were as follows:
2021
Year Ended December 31,
2020
(in thousands)
2019
Weighted average remaining lease term (years)
Weighted average discount rate
Maturities of the Company's operating lease liabilities as of December 31, 2021 are as follows:
2022
2023
2024
2025
2026
2027 and thereafter
Total minimum lease payments
Less: interest
Present value of net minimum lease payments
Less: lease liabilities, current
Lease liabilities, noncurrent
69
December 31,
2021
2020
3.3
4.8%
4.1
4.8%
(in thousands)
14,543
12,042
10,735
6,536
4,498
5,819
54,173
(5,651)
48,522
(12,608)
35,914
$
$
�Table of Contents
NOTE 9.
Commitment and Contingencies
Purchase Obligation
The Company has entered into agreements to purchase goods and services in the ordinary course of business. As of December 31, 2021, these
remaining purchase commitments for future periods are as follows:
2022
2023
2024
2025
Total purchase commitments
Indemnifications
(in thousands)
23,672
11,488
7,599
936
43,695
$
$
The Company from time to time enters into certain types of contracts that contingently require it to indemnify various parties against claims from third
parties. These contracts primarily relate to (i) the Company's bylaws, under which it must indemnify directors and executive officers, and may indemnify
other officers and employees, for liabilities arising out of their relationship, (ii) contracts under which the Company must indemnify directors and certain
officers for liabilities arising out of their relationship, and (iii) contracts under which the Company may be required to indemnify customers or resellers from
certain liabilities arising from potential infringement of intellectual property rights, as well as potential damages caused by limited product defects. To date,
the Company has not incurred and has not recorded any liability in connection with such indemnifications.
The Company maintains director and officer insurance, which may cover certain liabilities arising from its obligation to indemnify its directors.
Legal Proceedings
From time to time the Company may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. The
Company records a provision for a liability when it is both probable that a liability has been incurred and the amount can be reasonably estimated. The
Company provides disclosure if it is reasonably possible that a loss has been incurred and a range of loss or possible loss can be reasonably estimated.
Significant judgment is required to determine both probability and the estimated amount. The Company reviews these provisions at least quarterly and adjust
these provisions to reflect the impact of negotiations, settlements, rulings, advice of legal counsel, and updated information.
As of December 31, 2021, there has not been at least a reasonable possibility that the Company has incurred a material loss from any ongoing legal
proceedings, individually or taken together. However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are
beyond the Company's control. Should any of these estimates and assumptions change or prove to have been incorrect, the Company could incur significant
charges related to legal matters which could have a material impact on its results of operations, financial position and cash flows.
70
�Table of Contents
NOTE 10.
Stockholders' Equity and Stock-based Compensation
Preferred Stock
Effective October 3, 2012, the Company is authorized to issue 20.0 million shares of undesignated preferred stock with a par value of $0.001 per share.
Each series of preferred stock will have such rights and preferences including dividend rights, dividend rate, conversion rights, voting rights, rights and terms
of redemption (including sinking fund provisions), redemption price, and liquidation preferences as determined by the board of directors. As of December 31,
2021, and 2020, there were no issued or outstanding shares of preferred stock.
Common Stock
Equity Incentive Plan
2000 Equity Incentive Plan
Under the 2000 Equity Incentive Plan (“2000 Plan”), the Company was authorized to grant to eligible participants either incentive stock options
(“ISOs”) or non-statutory stock options (“NSOs”). The ISOs were granted at a price per share not less than the fair market value at the date of grant. The
NSOs were granted at a price per share not less than 85% of the fair market value at the date of grant. Options granted generally vest over a period of up to
four years, with a maximum term of ten years. The 2000 Plan was terminated in connection with the closing of the Company's initial public offering, and
accordingly, no shares are currently available for grant under the 2000 Plan. The 2000 Plan continues to govern outstanding awards granted thereunder.
2012 Equity Incentive Plan
The 2012 Equity Incentive Plan (“2012 Plan”) was adopted and approved in September 2012 and became effective on September 26, 2012. Under the
2012 Plan, the Company is authorized to grant to eligible participant’s ISOs, NSOs, stock appreciation rights (“SARs”), restricted stock awards (“RSAs”),
RSUs, performance units and performance shares. The number of shares of common stock available for issuance under the 2012 Plan is subject to an annual
increase on January 1 of each year by an amount equal to the least of 3,050 thousand shares, 5% of the outstanding shares of stock as of the last day of the
immediately preceding fiscal year or an amount determined by the board of directors. For the year ended December 31, 2021, 1,963 thousand shares were
added to the 2012 Plan. As of December 31, 2021, a total of 17,662 thousand shares have been authorized for issuance under the 2012 Plan and
8,091 thousand shares are available for future grants. Options may be granted with an exercise price that is at least equal to the fair market value of the
Company's stock at the date of grant and are exercisable when vested. Options and RSU's granted generally vest over a period of up to four years. ISOs may
only be granted to employees and any subsidiary corporations' employees. All other awards may be granted to employees, directors and consultants and
subsidiary corporations' employees and consultants. Options, SARs, RSUs, performance units and performance awards may be granted with vesting terms as
determined by the board of directors and expire no more than ten years after the date of grant or earlier if employment or service is terminated.
2021 Employee Stock Purchase Plan
On June 9, 2021, the Company’s stockholders approved the 2021 ESPP. A total of 600 thousand shares were authorized for issuance to eligible
participating employees upon adoption of the ESPP, all of which are available for future purchases as of December 31, 2021. The ESPP provides for
consecutive 6-month offering periods beginning on or about August 16 and February 16 of each year. Eligible employees who elect to participate can
contribute from 1% to 15% of their eligible compensation through payroll withholding. During any offering period, contribution rates cannot be changed.
However, eligible employees may withdraw from the current offering period. Any contributions made prior to each purchase date in the case of withdrawal
or termination of employment will be refunded. On each purchase date, eligible participating employees will purchase the shares at a price per share equal to
85% of the lesser of (i) the fair market value of the Company's stock on the first trading day of the offering period or (ii) the fair market value of the
Company's stock on the purchase date (i.e., the last trading day of the offering period). The first ESPP offering period commenced on August 16, 2021 and
will end on February 15, 2022.
Stock-based Compensation
The following table shows a summary of the stock-based compensation expenses included in the consolidated statements of operations for the years
ended December 31, 2021, 2020 and 2019:
Cost of revenues
Research and development
Sales and marketing
General and administrative
Total stock-based compensation
2021
Year Ended December 31,
2020
(in thousands)
2019
$
$
3,782 $
10,750
6,323
46,724
67,579 $
2,767 $
13,502
5,785
17,981
40,035 $
2,262
11,151
4,984
16,495
34,892
The income tax benefit related to the stock-based compensation expenses was $6.2 million, $5.5 million and $5.5 million for the years ended December
31, 2021, 2020 and 2019, respectively. As of December 31, 2021, the Company had unrecognized stock-based compensation expenses of $16.7 million,
$77.0 million and $0.2 million related to options, RSUs and ESPP, respectively, which are expected to be recognized over weighted-average periods
of 2.8 years, 2.8 years and 0.1 years, respectively.
71
�Table of Contents
Performance-Based Stock Options and Restricted Stock Units
On December 21, 2018, the compensation committee of the Company's board of directors (“Compensation Committee”) granted the equity award for
2019 to the Company’s former chief executive officer, Philippe Courtot (“Mr. Courtot”). The first portion of the award consists of 56 thousand RSUs that
were scheduled to vest in 16 quarterly increments beginning on January 1, 2019. The second portion of the award consists of a target number of 33 thousand
PSUs, which were scheduled to vest at the end of the three-year performance period from January 2019 through December 2021. The actual number of PSUs
eligible to vest range from 0% to 200% of the target number, depending on the level of achievement of goals related to revenue growth during the three-year
performance period from January 2019 through December 2021 and Adjusted EBITDA margin for the fiscal year of 2021. The third portion of the award
consists of a target number of 33 thousand PSUs, one third of which (11 thousand target PSUs) was scheduled to vest at the end of each fiscal year of 2019,
2020 and 2021. The actual number of PSUs eligible to vest at each vesting date range from 0% to 200% of the target number, depending on the level of
achievement of goals related to revenue growth and Adjusted EBITDA margin for each of those years.
On November 2, 2019, the Compensation Committee granted the equity award for 2020 to Mr. Courtot. The first portion of the award consists of 49
thousand RSUs that were scheduled to vest in 16 quarterly installments beginning on December 1, 2019. The second portion of the award consists of a target
number of 124 thousand PSOs, which were scheduled to vest at the end of the three-year performance period from January 2020 through December 2022.
The actual number of PSOs eligible to vest range from 0% to 200% of the target number, depending on the level of achievement of goals related to revenue
growth and free cash flow per share growth during the performance period.
On December 10, 2020, the Compensation Committee granted the equity award for 2021 to Mr. Courtot. The first portion of the award consists of 69
thousand RSUs that were scheduled to vest in 16 quarterly installments beginning on November 1, 2020. The second portion of the award consists of a target
number of 224 thousand PSOs, which were scheduled to vest at the end of the three-year performance period from January 2021 through December 2023.
The actual number of PSOs eligible to vest range from 0% to 200% of the target number, depending on the level of achievement of goals related to revenue
growth and free cash flow per share growth during the performance period.
The vesting of the above awards was conditioned on Mr. Courtot’s continued service through the vesting dates or, for PSOs and PSUs, the dates that
performance is certified in addition to the achievement of performance goals. If Mr. Courtot’s employment was terminated (a) by reason of death or disability
or (b) by the Company for reasons other than cause or good reason within 12 months following a change in control, then 100% of any unvested portions of
these awards would vest, with any vesting in connection with change in control terminations conditioned upon the effectiveness of a release of claims in
favor of the Company.
In February 2021 and 2020, 22 thousand shares (representing 200% of target number of awards) and 15 thousand shares (representing 135% of target
number of awards) under the equity award for 2019 for Mr. Courtot, vested as a result of the Company achieving the corresponding level of performance
goals for 2020 and 2019, respectively.
On March 19, 2021, Mr. Courtot resigned from the Company due to health issues. The Compensation Committee determined that Mr. Courtot’s
termination of employment was on account of disability. In accordance with the grant agreements of the equity awards for 2021, 2020 and 2019 for Mr.
Courtot, all remaining outstanding RSUs, PSUs and PSOs under these grants were subject to accelerated vesting and became fully vested at 100% of the
target number of awards as of the date of his termination of employment, which consist of 127 thousand RSUs, 44 thousand PSUs and 348 thousand PSOs.
As a result, the Company recognized an additional $27.3 million of stock-based compensation expense due to the accelerated vesting in the consolidated
statements of operations for the year ended December 31, 2021.
On April 27, 2021, the Compensation Committee granted to the Company’s current president and chief executive officer an equity award consisting of
certain RSUs and a target number of 10 thousand PSUs. The PSUs are scheduled to vest at the end of the three-year performance period from January 2021
through December 2023. The actual number of the PSUs eligible to vest range from 0% to 200% of the target number, depending on the level of achievement
of goals related to revenue growth and free cash flow per share growth during the performance period. If the Company's current president and chief executive
officer is terminated (a) by reason of death or disability or (b) by the Company for reasons other than cause or good reason within 12 months following a
change in control, then 100% of any unvested portions of the award will vest, with any vesting in connection with terminations due to change in control
conditioned upon the effectiveness of a release of claims in favor of the Company.
On October 28, 2021, the Compensation Committee granted to certain executive officers of the Company equity awards consisting of certain RSUs and
an aggregate number of 73 thousand PSUs. The target PSUs are scheduled to vest in three equal annual installments over a three-year period from January
2022 through December 2024. The actual number of the PSUs eligible to vest each year range from 0% to 200% of the annual target number, depending on
the level of achievement of goals related to revenue growth and adjusted EBITDA margin corresponding to that year. The vesting and release of the first and
second installment is capped at 100% of the target number at the end of the first and second year, respectively, with cumulative achievement over 100%, if
any, to be vested and released at the end of the third year, together with the vesting of the third installment. If any of the executive officers is terminated
(a) by reason of death or disability or (b) by the Company for reasons other than cause or good reason within 12 months following a change in control, any
unvested PSUs eligible to vest pursuant to cumulative achievements over 100% for past installments along with any target number of unvested PSUs for any
remaining installments will vest immediately.
For the years ended December 31, 2021, 2020 and 2019, stock-based compensation expenses of $13.3 million, $0.2 million and $0.3 million for PSOs,
respectively, and $5.3 million, $2.8 million and $0.9 million for PSUs, respectively, were recognized.
72
�Table of Contents
Stock Options
The weighted-average grant date fair value of the Company’s stock options granted for the years ended December 31, 2021, 2020 and 2019 was $41.23,
$35.49 and $34.02, respectively, using the Black-Scholes-Merton option-pricing model based on the following assumptions:
Expected term (in years)
Volatility
Risk-free interest rate
Dividend yield
2021
Year Ended December 31,
2020
5.2 to 5.5
38% to 41%
0.5% to 1.2%
—
4.5 to 5.5
38% to 43%
0.3% to 1.4%
—
2019
4.4 to 6.6
40% to 46%
1.5% to 2.4%
—
The expected term of the options is based on evaluations of historical and expected future employee exercise behavior. The risk-free interest rate is
based on the U.S. Treasury rates at the date of grant with maturity dates equal to the expected term at the grant date. The volatility was estimated using the
historical volatility derived from the Company's common stock. The Company has not historically declared any dividends and does not expect to in the
future.
A summary of the Company’s stock option activity is as follows:
Balance as of December 31, 2020
Granted
Exercised
Canceled
Balance as of December 31, 2021
Vested and expected to vest - December 31, 2021
Exercisable - December 31, 2021
(1) Included 348 thousand shares of PSOs.
Weighted
Average
Exercise Price
Weighted
Average
Remaining
Contractual
Life
(Years)
Aggregate
Intrinsic
Value
(in thousands)
139,121
6.5 $
6.0 $
5.7 $
4.3 $
130,791
125,769
110,495
59.07
112.43
68.91
102.92
66.05
61.43
42.60
Outstanding
Options
(in thousands)
$
2,215
495
$
(725)(1) $
$
(147)
1,838
$
$
1,659
$
1,168
The total intrinsic value of options exercised for the years ended December 31, 2021, 2020 and 2019 was $42.5 million, $77.5 million and
$52.1 million, respectively. Intrinsic value of an option is the difference between the fair value of the Company’s common stock at the time of exercise and
the exercise price paid.
Restricted Stock Units
A summary of the Company’s RSU activity is as follows:
Balance as of December 31, 2020
Granted
Vested
Canceled
Outstanding RSUs
(in thousands)
Weighted Average
Grant Date Fair
Value
1,047
$
583(1) $
(530)(2) $
(183)
$
917(3) $
815
$
86.78
114.59
84.97
90.42
104.78
104.22
Balance as of December 31, 2021
Outstanding and expected to vest - December 31, 2021
(1) Included 34 thousand shares of PSUs granted to certain executive officers in 2021 and 11 thousand additional shares of PSUs vested as a result of the
Company achieving the corresponding level of performance goals for 2020.
(2) Included 11 thousand additional shares of PSUs vested as a result of the Company achieving the corresponding level of performance goals for 2020.
(3) Included 34 thousand shares of PSUs granted to certain executive officers in 2021.
The aggregate fair value of RSUs vested for the years ended December 31, 2021, 2020 and 2019 was $59.5 million, $46.5 million and $37.9 million,
respectively.
73
�Table of Contents
Employee Stock Purchase Plan
The weighted-average grant date fair value of the Company’s ESPP for the year ended December 31, 2021 was $26.88 using the Black-Scholes-Merton
option-pricing model based on the following assumptions:
Expected term (in years)
Volatility
Risk-free interest rate
Dividend yield
Year Ended
December 31,
2021
0.5
34%
0.1%
—
The expected term of the ESPP represents the six-month offering period. The risk-free interest rate is based on the U.S. Treasury rates at the date of
grant with maturity dates equal to the expected term at the grant date. The volatility was estimated using the historical volatility derived from the Company's
common stock. The Company has not historically declared any dividends and does not expect to in the future.
Share Repurchase Program
The Company's share repurchase program was authorized by the board of directors as follows:
Announcement Date
February 12, 2018
October 30, 2018
October 30, 2019
May 7, 2020
February 10, 2021
November 3, 2021
Total as of December 31, 2021
Authorized Dollar
Value
(in millions)
$
$
100.0
100.0
100.0
100.0
100.0
200.0
700.0
Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a
pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. All share repurchases have been made using cash resources.
Repurchased shares are retired and reclassified as authorized and unissued shares of common stock. On retirement of the repurchased shares, common stock
is reduced by an amount equal to the number of shares being retired multiplied by the par value. The excess amount that is retired over its par value
is first allocated as a reduction to additional paid-in capital based on the initial public offering price of the stock, with the remaining excess to retained
earnings.
For the years ended December 31, 2021, 2020 and 2019, the Company repurchased 1.1 million shares, 1.3 million shares and 1.0 million shares of its
common stock for $130.0 million, $126.7 million and $86.4 million, respectively. As of December 31, 2021, $271.8 million remained available for share
repurchases pursuant to the Company's share repurchase program.
74
�Table of Contents
NOTE 11.
Employee Benefits Plan
The Company’s 401(k) Plan was established in 2000 to provide retirement and incidental benefits for its employees. As allowed under section 401(k) of
the Internal Revenue Code, the 401(k) Plan provides tax-deferred salary deductions for eligible employees. Contributions to the 401(k) Plan are limited to a
maximum amount as set periodically by the Internal Revenue Service. For the years ended December 31, 2021, 2020 and 2019, the Company made
contributions to the 401(k) Plan of $2.4 million, $1.3 million and $1.3 million, respectively.
The Company contributes to a Provident Fund Plan for its employees in India, which is a defined contribution plan set up in accordance with local labor
and tax laws. Gratuity is also paid by the Company to eligible employees in India in accordance with Payment of Gratuity Act, 1972. For the years ended
December 31, 2021, 2020 and 2019, the Company contributed $1.7 million, $1.4 million and $1.1 million, respectively, to those plans.
NOTE 12.
Income Taxes
The Company’s geographical breakdown of income before income taxes is as follows:
Domestic
Foreign
Income before income taxes
Income tax provision consists of the following:
Current
Federal
State
Foreign
Current income tax provision
Deferred
Federal
State
Foreign
Deferred income tax provision (benefit)
Income tax provision
$
$
$
$
2021
Year Ended December 31,
2020
(in thousands)
2019
80,472 $
8,925
89,397 $
94,099 $
7,938
102,037 $
72,124
7,859
79,983
2021
Year Ended December 31,
2020
(in thousands)
2019
20,135 $
4,324
3,701
28,160
(7,342)
(1,722)
(659)
(9,723)
18,437 $
1,944 $
1,438
3,571
6,953
4,239
26
(753)
3,512
10,465 $
The reconciliation of the statutory federal income tax rate to the Company’s effective tax rate is as follows:
Federal statutory rate
State taxes
Stock-based compensation
Excess tax benefits related to stock-based compensation
Foreign source income
Change in valuation allowance
Foreign-derived intangible income deduction
Federal and state research and development credit
Other
Income tax provision
75
2021
Year Ended December 31,
2020
2019
21.0%
3.1
10.3
(5.4)
0.4
0.2
(7.0)
(1.9)
(0.1)
20.6%
21.0%
1.6
4.8
(13.8)
0.2
0.8
(1.7)
(2.6)
—
10.3%
(90)
646
3,000
3,556
7,085
447
(441)
7,091
10,647
21.0%
1.5
4.0
(11.2)
0.1
1.1
—
(3.7)
0.4
13.2%
�Table of Contents
Deferred Income Taxes
Deferred income taxes reflect the tax effects of temporary differences between the carrying amounts of assets and liabilities for financial reporting
purposes and the amounts used for income tax purposes. The components of the Company’s deferred tax assets and liabilities are as follows:
Deferred tax assets
Research and development credit carryforwards
Foreign tax credit carryforwards
Accrued liabilities
Deferred revenues
Operating lease liabilities
Intangible assets
Stock-based compensation
Other
Gross deferred tax assets
Valuation allowance
Net deferred tax assets
Deferred tax liabilities
Fixed assets
Operating leases - right of use asset
Deferred commissions
Total deferred tax liabilities
Net deferred tax assets
December 31,
2021
2020
(in thousands)
10,743 $
933
1,655
7,250
11,777
12,377
4,085
2,987
51,807
(11,364)
40,443
(3,320)
(9,010)
(3,026)
(15,356)
25,087 $
16,965
3,497
2,019
5,123
15,924
1,397
3,907
720
49,552
(11,188)
38,364
(7,017)
(13,054)
(2,482)
(22,553)
15,811
$
$
The realization of deferred tax assets is dependent upon the generation of sufficient taxable income of the appropriate character in future periods. The
Company regularly assesses the ability to realize its deferred tax assets and establishes a valuation allowance if it is more-likely than-not that some portion,
or all, of the deferred tax assets will not be realized. The Company weighs all available positive and negative evidence, including its earnings history and
results of recent operations, scheduled reversals of deferred tax liabilities, projected future taxable income, and tax planning strategies. Due to the weight of
objectively verifiable negative evidence, it is more-likely-than-not that its California deferred tax assets will not be realized as of December 31, 2021.
Additionally, due to a lack of sufficient future income of the appropriate character, certain U.S. federal and state deferred tax assets are not more-likely-than-
not to be realized. Accordingly, the Company has recorded a valuation allowance of $11.4 million and $11.2 million against such deferred tax assets as of
December 31, 2021 and 2020, respectively. The increase of $0.2 million in valuation allowance was mainly associated with the California research and
development credit generated during the year ended December 31, 2021 that will not likely be realized in the foreseeable future.
As of December 31, 2021, the Company had federal net operating loss carryforwards of approximately $0.7 million available to reduce federal taxable
income. The state net operating loss carryforwards are not material. The federal net operating losses begin to expire in 2022. Utilization of the Company’s net
operating loss carryforwards may be subject to an annual limitation due to the ownership change limitations provided by the Internal Revenue Code and
similar state provisions. Such an annual limitation could result in the expiration of the net operating loss carryforwards before utilization. As of December 31,
2021, the Company had $15.5 million of state research and development credit carryforwards. State research and development credits do not expire. As of
December 31, 2021, the Company had foreign tax credit carryforwards of $0.9 million which begin to expire in 2028.
76
�Table of Contents
The following table summarizes the activity related to the Company’s unrecognized tax benefits:
Unrecognized tax benefits beginning balance
Gross increase for tax positions of prior years
Gross decrease for tax positions of prior years
Gross increase for tax positions of current year
Lapse of statute of limitations
Total unrecognized tax benefits
2021
Year Ended December 31,
2020
(in thousands)
2019
8,855 $
—
(25)
846
—
9,676 $
7,778 $
4
—
1,258
(185)
8,855 $
6,406
—
(12)
1,384
—
7,778
$
$
The unrecognized tax benefits, if recognized, would impact the income tax provision by $4.9 million, $4.6 million and $4.2 million as of December 31,
2021, 2020 and 2019, respectively. The remaining amount would result in the recognition of a corresponding deferred tax asset that is then offset by a full
valuation allowance. As of December 31, 2021, the Company does not believe that its estimates, as otherwise provided for, on such tax positions will
significantly increase or decrease within the next twelve months. The Company has elected to include interest and penalties as a component of income tax
expense. The amounts were not material for the years ended December 31, 2021, 2020 and 2019.
The Company files income tax returns in the United States, including various state jurisdictions. The Company’s subsidiaries file tax returns in various
foreign jurisdictions. The tax years 2001 through 2020 remain open to examination by the major taxing jurisdictions in which the Company is subject to tax.
The Company is also currently subject to tax audits in various jurisdictions. The Company believes that an adequate provision has been made for any
adjustments that may result from tax examinations. However, the outcome of tax audits cannot be predicted with certainty. If any issues addressed in the
Company's tax audits are resolved in a manner inconsistent with its expectations, the Company could be required to adjust its income tax provision in the
period such resolution occurs.
As of December 31, 2021, the Company has undistributed earnings in certain foreign subsidiaries that the Company has indefinitely reinvested outside
the United States. As a result, the Company has not provided for deferred tax liabilities on those earnings. The Company may be required to pay additional
income taxes if the Company repatriates those earnings in the future.
77
�Table of Contents
NOTE 13.
Segment and Geographic Area Information
Under ASC 280 Segment Reporting, operating segments are defined as components of an entity about which separate financial information is evaluated
regularly by the chief operating decision maker in deciding how to allocate resources and in assessing performance. The Company operates in one segment
and has only one reportable segment. The Company’s chief operating decision maker is the Chief Executive Officer, who makes operating decisions, assesses
performance and allocates resources on a consolidated basis. All of the Company’s principal operations and decision-making functions are located in the
United States.
Revenue by geographic area, based on the customer's billing address, is as follows:
United States
Foreign
Total revenues
2021
Year Ended December 31,
2020
(in thousands)
2019
$
$
250,761 $
160,411
411,172 $
230,444 $
132,519
362,963 $
206,555
115,052
321,607
Long-lived assets, which consist of Property and equipment, net and Operating leases - right of use asset, by geographic area, are as follows:
United States
India
Rest of world
Total Long-lived Assets
NOTE 14.
Net Income Per Share
The computations for basic and diluted net income per share are as follows:
Numerator:
Net income
Denominator:
Basic weighted average shares
Effect of potentially dilutive shares:
Stock options
Restricted stock units
Employee stock purchase plan
Diluted weighted average shares
Net income per share:
Basic
Diluted
December 31,
2021
2020
(in thousands)
66,440 $
20,401
12,029
98,870 $
69,256
24,774
15,658
109,688
$
$
2021
Year Ended December 31,
2020
(in thousands, except per share data)
2019
$
70,960 $
91,572 $
39,030
39,167
863
224
1
40,118 $
1.82 $
1.77 $
1,262
311
—
40,740 $
2.34 $
2.25 $
$
$
$
69,336
39,075
1,806
403
—
41,284
1.77
1.68
Potentially dilutive shares not included in the calculation of diluted net income per share because doing so would be anti-dilutive are as follows:
Stock options
Restricted stock units
Total anti-dilutive shares
2021
Year Ended December 31,
2020
(in thousands)
2019
534
61
595
532
52
584
460
52
512
78
�Table of Contents
Item 9.
Changes In and Disagreements with Accountants on Accounting and Financial Disclosure
None.
Item 9A.
Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our Chief Executive Officer, Chief Financial Officer and our Principal Accounting Officer, evaluated the
effectiveness of our disclosure controls and procedures as of December 31, 2021. The term “disclosure controls and procedures,” as defined in Rules 13a-
15(e) and 15d-15(e) under the Exchange Act, means controls and other procedures of a company that are designed to ensure that information required to be
disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time
periods specified in the Securities and Exchange Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and
procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is
accumulated and communicated to the company’s management, including its principal executive and principal financial officers, as appropriate to allow
timely decisions regarding required disclosure. Management recognizes that any controls and procedures, no matter how well designed and operated, can
provide only reasonable assurance of achieving their objectives and management necessarily applies its judgment in evaluating the cost-benefit relationship
of possible controls and procedures. Based on the evaluation of our disclosure controls and procedures as of December 31, 2021, our Chief Executive Officer
and Chief Financial Officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.
Management's Annual Report on Internal Control over Financial Reporting
Our management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined in Rules
13a-15(f) and 15d-15(f) of the Exchange Act. Our internal control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with U.S. GAAP. Our internal control
over financial reporting includes those policies and procedures that: (i) pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of our assets, (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of
financial statements in accordance with U.S. GAAP, and that our receipts and expenditures are being made only in accordance with authorizations of our
management and directors, and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of
our assets that could have a material effect on our financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation
of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of
compliance with the policies or procedures may deteriorate.
Under the supervision and with the participation of our management, including our Chief Executive Officer, Chief Financial Officer and our Principal
Accounting Officer, we conducted an evaluation of the effectiveness of our internal control over financial reporting as of December 31, 2021 based on the
criteria established in the 2013 Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission,
or COSO. Based on our evaluation under the criteria set forth in the 2013 Internal Control - Integrated Framework issued by the COSO, our management
concluded our internal control over financial reporting was effective as of December 31, 2021.
The effectiveness of the Company's internal control over financial reporting as of December 31, 2021 has been audited by Grant Thornton LLP, an
independent registered public accounting firm, as stated in its report, which is included in Item 8 of this Annual Report on Form 10-K.
Changes in Internal Control over Financial Reporting
There was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-
15(d) of the Exchange Act that occurred during the fourth quarter ended December 31, 2021 that has materially affected, or is reasonably likely to materially
affect, our internal control over financial reporting.
Item 9B.
Other Information
None.
Item 9C.
Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
Not applicable.
79
�Table of Contents
Item 10.
Directors, Executive Officers and Corporate Governance
Executive Officers and Directors
PART III
Except as set forth below, the information required by this item is incorporated by reference to our Proxy Statement for our 2022 Annual Meeting of
Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2021.
Codes of Business Conduct and Ethics
Our Board of Directors has adopted a code of business conduct and ethics that applies to all of our employees, officers and directors, including our
Chief Executive Officer, Chief Financial Officer and other executive and senior financial officers. The code of business conduct and ethics is available on our
website. We expect that, to the extent required by law, any amendments to the code, or any waivers of its requirements, will be disclosed on our website. We
intend to disclose any waiver to the provisions of the code of business conduct and ethics that applies specifically to directors or executive officers by filing
such information on a Current Report on Form 8-K with the SEC, to the extent such filing is required by the NASDAQ Stock Market's listing requirements;
otherwise, we will disclose such waiver by posting such information on our website.
Item 11.
Executive Compensation
The information required by this item is incorporated by reference to our Proxy Statement for our 2022 Annual Meeting of Stockholders to be filed with
the SEC within 120 days after the end of the fiscal year ended December 31, 2021.
Item 12.
Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
The information required by this item with respect to Item 403 of Regulation S-K regarding security ownership of certain beneficial owners and
management is incorporated by reference to our Proxy Statement for our 2022 Annual Meeting of Stockholders to be filed with the SEC within 120 days
after the end of the fiscal year ended December 31, 2021. For the information required by this item with respect to Item 201(d) of Regulation S-K regarding
securities authorized for issuance under equity compensation plans, see “Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer
Purchases of Equity Securities—Securities Authorized for Issuance under Equity Compensation Plans” in Item 5 of this Annual Report on Form 10-K.
Item 13.
Certain Relationships and Related Transactions, and Director Independence
The information required by this item is incorporated by reference to our Proxy Statement for our 2022 Annual Meeting of Stockholders to be filed with
the SEC within 120 days after the end of the fiscal year ended December 31, 2021.
Item 14.
Principal Accounting Fees and Services
The information required by this item is incorporated by reference to our Proxy Statement for our 2022 Annual Meeting of Stockholders to be filed with
the SEC within 120 days after the end of the fiscal year ended December 31, 2021.
80
�Table of Contents
Item 15.
Exhibits and Financial Statement Schedules
PART IV
(a)(1) Financial Statements - The financial statements filed as part of this Annual Report on Form 10-K are listed on the Index to Consolidated
Financial Statements in Item 8.
(a)(2) Financial Statement Schedules - All financial statement schedules have been omitted since the required information is not applicable or has
been included in the consolidated financial statements and accompanying notes included in this Form 10-K.
(b) Exhibits
Exhibit
Number Description
Filed
Herewith
Incorporated by Reference
Exhibit
No.
File No.
Form
3.1
Amended and Restated Certificate of Incorporation of Qualys, Inc.
S-1/A
333-182027
3.3
3.2
Amended and Restated Bylaws of Qualys, Inc.
S-1/A
333-182027
3.5
4.1
Form of common stock certificate.
S-1/A
333-182027
4.1
Filing Date
September 12,
2012
September 12,
2012
September 12,
2012
4.2
Description of Registrant’s securities
10-K
001-35662
4.2
February 21, 2020
10.1*
2000 Equity Incentive Plan, as amended, and the form of stock option
agreement thereunder.
S-1
333-182027
10.1
June 8, 2012
10.2*
2012 Equity Incentive Plan and forms of agreements thereunder.
S-1/A
333-182027
10.2
September 12,
2012
10.3*
Qualys, Inc. 2021 Employee Stock Purchase Plan
8-K
001-35662
10.1
June 11, 2020
10.4*
Offer Letter, between Qualys, Inc. and Sumedh S. Thakar, dated January 20,
2003.
S-1
333-182027
10.5
June 8, 2012
10.5*
Offer Letter, between Qualys, Inc. and Joo Mi Kim, dated May 21, 2020.
10.6*
Offer Letter, between Qualys, Inc. and Bruce K. Posey, dated May 8, 2012.
8-K
S-1
001-35662
10.1
May 26, 2020
333-182027
10.9
June 8, 2012
10.7*
Offer Letter, between Qualys, Inc. and Allan Peters, dated April 26, 2021.
X
10.8*
Form of Performance-Based Restricted Stock Unit Agreement for Executives
under the 2012 Equity Incentive Plan, dated October 28, 2021
X
10.9*
Form of director and executive officer indemnification agreement.
S-1/A
333-182027 10.10 August 10, 2012
10.10*
Qualys, Inc. Executive Performance Bonus Plan.
Schedule 14A,
Appendix A
001-35662 N/A
April 25, 2016
81
�Table of Contents
Exhibit
Number Description
10.11*# Qualys, Inc. 2021 Corporate Bonus Plan.
Filed
Herewith
X
Incorporated by Reference
Exhibit
No.
File No.
Form
Filing Date
10.12
Lease Agreement, between Qualys, Inc. and Hudson Metro Center, LLC, dated
October 14, 2016.
8-K
001-35662
10.1 October 19, 2016
10.13†
Manufacturing Services Agreement, between Qualys, Inc. and Synnex
Corporation, dated March 1, 2011.
S-1/A
333-182027 10.16
September 12,
2012
21.1
List of subsidiaries of Qualys, Inc.
X
23.1
31.1
31.2
32.1
32.2
Consent of Grant Thornton LLP, independent registered public accounting
firm.
Certification of Chief Executive Officer pursuant to Rule 13a-14(a) or Rule
15d-14(a) of the Securities Exchange Act of 1934, as adopted pursuant to
Section 302 of The Sarbanes-Oxley Act of 2002.
Certification of Chief Financial Officer pursuant to Rule 13a-14(a) or Rule
15d-14(a) of the Securities Exchange Act of 1934, as adopted pursuant to
Section 302 of The Sarbanes-Oxley Act of 2002.
Certification of Chief Executive Officer pursuant to Rule 13a-14(b) or Rule
15d-14(b) of the Securities Exchange Act of 1934 and 18 U.S.C. Section 1350
as adopted pursuant to Section 906 of The Sarbanes-Oxley Act of 2002.
Certification of Chief Financial Officer pursuant to Rule 13a-14(b) or Rule
15d-14(b) of the Securities Exchange Act of 1934 and 18 U.S.C. Section 1350
as adopted pursuant to Section 906 of The Sarbanes-Oxley Act of 2002.
101.INS
Inline XBRL Instance Document - the instance document does not appear in
the Interactive Data File because its XBRL tags are embedded within the
Inline XBRL document.
101.SCH
Inline XBRL Taxonomy Extension Schema Document
101.CAL
Inline XBRL Taxonomy Extension Calculation Linkbase Document
101.DEF
Inline XBRL Taxonomy Extension Definition Linkbase
101.LAB
Inline XBRL Taxonomy Extension Labels Linkbase Document
101.PRE
Inline XBRL Taxonomy Extension Presentation Linkbase Document
X
X
X
X
X
X
X
X
X
X
X
104
Cover Page Interactive Data File - formatted in Inline XBRL and included as
Exhibit 101
X
* Indicates a management contract or compensatory plan or arrangement.
† Portions of this exhibit have been omitted due to a determination by the
Securities and Exchange Commission that these portions should be granted
confidential treatment.
# Portions of the exhibit, marked by brackets, have been omitted because the
omitted information (i) is not material and (ii) would likely cause competitive
harm if publicly disclosed.
82
�Table of Contents
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this Annual Report on Form 10-K
to be signed on its behalf by the undersigned, thereunto duly authorized, in the City of Foster City, State of California on February 22, 2022.
QUALYS, INC.
By:
/s/ SUMEDH THAKAR
Sumedh Thakar
President and Chief Executive Officer
(principal executive officer)
83
�Table of Contents
Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the Registrant
and in the capacities indicated:
Signature
Title
Date
/s/ SUMEDH THAKAR
Sumedh Thakar
/s/ JOO MI KIM
Joo Mi Kim
/s/ SAIKAT PAUL
Saikat Paul
/s/ SANDRA BERGERON
Sandra Bergeron
/s/ WILLIAM BERUTTI
William Berutti
/s/ JEFFREY P. HANK
Jeffrey P. Hank
/s/ GENERAL PETER PACE
General Peter Pace
/s/ KRISTI M. ROGERS
Kristi M. Rogers
/s/ WENDY M. PFEIFFER
Wendy M. Pfeiffer
/s/ JOHN A. ZANGARDI
John A. Zangardi
Director, President and Chief Executive Officer (principal
executive officer)
February 22, 2022
Chief Financial Officer (principal financial officer)
February 22, 2022
Chief Accounting Officer (principal accounting officer)
February 22, 2022
Chair of the Board of Directors
February 22, 2022
Director
Director
Director
Director
Director
Director
84
February 22, 2022
February 22, 2022
February 22, 2022
February 22, 2022
February 22, 2022
February 22, 2022
�Exhibit 10.7
April 26, 2021
Allan Peters
[Address]
Dear Allan:
On behalf of Qualys (the “Company”), I am pleased to offer you the position of Chief Revenue Officer, reporting to Sumedh Thakar, Interim CEO and Chief
Product Officer. Your location of work will be your home office in Florida. The details of your offer are outlined below:
Salary:
Commission:
Benefits:
RSUs:
$325,000* (Annual Salary)
*To be paid semi-monthly. Less payroll deductions and all required withholding.
You will be eligible to receive up to $325,000 annually upon your achievement of 100% of quota. Further commission
may be earned if you achieve more than 100% of quota. Commissions will be calculated and paid out on a quarterly
basis. The full terms of the commission will be determined soon after you begin employment.
You will be eligible for the following standard Qualys benefits as of the first of the month following date of hire,
pursuant to the terms and conditions of the applicable benefit plan and Company policies: Medical, Dental and Vision. In
addition, you are eligible to participate in our life insurance, accidental death, vacation, sick time and 401(k) plans.
Qualys may modify compensation and benefits from time to time as it deems necessary.
We will recommend to the Board of Directors (or its Compensation Committee) that you be granted restricted stock units
(the “RSUs”) covering shares of Qualys Common Stock. The number of RSUs that management will recommend will be
determined by dividing $3,000,000 by the average of the closing trading prices of Qualys Common Stock for the 30 days
ending one week before the applicable grant date of your RSUs, rounding up to the nearest whole share. The RSUs will
be subject to Qualys’ 2012 Equity Incentive Plan and an RSU agreement thereunder. Your RSUs will vest over
approximately 4 years with 1/4 of the RSUs vesting on the one year anniversary of the 1st day of the month following
your start date as an employee under this agreement (the “First Vesting Date”). Then 1/16 of the RSUs vest quarterly
each three months after the First Vesting Date on the first day of the applicable month. All vesting is subject to your
continued service to Qualys through each vesting date. However, 50% of the then unvested shares subject to the RSUs
shall accelerate and vest if: (i) Qualys incurs a “change in control” (as defined in the 2012 Equity Incentive Plan); and
(ii) your employment is terminated by Qualys other than for “cause” (as will be defined in your RSU agreement), death
or disability or you resign for “good reason” (as will be defined in your RSU agreement), in each case, during the period
on, and 12 months following, a change in control.
Severance:
Should Qualys terminate your employment without cause in the first year of employment, you will be entitled to three
(3) months of your base salary, provided you sign Qualys’ separation agreement.
As a Qualys employee, you will be expected to abide by Qualys rules and regulations, and sign and comply with the attached Proprietary Information and
Inventions Agreement, which prohibits unauthorized use or disclosure of Qualys’ proprietary information.
Qualys, Inc.
919 East Hillsdale Boulevard, 4th Floor, Foster City, CA 94404
T 650 801 6100 F 650 801 6101 www.qualys.com
�Your employment relationship with Qualys is at-will. You may terminate your employment with Qualys at any time and for any reason whatsoever simply by
notifying Qualys. Likewise, Qualys may terminate your employment at any time and for any reason whatsoever, with or without cause or advance notice.
This at-will employment relationship cannot be changed except in a writing signed by a Qualys officer.
This letter, together with your Employee Proprietary Information and Inventions Agreement and the RSU agreement between you and Qualys (relating to
your grant described above), forms the complete and exclusive statement of your employment agreement with Qualys. The employment terms in this letter
supersede any other agreements or promises made to you by anyone, whether oral or written.
Your employment is contingent upon providing evidence of your legal right to work in the United States as required by the US Citizenship and Immigration
Services.
We look forward to your acceptance of employment with Qualys under the terms described above. To accept this offer, please sign and date this letter. Please
keep a copy of these documents for your records. This offer will expire on Thursday, April 29, 2021 and is contingent upon successful reference checks and a
satisfactory background check.
Allan, we are excited about you joining our team. If you have any questions, please feel free to call me at (650) 801-6151.
Sincerely,
/s/ Rima Touma Bruno
Rima Touma Bruno
Chief Human Resources Officer
Offer Accepted By:
/s/ Allan Peters
Allan Peters
Qualys, Inc.
919 East Hillsdale Boulevard, 4th Floor, Foster City, CA 94404
T 650 801 6100 F 650 801 6101 www.qualys.com
Date Accepted:
2021-04-26
Start Date:
May 4, 2021
� QUALYS, INC.
2012 EQUITY INCENTIVE PLAN
RESTRICTED STOCK UNIT AGREEMENT
Exhibit 10.8
Unless otherwise defined herein, the terms defined in the Qualys, Inc. 2012 Equity Incentive Plan (the “Plan”) will have the same defined meanings
in this Restricted Stock Unit Agreement, including the Notice of Restricted Stock Unit Grant (the “Notice of Grant”), the Terms and Conditions of Restricted
Stock Unit Grant, attached hereto as Exhibit A, and any Appendix, attached hereto as Exhibit B (all together, the “Award Agreement”).
NOTICE OF RESTRICTED STOCK UNIT GRANT
Participant Name:
Address:
Participant has been granted the right to receive an Award of Restricted Stock Units, subject to the terms and conditions of the Plan and this Award
Agreement, as follows:
Grant Number
Date of Grant October 28, 2021
Vesting Date Certification dates
Target Number of Restricted Stock Units
Maximum Restricted Stock Units
Vesting Schedule:
Subject to any acceleration provisions contained in the Plan or set forth below, the Restricted Stock Units will vest only if certain performance-based
goals are achieved (as described below) and Participant will not vest in the Restricted Stock Units unless he or she remains a Service Provider through the
applicable vesting dates.
Performance Periods: Each of the [year one], [year two] and [year three] calendar years. 1/3 of the Target Number of Restricted Stock Units are
assigned to each of these three calendar years.
Performance-Based Vesting Component: The actual number of RSUs that will become eligible to vest (if any) with respect to a Performance Period
will be determined based on the Performance Achievement for such Performance Period and will vest on the Certification Date immediately after such
performance period, except that the vesting percentage is capped at 100% on the Certification Dates for [year one] and [year two] performance periods with
cumulative achievement over 100% (if any) to be vested on the Certification Date following the [year three] performance period.
�Any Restricted Stock Units that become eligible to vest after achievement of the performance-based vesting component described in this paragraph
are referred to herein as “Eligible RSUs.”
Performance Metrics: Revenue Growth and Adjusted EBITDA margin (as defined below).
Performance Targets for [year one] Performance Period: Annual operating plan for Revenue and adjusted EBITDA margin.
[year one] Revenue Growth
Less than Threshold
Threshold — [__]%
[__]%
[__]%
Target — [__]%
Maximum — [__]%
[year one] Adjusted EBITDA Margin
Less than Threshold
Threshold — [__]%
[__]%
[__]%
Target — [__]%
Maximum — [__]%
Performance Achievement
0%
0%
25%
75%
100%
200%
Performance Achievement
0%
0%
25%
75%
100%
200%
Performance Targets for [year two] and [year three] Performance Periods will be based on the Annual operating plan for Revenue and adjusted
EBITDA margin to be determined by the board in the fourth quarter of [year one] and [year two], respectively.
All calculations will be rounded to the closest one hundredth decimal position for purposes of calculating achievement (e.g. [__].987% rounds to
[__].99% and does not meet the Revenue Growth threshold). If the Performance Achievement for the Performance Period falls between levels set forth in the
tables above, the actual Performance Achievement will be determined by linear interpolation between the applicable thresholds and the average level of
Performance Achievement for the two metrics will be used to determine the actual number of Eligible RSUs. As an example, assume [__]% Revenue Growth
and [__]% Adjusted EBITDA Margin for the performance period of [year one] calendar year:
● [__]% Revenue Growth is 200% achievement
● [__]% Adjusted EBITDA Margin is 100% achievement.
-2-
�The resulting Performance Achievement in this example is 150%, resulting in Eligible RSUs being 150% of the Target Number of RSUs, of which
100% of the Eligible RSUs will vest on the Certification Date immediately following the completion of the [year one] performance period and the remaining
50% of the Eligible RSUs will vest on the Certification Date immediately following the completion of the [year three] performance period.
For purposes of these vesting provisions, the following terms shall have the following meanings:
“Revenue Growth” means revenue growth during the year that contains the Performance Period and the immediately preceding year with Revenue
determined according to generally accepted accounting principles in effect on the date of grant. In the sole discretion of the Administrator, adjustments may
be made to exclude the effects of acquisitions and/or dispositions during the Performance Period.
“Adjusted EBITDA Margin” means (A) net income (loss) for the Performance Period before (1) other (income) expense, net, which includes interest
income, interest expense and other income and expense, (2) provision for (benefit from) income taxes, (3) depreciation and amortization of property and
equipment, (4) amortization of intangible assets, and (5) stock-based compensation, divided by (B) Revenue for the Performance Period as determined above.
In the sole discretion of the Administrator, adjustments may be made to exclude the effects of acquisitions and/or dispositions during the Performance Period.
All determinations regarding any Performance Metric or the Performance Achievement shall be made by the Administrator in its sole discretion and
all such determinations shall be final and binding on all parties. The Certification Date means the first date on which (i) the Audit Committee of the Board
has verified to the Administrator the calculation of the Performance Metrics for the Performance Period, and (ii) the Administrator has then determined the
Performance Achievement for such Performance Period in formal resolutions or a consent action of the Administrator.
On the Certification Date, the number of RSUs assigned to the applicable performance period that did not become Eligible RSUs due to the required
Performance Achievement threshold not being achieved shall immediately be forfeited without further consideration.
Accelerated Vesting in Special Circumstances
Death and Disability. If the Participant’s employment is terminated due to Death or Disability prior to the Certification Date, 100% of the Target Number of
Restricted Stock Units will vest upon the date of Participant’s termination of employment.
Change in Control. If a Change in Control occurs during the Performance Period, then 100% of the Target Number of RSUs assigned to any performance
periods that have not been completed and any cumulative achievement over 100% of Eligible RSUs determined for all performance periods that have already
been completed will vest on January 1, [year four], contingent on the Participant continuing to be a Service Provider through each date.
-3-
�Notwithstanding the foregoing, if upon, or within twelve (12) months following, a Change in Control occurs while Participant is a Service Provider,
the Participant’s status as a Service Provider of the Company or the successor corporation is terminated:
(i) by the Company or successor corporation other than for “Cause” (as defined below), death or Disability, or
(ii) by Participant for “Good Reason” (as defined below),
then, in each case, 100% of the Target Number of Restricted Stock Units assigned to any performance periods that have not been completed and any
cumulative achievement over 100% of Eligible RSUs determined for all performance periods that have already been completed will vest immediately prior to
such termination. Vesting under this paragraph is subject to Participant’s execution and non-revocation of a general release of claims agreement in a form
acceptable to the Company.
For purposes of this Award Agreement, “Cause” shall mean (i) indictment or conviction of any felony or of any crime involving dishonesty; (ii)
participation in any fraud or act of dishonesty against the Company; (iii) material breach of Participant’s duties to the Company, including but not limited to
unsatisfactory performance of job duties which he fails to correct within thirty (30) days after Participant is given written notice, if a cure is reasonably
possible within said thirty (30)-day period, otherwise such longer period as is reasonably required to effect a cure; (iv) or a violation of Company policy
disclosed to Participant, which causes a material detriment to the Company; (v) intentional damage to any property of the Company; (vi) conduct by
Participant which, in the good faith and reasonable determination of the Company, demonstrates gross unfitness to serve; or (vii) material breach of
Participant’s employment agreement or Proprietary Information and Inventions Agreement entered into with the Company.
For purposes of this Award Agreement, “Good Reason” shall mean Participant’s resignation because the Company, without Participant’s consent: (i)
significantly reduces Participant’s rate of compensation, other than performance or commission based compensation, which is not earned through
Participant’s efforts or lack thereof; (ii) fails to provide Participant with a package of benefit plans which, taken as a whole, provide substantially similar
benefits to those in which Participant currently is entitled to participate as of the date of the Date of Grant (except that employee contributions may be raised
to the extent of any costs increases imposed by third parties) or undertakes any action which would adversely affect Participant’s participation or reduce
Participant’s benefits under any such plans; (iii) significantly diminishes Participant’s duties, responsibilities, authority, reporting structure, titles or offices,
excluding for this purpose an isolated, insubstantial or inadvertent action not taken in bad faith which is remedied by the Company promptly after notice
thereof is given by Participant; (iv) requests that Participant relocate to a worksite that is more than thirty-five (35) miles from Participant’s current worksite,
unless Participant accepts such a relocation opportunity; or (v) materially breaches any of Participant’s obligations under Participant’s employment
agreement or Proprietary Information and Inventions Agreement entered into with the Company and fails to correct any such breach within sixty (60) days
after Participant gave the Company written notice.
-4-
�By Participant’s signature and the signature of the representative of Qualys, Inc. (the “Company”) below, Participant and the Company agree that
this Award of Restricted Stock Units is granted under and governed by the terms and conditions of the Plan and this Award Agreement, which are made a
part of this document. Participant has reviewed the Plan and this Award Agreement in their entirety, has had an opportunity to obtain the advice of counsel
prior to executing this Award Agreement and fully understands all provisions of the Plan and Award Agreement. Participant hereby agrees to accept as
binding, conclusive and final all decisions or interpretations of the Administrator upon any questions relating to the Plan and Award Agreement. Participant
further agrees to notify the Company upon any change in the residence address indicated below.
PARTICIPANT:
QUALYS, INC.
Signature
Print Name
Residence Address:
Rima Touma-Bruno
By
Chief Human Resources Officer
Title
-5-
�EXHIBIT A
TERMS AND CONDITIONS OF RESTRICTED STOCK UNIT GRANT
1. Grant. The Company hereby grants to the individual named in the Notice of Grant (the “Participant”) under the Plan an Award of Restricted
Stock Units, subject to all of the terms and conditions in this Award Agreement and the Plan, which is incorporated herein by reference. Subject to Section
18(c) of the Plan, in the event of a conflict between the terms and conditions of the Plan and the terms and conditions of this Award Agreement, the terms and
conditions of the Plan will prevail.
2. Company’s Obligation to Pay. Each Restricted Stock Unit represents the right to receive a Share on the date it vests. Unless and until the
Restricted Stock Units will have vested in the manner set forth in Sections 3 or 4, Participant will have no right to payment of any such Restricted Stock
Units. Prior to actual payment of any vested Restricted Stock Units, such Restricted Stock Units will represent an unsecured obligation of the Company,
payable (if at all) only from the general assets of the Company. Any Restricted Stock Units that vest in accordance with Sections 3 or 4 will be paid to
Participant (or in the event of Participant’s death, to his or her estate) in whole Shares, subject to Participant satisfying any obligations for Tax-Related Items
(as defined in Section 7). Subject to the provisions of Section 4, such vested Restricted Stock Units shall be paid in whole Shares as soon as practicable after
vesting, but in each such case within the period sixty (60) days following the vesting date. In no event will Participant be permitted, directly or indirectly, to
specify the taxable year of the payment of any Restricted Stock Units payable under this Award Agreement.
3. Vesting Schedule. Except as provided in Section 4, and subject to Section 5, the Restricted Stock Units awarded by this Award Agreement
will vest in accordance with the vesting provisions set forth in the Notice of Grant. Restricted Stock Units scheduled to vest on a certain date or upon the
occurrence of a certain condition will not vest in Participant in accordance with any of the provisions of this Award Agreement, unless Participant will have
been continuously a Service Provider from the Date of Grant until the date such vesting occurs.
4. Administrator Discretion. The Administrator, in its discretion, may accelerate the vesting of the balance, or some lesser portion of the
balance, of the unvested Restricted Stock Units at any time, subject to the terms of the Plan. If so accelerated, such Restricted Stock Units will be considered
as having vested as of the date specified by the Administrator. The payment of Shares vesting pursuant to this Section 4 shall in all cases be paid at a time or
in a manner that is exempt from, or complies with, Section 409A.
-6-
�Notwithstanding anything in the Plan or this Award Agreement to the contrary, if the vesting of the balance, or some lesser portion of the
balance, of the Restricted Stock Units is accelerated in connection with Participant’s termination as a Service Provider (provided that such termination is a
“separation from service” within the meaning of Section 409A, as determined by the Company), other than due to death, and if (x) Participant is a “specified
employee” within the meaning of Section 409A at the time of such termination as a Service Provider and (y) the payment of such accelerated Restricted
Stock Units will result in the imposition of additional tax under Section 409A if paid to Participant on or within the six (6) month period following
Participant’s termination as a Service Provider, then the payment of such accelerated Restricted Stock Units will not be made until the date six (6) months
and one (1) day following the date of Participant’s termination as a Service Provider, unless Participant dies following his or her termination as a Service
Provider, in which case, the Restricted Stock Units will be paid in Shares to Participant’s estate as soon as practicable following his or her death. It is the
intent of this Award Agreement that it and all payments and benefits hereunder be exempt from, or comply with, the requirements of Section 409A so that
none of the Restricted Stock Units provided under this Award Agreement or Shares issuable thereunder will be subject to the additional tax imposed under
Section 409A, and any ambiguities herein will be interpreted to be so exempt or so comply. Each payment payable under this Award Agreement is intended
to constitute a separate payment for purposes of Treasury Regulation Section 1.409A-2(b)(2). For purposes of this Award Agreement, “Section 409A” means
Section 409A of the Code, and any final Treasury Regulations and Internal Revenue Service guidance thereunder, as each may be amended from time to
time.
5. Forfeiture upon Termination of Status as a Service Provider. Notwithstanding any contrary provision of this Award Agreement, the balance of
the Restricted Stock Units that have not vested as of the time of Participant’s termination as a Service Provider for any or no reason and Participant’s right to
acquire any Shares hereunder will immediately terminate. The date of Participant’s termination as a Service Provider is detailed in Section 10(h).
6. Death of Participant. Any distribution or delivery to be made to Participant under this Award Agreement will, if Participant is then deceased,
be made to Participant’s designated beneficiary, or if no beneficiary survives Participant, the administrator or executor of Participant’s estate. Any such
transferee must furnish the Company with (a) written notice of his or her status as transferee, and (b) evidence satisfactory to the Company to establish the
validity of the transfer and compliance with any laws or regulations pertaining to said transfer.
7. Withholding of Taxes. Notwithstanding any contrary provision of this Award Agreement, no certificate representing the Shares will be issued
to Participant, unless and until satisfactory arrangements (as determined by the Administrator) will have been made by Participant with respect to the
payment of income, employment, social insurance, payroll tax, fringe benefit tax, payment on account or other tax-related items related to Participant’s
participation in the Plan and legally applicable to Participant (“Tax-Related Items”) which the Company determines must be withheld with respect to such
Shares. Prior to vesting and/or settlement of the Restricted Stock Units, Participant will pay or make adequate arrangements satisfactory to the Company
and/or Participant’s employer (the “Employer”) to satisfy all withholding and payment obligations of Tax-Related Items of the Company and/or the
Employer. In this regard, Participant authorizes the Company and/or the Employer to withhold any Tax-Related Items legally payable by Participant from his
or her wages or other cash compensation paid to Participant by the Company and/or the Employer or from proceeds of the sale of Shares. Alternatively, or in
addition, if permissible under applicable local law, the Administrator, in its sole discretion and pursuant to such procedures as it may specify from time to
time, may permit or require Participant to satisfy such tax withholding obligation, in whole or in part (without limitation) by (a) paying cash, (b) electing to
have the Company withhold otherwise deliverable Shares having a Fair Market Value equal to the minimum amount required to be withheld, (c) selling a
sufficient number of such Shares otherwise deliverable to Participant through such means as the Company may determine in its sole discretion (whether
through a broker or otherwise) equal to the amount required to be withheld, or (d) if Participant is a U.S. employee, delivering to the Company already vested
and owned Shares having a Fair Market Value equal to the amount required to be withheld. To the extent determined appropriate by the Company in its
discretion, it will have the right (but not the obligation) to satisfy any obligations for Tax-Related Items by reducing the number of Shares otherwise
deliverable to Participant [and, until determined otherwise by the Company, this will be the method by which such tax withholding obligations are satisfied].
Further, if Participant is subject to tax in more than one jurisdiction between the Date of Grant and a date of any relevant taxable or tax withholding event, as
applicable, Participant acknowledges and agrees that the Company and/or the Employer (or former employer, as applicable) may be required to withhold or
account for tax in more than one jurisdiction. If Participant fails to make satisfactory arrangements for the payment of any Tax-Related Items hereunder at the
time any applicable Restricted Stock Units otherwise are scheduled to vest pursuant to Sections 3 or 4 or Tax-Related Items related to Restricted Stock Units
otherwise are due, Participant will permanently forfeit such Restricted Stock Units and any right to receive Shares thereunder and the Restricted Stock Units
will be returned to the Company at no cost to the Company.
-7-
�8. Rights as Stockholder. Neither Participant nor any person claiming under or through Participant will have any of the rights or privileges of a
stockholder of the Company in respect of any Shares deliverable hereunder unless and until certificates representing such Shares will have been issued,
recorded on the records of the Company or its transfer agents or registrars, and delivered to Participant. After such issuance, recordation and delivery,
Participant will have all the rights of a stockholder of the Company with respect to voting such Shares and receipt of dividends and distributions on such
Shares.
9. No Guarantee of Continued Service. PARTICIPANT ACKNOWLEDGES AND AGREES THAT THE VESTING OF THE RESTRICTED
STOCK UNITS PURSUANT TO THE VESTING SCHEDULE HEREOF IS EARNED ONLY BY CONTINUING AS A SERVICE PROVIDER AT THE
WILL OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING PARTICIPANT) AND NOT THROUGH THE ACT
OF BEING HIRED, BEING GRANTED THIS AWARD OF RESTRICTED STOCK UNITS OR ACQUIRING SHARES HEREUNDER. PARTICIPANT
FURTHER ACKNOWLEDGES AND AGREES THAT THIS AWARD AGREEMENT, THE TRANSACTIONS CONTEMPLATED HEREUNDER AND
THE VESTING SCHEDULE SET FORTH HEREIN DO NOT CONSTITUTE AN EXPRESS OR IMPLIED PROMISE OF CONTINUED
ENGAGEMENT AS A SERVICE PROVIDER FOR THE VESTING PERIOD, FOR ANY PERIOD, OR AT ALL, AND WILL NOT INTERFERE IN ANY
WAY WITH PARTICIPANT’S RIGHT OR THE RIGHT OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING
PARTICIPANT) TO TERMINATE PARTICIPANT’S RELATIONSHIP AS A SERVICE PROVIDER AT ANY TIME, WITH OR WITHOUT CAUSE.
-8-
�10. Nature of Grant. In accepting the grant, Participant acknowledges, understands and agrees that:
(a)
the Plan is established voluntarily by the Company, it is discretionary in nature and it may be modified, amended, suspended or
terminated by the Company at any time, to the extent permitted by the Plan;
(b) the grant of the Restricted Stock Units is voluntary and occasional and does not create any contractual or other right to receive future
grants of Restricted Stock Units, or benefits in lieu of Restricted Stock Units, even if Restricted Stock Units have been granted in the
past;
(c) all decisions with respect to future Restricted Stock Units or other grants, if any, will be at the sole discretion of the Company;
(d) Participant is voluntarily participating in the Plan;
(e)
the Restricted Stock Units and the Shares subject to the Restricted Stock Units are not intended to replace any pension rights or
compensation;
(f)
the Restricted Stock Units and the Shares subject to the Restricted Stock Units, and the income and value of same, are not part of
normal or expected compensation for purposes of calculating any severance, resignation, termination, redundancy, dismissal, end-of-
service payments, bonuses, long-service awards, pension or retirement or welfare benefits or similar payments;
(g) the future value of the underlying Shares is unknown, indeterminable and cannot be predicted with certainty;
(h) for purposes of the Restricted Stock Units, Participant’s status as a Service Provider will be considered terminated as of the date
Participant is no longer actively providing services to the Company or any Parent or Subsidiary (regardless of the reason for such
termination and whether or not later to be found invalid or in breach of employment laws in the jurisdiction where Participant is a
Service Provider or the terms of Participant’s service agreement, if any), and unless otherwise expressly provided in this Award
Agreement or determined by the Administrator, Participant’s right to vest in the Restricted Stock Units under the Plan, if any, will
terminate as of such date and will not be extended by any notice period (e.g., Participant’s period of service would not include any
contractual notice period or any period of “garden leave” or similar period mandated under employment laws in the jurisdiction where
Participant is a Service Provider or the terms of Participant’s service agreement, if any, unless Participant is providing bona fide services
during such time); the Administrator shall have the exclusive discretion to determine when Participant is no longer actively providing
services for purposes of the Restricted Stock Units grant (including whether Participant may still be considered to be providing services
while on a leave of absence);
-9-
�(i) unless otherwise provided in the Plan or by the Company in its discretion, the Restricted Stock Units and the benefits evidenced by this
Award Agreement do not create any entitlement to have the Restricted Stock Units or any such benefits transferred to, or assumed by,
another company nor be exchanged, cashed out or substituted for, in connection with any corporate transaction affecting the Shares; and
(j)
the following provisions apply only if Participant is providing services outside the United States:
i.
the Restricted Stock Units and the Shares subject to the Restricted Stock Units are not part of normal or expected compensation or
salary for any purpose;
ii. Participant acknowledges and agrees that none of the Company, the Employer, or any Parent or Subsidiary shall be liable for any
foreign exchange rate fluctuation between Participant’s local currency and the United States Dollar that may affect the value of the
Restricted Stock Units or of any amounts due to Participant pursuant to the settlement of the Restricted Stock Units or the
subsequent sale of any Shares acquired upon settlement; and
iii. no claim or entitlement to compensation or damages shall arise from forfeiture of the Restricted Stock Units resulting from the
termination of Participant’s status as a Service Provider (for any reason whatsoever whether or not later found to be invalid or in
breach of employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s service
agreement, if any), and in consideration of the grant of the Restricted Stock Units to which Participant is otherwise not
entitled, Participant irrevocably agrees never to institute any claim against the Company, any Subsidiary or the Employer, waives
his or her ability, if any, to bring any such claim, and releases the Company, any Parent, any Subsidiary and the Employer from
any such claim; if, notwithstanding the foregoing, any such claim is allowed by a court of competent jurisdiction, then, by
participating in the Plan, Participant shall be deemed irrevocably to have agreed not to pursue such claim and agrees to execute
any and all documents necessary to request dismissal or withdrawal of such claim.
-10-
�11. No Advice Regarding Grant. The Company is not providing any tax, legal or financial advice, nor is the Company making any
recommendations regarding Participant’s participation in the Plan, or Participant’s acquisition or sale of the underlying Shares. Participant is hereby advised
to consult with his or her own personal tax, legal and financial advisors regarding his or her participation in the Plan before taking any action related to the
Plan.
12. Data Privacy. Participant hereby explicitly and unambiguously consents to the collection, use and transfer, in electronic or other form,
of Participant’s personal data as described in this Award Agreement and any other Restricted Stock Unit grant materials by and among, as applicable,
the Employer, the Company and any Parent or Subsidiary for the exclusive purpose of implementing, administering and managing Participant’s
participation in the Plan.
Participant understands that the Company and the Employer may hold certain personal information about Participant, including, but not
limited to, Participant’s name, home address and telephone number, date of birth, social insurance number or other identification number, salary,
nationality, job title, any shares of stock or directorships held in the Company, details of all Restricted Stock Units or any other entitlement to shares of
stock awarded, canceled, exercised, vested, unvested or outstanding in Participant’s favor (“Data”), for the exclusive purpose of implementing,
administering and managing the Plan.
Participant understands that Data will be transferred to a stock plan service provider as may be selected by the Company in the future, which is
assisting the Company with the implementation, administration and management of the Plan. Participant understands that the recipients of the Data may
be located in the United States or elsewhere, and that the recipients’ country (e.g., the United States) may have different data privacy laws and protections
than Participant’s country. Participant understands that if he or she resides outside the United States, he or she may request a list with the names and
addresses of any potential recipients of the Data by contacting his or her local human resources representative. Participant authorizes the Company, any
stock plan service provider selected by the Company and any other possible recipients which may assist the Company (presently or in the future) with
implementing, administering and managing the Plan to receive, possess, use, retain and transfer the Data, in electronic or other form, for the sole
purpose of implementing, administering and managing his or her participation in the Plan. Participant understands that Data will be held only as long
as is necessary to implement, administer and manage Participant’s participation in the Plan. Participant understands if he or she resides outside the
United States, he or she may, at any time, view Data, request additional information about the storage and processing of Data, require any necessary
amendments to Data or refuse or withdraw the consents herein, in any case without cost, by contacting in writing his or her local human resources
representative. Further, Participant understands that he or she is providing the consents herein on a purely voluntary basis. If Participant does not
consent, or if Participant later seeks to revoke his or her consent, his or her status as a Service Provider and career with the Employer will not be
adversely affected; the only adverse consequence of refusing or withdrawing Participant’s consent is that the Company would not be able to grant
Participant Restricted Stock Units or other equity awards or administer or maintain such awards. Therefore, Participant understands that refusing or
withdrawing his or her consent may affect Participant’s ability to participate in the Plan. For more information on the consequences of Participant’s
refusal to consent or withdrawal of consent, Participant understands that he or she may contact his or her local human resources representative.
-11-
�13. Address for Notices. Any notice to be given to the Company under the terms of this Award Agreement will be addressed to the Company at
Qualys, Inc., 919 East Hillsdale Boulevard, Foster City, California 94404, or at such other address as the Company may hereafter designate in writing.
14. Grant is Not Transferable. Except to the limited extent provided in Section 6, this grant and the rights and privileges conferred hereby will
not be transferred, assigned, pledged or hypothecated in any way (whether by operation of law or otherwise) and will not be subject to sale under execution,
attachment or similar process. Upon any attempt to transfer, assign, pledge, hypothecate or otherwise dispose of this grant, or any right or privilege conferred
hereby, or upon any attempted sale under any execution, attachment or similar process, this grant and the rights and privileges conferred hereby immediately
will become null and void.
15. Binding Agreement. Subject to the limitation on the transferability of this grant contained herein, this Award Agreement will be binding
upon and inure to the benefit of the heirs, legatees, legal representatives, successors and assigns of the parties hereto.
16. Additional Conditions to Issuance of Stock. If at any time the Company will determine, in its discretion, that the listing, registration,
qualification or rule compliance of the Shares upon any securities exchange or under any state, federal or foreign law, the tax code and related regulations or
the consent or approval of any governmental regulatory authority is necessary or desirable as a condition to the issuance of Shares to Participant (or his or her
estate) hereunder, such issuance will not occur unless and until such listing, registration, qualification, rule compliance, consent or approval will have been
completed, effected or obtained free of any conditions not acceptable to the Company. Where the Company determines that the delivery of the payment of
any Shares will violate federal securities laws or other applicable laws, the Company will defer delivery until the earliest date at which the Company
reasonably anticipates that the delivery of Shares will no longer cause such violation. The Company will make all reasonable efforts to meet the requirements
of any such state, federal or foreign law or securities exchange and to obtain any such consent or approval of any such governmental authority or securities
exchange.
17. Plan Governs. This Award Agreement is subject to all terms and provisions of the Plan. In the event of a conflict between one or more
provisions of this Award Agreement and one or more provisions of the Plan, the provisions of the Plan will govern. Capitalized terms used and not defined in
this Award Agreement will have the meaning set forth in the Plan.
-12-
�18. Administrator Authority. The Administrator will have the power to interpret the Plan and this Award Agreement and to adopt such rules for
the administration, interpretation and application of the Plan as are consistent therewith and to interpret or revoke any such rules (including, but not limited
to, the determination of whether or not any Restricted Stock Units have vested). All actions taken and all interpretations and determinations made by the
Administrator in good faith will be final and binding upon Participant, the Company and all other interested persons. No member of the Administrator will be
personally liable for any action, determination or interpretation made in good faith with respect to the Plan or this Award Agreement.
19. Electronic Delivery and Acceptance. The Company may, in its sole discretion, decide to deliver any documents related to Restricted Stock
Units awarded under the Plan or future Restricted Stock Units that may be awarded under the Plan by electronic means or request Participant’s consent to
participate in the Plan by electronic means. Participant hereby consents to receive such documents by electronic delivery and agrees to participate in the Plan
through any on-line or electronic system established and maintained by the Company or a third party designated by the Company.
20. Language. If Participant has received this Award Agreement or any other document related to the Plan translated into a language other than
English and if the meaning of the translated version is different than the English version, the English version will control.
21. Captions. Captions provided herein are for convenience only and are not to serve as a basis for interpretation or construction of this Award
Agreement.
22. Agreement Severable. In the event that any provision in this Award Agreement will be held invalid or unenforceable, such provision will be
severable from, and such invalidity or unenforceability will not be construed to have any effect on, the remaining provisions of this Award Agreement.
23. Amendment, Suspension or Termination of the Plan. By accepting this Award, Participant expressly warrants that he or she has received an
Award of Restricted Stock Units under the Plan, and has received, read and understood a description of the Plan. Participant understands that the Plan is
discretionary in nature and may be amended, suspended or terminated by the Company at any time.
24. Governing Law and Venue. This Award Agreement will be governed by the laws of California without giving effect to the conflict of law
principles thereof. For purposes of litigating any dispute that arises under this Award of Restricted Stock Units or this Award Agreement, the parties hereby
submit to and consent to the jurisdiction of the State of California, and agree that such litigation will be conducted in the courts of San Mateo County,
California, or the federal courts for the United States for the Northern District of California, and no other courts, where this Award of Restricted Stock Units
is made and/or to be performed.
-13-
�25. [Appendix. Notwithstanding any provisions in this Award Agreement, the Restricted Stock Unit grant shall be subject to any special terms
and conditions set forth in any appendix to this Award Agreement for Participant’s country (the “Appendix”). Moreover, if Participant relocates to one of the
countries included in the Appendix, the special terms and conditions for such country will apply to Participant, to the extent the Company determines that the
application of such terms and conditions is necessary or advisable for legal or administrative reasons. The Appendix constitutes part of this Award
Agreement.]
26. Modifications to the Award Agreement. This Award Agreement constitutes the entire understanding of the parties on the subjects covered.
Participant expressly warrants that he or she is not accepting this Award Agreement in reliance on any promises, representations, or inducements other than
those contained herein. Modifications to this Award Agreement or the Plan can be made only in an express written contract executed by a duly authorized
officer of the Company. Notwithstanding anything to the contrary in the Plan or this Award Agreement, the Company reserves the right to revise the Award
Agreement as it deems necessary or advisable, in its sole discretion and without the consent of Participant, to comply with Section 409A or to otherwise
avoid imposition of any additional tax or income recognition under Section 409A in connection to this Award of Restricted Stock.
27. Waiver. Participant acknowledges that a waiver by the Company of breach of any provision of this Award Agreement shall not operate or
be construed as a waiver of any other provision of this Award Agreement, or of any subsequent breach by Participant or any other Participant.
-14-
�EXHIBIT B
[ANY APPLICABLE APPENDIX TO BE ADDED]
-15-
�[***] Certain information in this document has been excluded because it both (i) is not material and (ii) would likely cause competitive harm to the
registrant if publicly disclosed.
Exhibit 10.11
1. Purpose. The purpose of this 2021 Corporate Bonus Plan (the “Plan”) is to motivate and encourage the employees of Qualys (the
“Company”) to achieve its stated goals and to assist the Company in attracting, motivating and retaining employees on a competitive basis.
2021 CORPORATE BONUS PLAN
2. Eligibility
(a) An officer or employee of the Company is designated as a participant in the Plan (“Participant”) and shall be eligible to participate
in the Plan if he or she is a regular full-time or regular part-time employee (working greater than 20 hours a week) and he or she is not already participating
in a separate Compensation Plan or MBO plan.
(b) New Hires. New employees hired in the first or second month of a quarter will be eligible to participate in the Plan for that quarter,
such participation will be prorated based on the number of days employed in the quarter.
(c) Termination of Employment. To be eligible for the bonus, the employee must be employed as of the last day of the quarter.
(d) Absence during Performance Period. If a Participant is absent for a period of more than one-half of the scheduled workdays
during a quarter, for any reason, the Participant’s bonus payment will be prorated based on the number of days the Participant actually worked compared to
the total number of scheduled work days during that quarter.
3. Bonus Criteria
bonus period.
(a) Bonus Period. The Bonus Plan is effective from January 1, 2021 through December 31, 2021. Each calendar quarter is a separate
(b) Bonus Level. A Participant’s level of participation in the Plan is set based on their grade level as determined by the Human
Resources Department and is applied to the Participant’s base salary as of the last day of that quarter to determine the bonus amount.
(c) Objective Criteria: The Plan payments will be based on ASV (as defined below), Revenue (as defined below) and Non-GAAP
EPS (as defined below).
(1) ASV. The stated goal is the growth in company-wide bookings as represented by Annual Subscription Value (“ASV”) for the
current quarter over the same quarter of the prior year. ASV is the sum of one year’s worth of subscribed revenues to Qualys for all new, renewal and upsell
subscriptions contracted by customers and channel partners in each quarter. ASV is determined by policies and practices administered by the Controller and
the final quarterly ASV amount is approved by the CFO.
Page 1 of 3
�the Company’s quarterly and annual financial statements) for the current quarter over the same quarter of the prior year.
(2) Revenue. The stated goal is the growth in company-wide revenue (as determined in accordance with GAAP and set forth in
stock-based compensation expense, acquisition-related expenses (except for ordinary course advisory fees), tax adjustments and bonus payments under this
Plan divided by weighted average shares (diluted) for the applicable quarter.
(3) Non-GAAP EPS. The stated goal is Non-GAAP earnings per diluted share. Non-GAAP EPS is GAAP net income less
(d) Payout Calculation. A Participant’s bonus amount will be equal to the aggregate for each of the applicable objective goals as
follows: the payment percentage described below multiplied by weighting percentage for the applicable goal. ASV Growth, Revenue Growth and Non-
GAAP EPS shall be the 3 goals and shall be equally weighted.
(1) ASV. The payout percentage scales based upon achievement of ASV as described in Section 1 of the Appendix.
(2) Revenue. The payout percentage scales based upon achievement of Revenue as described in Section 2 of the Appendix.
(3) Non-GAAP EPS. The payout percentage scales based upon achievement of Non-GAAP EPS as described in Section 3 of the
Appendix.
(e) Bonus Payments. Bonus payments to Participants under this Plan will be made with the first payroll of the second month
following the end of the quarter. Bonus payments are “gross” amounts, meaning that they constitute the full amount and that there will be no other increases
(for example, to cover income taxes). The company will deduct from any payment under the Plan the amount of all applicable income and employment taxes,
and any other amounts required by law to be withheld or deducted from such payment. None of the payments will be “benefits bearing” (i.e., the bonus
amounts will not be used for purposes of determining any other company-provided benefits or compensation).
4. Administration. This Plan shall be administered by the Company’s CFO (except with respect to Participants who are the Company’s
executive officers, in which case the Compensation Committee of the Board of Directors will serve as the administrator), who may make and apply such
rules deemed desirable or necessary to administer the Plan in the best interests of the Company. All questions of interpretation or application of the Plan may
be addressed in writing to the CFO (or as applicable, the Compensation Committee), who shall review each inquiry in good faith, and each such
determination shall be final and binding. With the approval of the Compensation Committee, the results with respect to determination of ASV, Revenue, and
Non-GAAP EPS will be adjusted to remove the effects of charges for restructurings, discontinued operations, extraordinary items and all items of gain, loss
or expense determined to be extraordinary or unusual in nature or related to the disposal of a segment of a business or related to a change in accounting
principle, asset write-downs, litigation, claims, judgments or settlements, the effect of changes in tax law or other such laws or provisions affecting reported
results, accruals for reorganization and restructuring programs.
Page 2 of 3
�1. ASV. The bonus will be equal to 100% if the company plan number is achieved, as indicated in the table below. For ASV achievement below company
plan targets, a sliding scale will be used. ASV achievement will be rounded to the nearest ten thousand. The floor indicates the minimum required
achievement for payout. Below is the current year targets and payout schedule:
APPENDIX
[***]
2. Revenue. The bonus will be equal to 100% if the company plan number is achieved, as indicated in the table below. For revenue achievement below
company plan targets, a sliding scale will be used. Revenue achievement will be rounded to the nearest ten thousand. The floor indicates the minimum
required achievement for payout. Below is the current year targets and payout schedule:
[***]
3. Non-GAAP EPS. The bonus will be equal to 100% if the company plan number is achieved, as indicated in the table below. For Non-GAAP EPS
achievement below company plan targets, a sliding scale will be used. Non-GAAP EPS achievement will be rounded to one cent. The floor indicates the
minimum required achievement for payout.
[***]
Page 3 of 3
�Exhibit 21.1
List of subsidiaries of Qualys, Inc.
Name of Subsidiary
Qualys International, Inc.
Blue Jay Acquisition Sub, Inc.
Qualys Brazil Desenvolvimento de Produtos e Consultoria de Tecnologias
de Seguranca LTDA.
Qualys Canada, Ltd.
Qualys Technologies, S.A.
Qualys GmbH
Qualys Hong Kong Limited
Qualys Security TechServices Private Ltd.
Qualys Japan K.K.
Qualys Singapore Pte. Ltd.
Qualys Middle East FZE
Qualys Ltd.
Qualys Australia Pty Ltd.
Qualys Switzerland Sarl
Qualys Colombia S.A.S.
Qualys South Africa Proprietary Limited
Qualys Netherlands B.V.
Jurisdiction of Incorporation
United States
United States
Brazil
Canada
France
Germany
Hong Kong
India
Japan
Singapore
United Arab Emirates
United Kingdom
Australia
Switzerland
Colombia
South Africa
The Netherlands
�CONSENT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
We have issued our reports dated February 22, 2022, with respect to the consolidated financial statements and internal control over financial reporting
included in the Annual Report of Qualys, Inc. on Form 10-K for the year ended December 31, 2021. We consent to the incorporation by reference of said
reports in the Registration Statements of Qualys, Inc. on Forms S-8 (File Nos. 333-184394, 333-193576, 333-202587, 333-209735, 333-216232, 333-
223192, 333-229908, 333-236576, 333-253373 and 333-257657).
Exhibit 23.1
/s/ GRANT THORNTON LLP
San Jose, California
February 22, 2022
�CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
Exhibit 31.1
I, Sumedh Thakar, certify that:
1.
2.
3.
4.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this
report;
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the
financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-
15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external
purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent
fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially
affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably
likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control
over financial reporting.
Date:
By:
February 22, 2022
/s/ SUMEDH THAKAR
Sumedh Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.
�CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
Exhibit 31.2
I, Joo Mi Kim, certify that:
1.
2.
3.
4.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this
report;
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the
financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-
15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external
purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent
fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially
affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably
likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control
over financial reporting.
Date:
By:
February 22, 2022
/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial officer)
Qualys, Inc.
�CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
Exhibit 32.1
In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2021, as filed with the Securities and
Exchange Commission on the date hereof (the “Report”), I, Sumedh Thakar, Interim Chief Executive Officer of the Company, certify, pursuant to 18 U.S.C.
§ 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
Date:
By:
February 22, 2022
/s/ SUMEDH THAKAR
Sumedh Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.
�CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
Exhibit 32.2
In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2021, as filed with the Securities and
Exchange Commission on the date hereof (the “Report”), I, Joo Mi Kim, Chief Financial Officer of the Company, certify, pursuant to 18 U.S.C. § 1350, as
adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
Date:
By:
February 22, 2022
/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial officer)
Qualys, Inc.
�