What changed in Gitlab Inc.'s 2023 10-K compared to 2022?

Across the narrative sections we track, Gitlab Inc. (GTLB) added 539 paragraphs, removed 571, and edited 408 between the 2022 and 2023 10-K filings. The biggest movers are Item 1A. Risk Factors (+265/−252), Item 7. Management's Discussion & Analysis (+116/−162), Item 1. Business (+143/−144).

Did Gitlab Inc. add new Risk Factors in the 2023 10-K?

Yes — Item 1A Risk Factors shows 265 new/edited paragraphs and 252 removed paragraphs versus the 2022 10-K.

What changed in Gitlab Inc.'s MD&A (Item 7) in 2023?

Item 7 Management's Discussion & Analysis shows 116 new/edited paragraphs and 162 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did Gitlab Inc.'s Legal Proceedings (Item 3) change in 2023?

Item 3 shows 3 added/edited paragraphs and 3 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this GTLB 10-K diff come from?

The source filings are Gitlab Inc.'s official 2022 and 2023 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in Gitlab Inc.'s 10-K — 2022 vs 2023

Paragraph-level year-over-year comparison of Gitlab Inc.'s 2022 and 2023 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2023 report.

+539 added−571 removedSource: 10-K (2023-03-30) vs 10-K (2022-04-08)

Top changes in Gitlab Inc.'s 2023 10-K

539 paragraphs added · 571 removed · 408 edited across 6 sections

Item 1A. Risk Factors+265 / −252 · 199 edited
Item 7. Management's Discussion & Analysis+116 / −162 · 80 edited
Item 1. Business+143 / −144 · 118 edited
Item 7A. Quantitative and Qualitative Disclosures About Market Risk+8 / −5 · 4 edited
Item 5. Market for Registrant's Common Equity+4 / −5 · 4 edited

Item 1. Business

Business — how the company describes what it does

118 edited+25 added−26 removed38 unchanged

2022 filing

2023 filing

Biggest changeWhile our Free tier platform includes significant functionality for individual users, our paid tiers include features that are more relevant for managers, directors, and executives. • Our Free Plan caters to capabilities needed by individual contributors to do their daily jobs. 14 Table of Contents • Our Premium Plan builds on the capabilities of the Free Plan while also adding functionality intended specifically for managers and directors to help teams enhance collaboration between development and operations teams, manage projects and portfolios, and accelerate the deployment of code. • Our Ultimate Plan provides further functionality for executives and has functions to help organizations establish better collaboration between development, operations, and security teams, instill organizational wide security, compliance and planning practices, and implement full value stream measurement, analytics, and reporting, across the DevOps lifecycle.

Biggest changeWhile our Free tier platform includes significant functionality for individual users, our paid tiers include features that are more relevant for managers, directors, and executives. • Our Free tier caters to capabilities needed by individual contributors to do their daily jobs. • Our Premium tier builds on the capabilities of the Free Plan while also adding functionality intended specifically for managers and directors to help teams enhance collaboration between development and operations teams, manage projects and portfolios, and accelerate the deployment of code. • Our Ultimate tier provides further functionality for executives and has functions to help teams establish better collaboration between development, operations, and security teams, instill organizational wide security, compliance and planning practices, and implement full value stream measurement, analytics, and reporting, across the DevSecOps lifecycle. 14 Table of Contents Our subscription plans are available as a self-managed offering which customers download to run in their own on-premise environment or hybrid cloud environments, and also a SaaS offering which is managed by us and is hosted in either the public cloud or in a private cloud based on the customer’s preference.

We view our primary current competition as customers’ legacy approach of DIY DevOps, using a combination of point tools manually integrated together. Our offering is substantially different in that it is one platform, one codebase, one interface and a unified data model that spans the entire DevOps lifecycle.

We also continue to focus on acquiring users with our free product and converting free users to paying customers, with a special focus on improving the self-service purchasing experience. • Drive increased expansion within our existing customer base.

We also continue to focus on acquiring users with our free product and converting free users to paying customers, with a special emphasis on improving the self-service purchasing experience. • Drive increased expansion within our existing customer base.

In the locations where we use PEOs, we contract with the PEO for it to serve as “Employer of Record” for team members engaged through the PEOs. Team members are employed by the PEO but provide services to GitLab.

In the locations where we use PEOs, we contract with the PEO for it to serve as “Employer of Record” for team members engaged through such PEO. Team members are employed by the PEO but provide services to GitLab.

Protects access to key infrastructure configuration details such as passwords and login information by using ‘secret variables’ to limit access to only authorized users and processes. • Monitor. Provides feedback in the form of errors, traces, metrics, logs, and alerts to help reduce the severity and frequency of incidents so that users can release software frequently with confidence. • Protect.

Finally, as engaged members of the open-source community, our contributors often serve as subject matter experts at market-leading developer events, and The DevOps Platform is presented on the cutting edge of innovation. Competition The markets we serve are highly competitive and rapidly evolving. With the introduction of new technologies and innovations, we expect the competitive environment to remain intense.

Finally, as engaged members of the open-source community, our contributors often serve as subject matter experts at market-leading developer events, and The DevSecOps Platform is presented on the cutting edge of innovation. Competition The markets we serve are highly competitive and rapidly evolving. With the introduction of new technologies and innovations, we expect the competitive environment to remain intense.

Our Technology Our single application strategy means that we have one codebase to author, test, secure, package, and distribute. This also means we are able to give users the most choice. Our customers can use a SaaS subscription or run The DevOps Platform themselves in a self-managed way in their own cloud environments.

Our Technology Our single application strategy means that we have one codebase to author, test, secure, package, and distribute. This also means that we are able to give users the most choice. Our customers can use a SaaS subscription or run The DevSecOps Platform themselves in a self-managed way in their own cloud environments.

See the section entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations —Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for additional information about how we define ARR. We make our plans available through our self-managed and software-as-a-service, or SaaS offerings.

We believe this focus on business results and engaged partnership maximizes long-term, sustainable customer value and drives expansion with our existing customers.

We believe that this focus on business results and engaged partnership maximizes long-term, sustainable customer value and drives expansion with our existing customers.

The DevOps Platform eliminates fragmented tools and point integrations that create blind spots and poor visibility across work streams. This allows compliance and audit teams to more easily log, track, and trace different steps across the DevOps lifecycle, better understand governance, and improve their compliance posture. • Boost team member morale and productivity.

The DevSecOps Platform eliminates fragmented tools and point integrations that create blind spots and poor visibility across work streams. This allows compliance and audit teams to more easily log, track, and trace different steps across the DevSecOps lifecycle, better understand governance, and improve their compliance posture. • Boost team member morale and productivity.

The DevOps Platform brings together developers, operations and security professionals and elevates their innovation to new levels, making it faster, safer, and more accessible. We are an all-remote company, and we pride ourselves in how we work through enabling our team members the individualized flexibility to reach their business results.

The DevSecOps Platform brings together developers, operations, and security professionals and elevates their innovation to new levels, making it faster, safer, and more accessible. We are an all-remote company, and we pride ourselves in how we work through enabling our team members the individualized flexibility to reach their business results.

We seek to clearly and consistently articulate our monetization strategy on teams and organizations to provide predictability to both our customers as well as the community of contributors. Our open source approach is intended to increase our development velocity as the developer pool who contributes to our codebase is greater than the size of any single engineering organization.

As each feature is typically similar in size, we are able to measure and track our development team's efficacy by counting the number of merge requests, or a request to merge one branch of code into another. We believe that our development approach, using The DevOps Platform, is a key competitive advantage.

The DevOps Platform enables our customers to spend more time building, deploying, and securing software, and less time managing, integrating, and triaging across different tools. In a single application, each team member can follow the entire lifecycle from beginning to end with contextual history and understanding at each process.

The DevSecOps Platform enables our customers to spend more time building, deploying, and securing software, and less time managing, integrating, and triaging across different tools. In a single application, each team member can follow the entire lifecycle from beginning to end with contextual history and understanding at each process.

For self-managed users GitLab is the only truly public-cloud-agnostic solution. Customers can also run The DevOps Platform in their own data centers if they wish. They can further choose to run GitLab on traditional servers, or they can use containers and an orchestration system like Kubernetes.

For self-managed users, GitLab is the only truly public-cloud-agnostic solution. Customers can also run The DevSecOps Platform in their own data centers if they wish. They can further choose to run GitLab on traditional servers, or they can use containers and an orchestration system like Kubernetes.

It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity. The DevOps Platform also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance.

It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity. The DevSecOps Platform also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance.

We believe serving as this system of record for code and our high engagement with developers is a competitive advantage in realizing our single application vision as it creates interdependence and adoption across more stages of the DevOps lifecycle, such as Package, Secure, and Release.

We believe serving as this system of record for code and our high engagement with developers is a competitive advantage in realizing our single application vision as it creates interdependence and adoption across more stages of the DevSecOps lifecycle, such as Package, Secure, and Release.

We are then able to engage with these users to encourage them to upgrade to a paid version. Once a customer is onboarded with GitLab, our teams work to identify additional business units and parent/child/subsidiary prospects that would benefit from The DevOps Platform.

GitLab team members also use The DevOps Platform to power our own DevOps lifecycle. By doing so, we benefit from the inherent advantages of using a single application. We leverage these learnings to establish a rapid feedback loop to continually and rapidly improve The DevOps Platform.

GitLab team members also use The DevSecOps Platform to power our own DevSecOps lifecycle. By doing so, we benefit from the inherent advantages of using a single application. We leverage these learnings to establish a rapid feedback loop to continually and rapidly improve The DevSecOps Platform.

We aim to take an iterative approach in everything we do, including our day to day work and building The DevOps Platform. Our process is centered on dividing work into small increments, not completing everything at once, and pursuing each stage with speed and efficiency.

We aim to take an iterative approach in everything we do, including our day to day work and building The DevSecOps Platform. Our process is centered on dividing work into small increments, not completing everything at once, and pursuing each stage with speed and efficiency.

In certain countries in which we operate, we are subject to, and comply with, local labor law requirements which may automatically make our team members subject to industry-wide collective bargaining agreements or works counsel. We have not experienced any work stoppages.

It spans all stages of the DevOps lifecycle, from project planning, or Plan, to source code management, or Create, to continuous integration, or Verify, to static and dynamic application security testing, or Secure, to packaging artifacts, or Package, to continuous delivery and deployment, or Release, to configuring infrastructure for optimal deployment, or Configure, to monitoring it for incidents, or Monitor, to protecting the production deployment, or Protect, and managing the whole cycle with value stream analytics, or Manage.

It spans all stages of the DevOps lifecycle, from project planning (Plan), to source code management (Create), to continuous integration (Verify), to application security testing (Secure), to packaging artifacts (Package), to continuous delivery and deployment (Release) to configuring infrastructure for optimal deployment (Configure), to monitoring it for incidents (Monitor), to protecting the production deployment (Protect), and managing the whole cycle with value stream analytics (Manage).

When considering buyers as part of product tiering decisions we use the following guidance: • Premium is for team(s) usage, with the purchasing decision led by one or more directors • Ultimate is for strategic organizational usage, with the purchasing decision led by one or more executives We want to be good stewards of our open source solution, so we aim to provide much of The DevOps Platform to the market for free.

When considering buyers as part of product tiering decisions, we use the following guidance: • Premium is for team(s) usage, with the purchasing decision led by one or more managers or directors • Ultimate is for strategic organizational usage, with the purchasing decision led by one or more executives We want to be good stewards of our open source solution, so we aim to provide much of The DevSecOps Platform to the market for free.

Additional benefits programs (which vary by country and region) include a 401(k) Plan with a company match, healthcare, vision, and dental insurance benefits, health savings and flexible spending accounts, flexible paid time off, parental leave, and other benefits tailored to the specific needs of our employees such as family forming, caregiving and mental health resources.

Additional benefits programs (which vary by country and region) include a 401(k) Plan with a company match, healthcare, vision, and dental insurance benefits, health savings and flexible spending accounts, flexible paid time off, parental leave, and other benefits tailored to the specific needs of our team members such as family forming, caregiving, and mental health resources.

The DevOps Platform enables application portability by allowing customers to seamlessly secure and manage their applications across clouds. This allows our customers to provide full value stream analytics on their DevOps workflow and simplify their application security and compliance across clouds.

The DevSecOps Platform enables application portability by allowing customers to seamlessly secure and manage their applications across clouds. This allows our customers to provide full value stream analytics on their DevSecOps workflow and simplify their application security and compliance across clouds.

We plan to continue investing in sales and marketing, with a focus on driving expansion of The DevOps Platform within existing customers, particularly for our larger customers. • Further grow adoption of our SaaS offering.

We plan to continue investing in sales and marketing, with a focus on driving expansion of The DevSecOps Platform within existing customers, particularly for our larger customers. • Further grow adoption of our SaaS offering.

The DevOps Platform GitLab has pioneered The DevOps Platform, a single application that brings together development, operations, IT, security, and business teams to deliver desired business outcomes through efficient software development. It represents a step change in how organizations plan, build, secure and deliver software. The DevOps Platform is built on a single codebase, unified data model, and user interface.

The DevSecOps Platform GitLab has pioneered The DevSecOps Platform, a single application that brings together development, operations, IT, security, and business teams to deliver desired business outcomes through efficient software development. It represents a step change in how teams plan, build, secure and deliver software. The DevSecOps Platform is built on a single codebase, unified data model, and user interface.

Further, The DevOps Platform also delivers cost savings to our customers by eliminating the hidden costs and time it takes to manually integrate these point products and drives greater efficiency gains and productivity.

Further, The DevSecOps Platform also delivers cost savings to our customers by eliminating the hidden costs and time it takes to manually integrate these point products and drives greater efficiency gains and productivity.

We use our investor relations page on our website (https://about.gitlab.com), press releases, public conference calls, public webcasts, our Twitter account (@gitlab), our Facebook page, our LinkedIn page, our company news site (https://about.gitlab.com/press/) and our corporate blog (https://about.gitlab.com/blog/) as means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD.

We use our investor relations page on our website (https://ir.gitlab.com/), press releases, public conference calls, public webcasts, our Twitter account (@gitlab), our Facebook page, our LinkedIn page, our company news site (https://about.gitlab.com/press/) and our corporate blog (https://about.gitlab.com/blog/) as means of disclosing material nonpublic information and for complying with our disclosure obligations under Regulation FD.

Approaching work this way, we are able to rapidly get input from end-users who are actively using our platform, continuously revisit what we are doing with a fresher perspective, and gradually gain a greater sense of visibility into what the end picture should look like.

Approaching work this way, we are able to rapidly get input from end-users who are actively using our platform, continuously revisit what we are doing with a fresher perspective, and gradually gain a greater 12 Table of Contents sense of visibility into what the end picture should look like.

We expect that the competition from DIY DevOps will decrease over time as companies realize the shortcomings in this approach. To ensure easy transitions for customers and support for 16 Table of Contents dependencies on internal and external tools, we support staged adoption while continuing the use of some legacy tools.

We expect that the competition from DIY DevOps will decrease over time as companies realize the shortcomings in this approach. To ensure easy transitions for customers and support for dependencies on internal and external tools, we support staged adoption while continuing the use of some legacy tools.

Transparency creates awareness for GitLab, allows us to recruit people who care about our values, gets us more and faster feedback from people outside the company, and makes it easier to collaborate.

Transparency creates awareness for GitLab, allows us to recruit people who care about our values, gets us more and faster feedback from people outside GitLab, and makes it easier to collaborate.

We believe that nearly all organizations will modernize from DIY DevOps into DevOps platforms and that the opportunity to continue growing our customer base is substantial. To drive new customer growth, we intend to continue investing in sales and marketing, with a focus on replacing DIY DevOps within larger organizations.

We believe that nearly all teams will modernize from DIY DevOps into DevSecOps Platforms and that the opportunity to continue growing our customer base is substantial. To drive new customer growth, we intend to continue investing in sales and marketing, with a focus on replacing DIY DevOps within larger teams.

We plan to continue investing in building out our partner program to expand our distribution footprint, to broaden the awareness of The DevOps Platform, and to more efficiently add new customers.

We plan to continue investing in building out our partner program to expand our distribution footprint, to broaden the awareness of The DevSecOps Platform, and to more efficiently add new customers.

Our marketing department is focused on generating awareness of The DevOps Platform to our developer community, existing customers and users, and potential customers. We utilize diverse tactics such as digital demand generation, account based marketing, nurture programs, sales development, virtual and field events, sponsored webcasts, gated content downloads, whitepapers, display advertising and integrated campaigns to connect with prospective customers.

Our marketing department is focused on generating awareness of The DevSecOps Platform to our developer community, existing customers and users, and potential customers. We utilize diverse tactics such as digital demand generation, account based marketing, nurture programs, sales development, virtual and field events, sponsored webinars, gated content downloads, whitepapers, display advertising and integrated campaigns to connect with prospective customers.

Additionally, as our platform’s geographic scope expands, regulatory agencies or courts may claim that we are subject to additional requirements, or are prohibited from conducting our business in or with certain jurisdictions, either generally or with respect to certain services, or that we are otherwise required to change our business practices.

Additionally, as our platform’s geographic scope continues to expand, regulatory agencies or courts may claim that we are subject to additional requirements, or are prohibited from conducting our business in or with certain jurisdictions, either generally or with respect to certain services, or that we are otherwise required to change our business practices.

For more information regarding our customers, refer to the section titled “ — Our Customers.” DevOps is the set of practices that combines software development (dev) and IT operations (ops). It aims to allow teams to collaborate and work together to shorten the development lifecycle and evolve from delivering software on a slow, periodic basis to rapid, continuous updates.

For more information regarding our customers, refer to the section titled “Business—Our Customers.” DevOps is the set of practices that combines software development (dev) and IT operations (ops). It allows teams to collaborate and work together to shorten the development lifecycle and evolve from delivering software on a slow, periodic basis to rapid, continuous updates.

The private, secure, container and package registries are built-in and preconfigured out-of-the box to work seamlessly with GitLab source code management, or SCM, security scanners, and Continuous Integration/Continuous Delivery, or CI/CD, pipelines. • Secure.

The private, secure, container, and package registries are built-in 8 Table of Contents and preconfigured out-of-the box to work seamlessly with GitLab source code management, or SCM, security scanners, and Continuous Integration/Continuous Delivery, or CI/CD, pipelines. • Secure.

For IT system administrators and internal security teams this also means they have one application environment and authentication system to inspect and certify according to their company’s standards. Our Customers We serve organizations of all sizes across industries and regions. As of January 31, 2022 , we had customers in over 140 countries.

For IT system administrators and internal security teams this also means they have one application environment and authentication system to inspect and certify according to their team’s standards. Our Customers We serve organizations of all sizes across industries and regions. As of January 31, 2023, we had customers in over 140 countries.

We believe we compete favorably based on the following competitive factors: • ability to provide a single application that is purpose-built to span the entire DevOps lifecycle; • ability to rapidly innovate and consistently ship and release more features and versions of our software; • maturity of features in the Create (source code management) and Verify (continuous integration) stages; • ability to run natively across any public cloud, private cloud, hybrid cloud, or on-premises environment; • ability to enable collaboration between developers, IT operations, and security teams; • ability to reduce handoffs, friction, and switching costs across different stages of the DevOps lifecycle; • ability to reduce software development times to release better software faster; • ability to consolidate multiple tools into a single platform; • ability to eliminate manual integrations that are costly and time-effective to maintain; • ability to provide a seamless, consistent, and single user experience through one user interface; • ability to deliver a large, engaging community of open source contributors; • performance, scalability, and reliability; • ability to implement strong security and governance; • quality of service and overall customer satisfaction; and • strong documentation and transparency of information.

These are essentially third-party DIY DevOps and are not a single application. 16 Table of Contents We believe we compete favorably based on the following competitive factors: • ability to provide a single application that is purpose-built to span the entire DevSecOps lifecycle; • ability to rapidly innovate and consistently ship and release more features and versions of our software; • maturity of features in the Create (Source Code Management) and Verify (Continuous Integration) stages; • ability to run natively across any public cloud, private cloud, hybrid cloud, or on-premises environment; • ability to enable collaboration between developers, IT operations, and security teams; • ability to reduce handoffs, friction, and switching costs across different stages of the DevSecOps lifecycle; • ability to reduce software development times to release better software faster; • ability to consolidate multiple tools into a single platform; • ability to eliminate manual integrations that are costly and time-effective to maintain; • ability to provide a seamless, consistent, and single user experience through one user interface; • ability to deliver a large, engaging community of open source contributors; • performance, scalability, and reliability; • ability to implement more differentiated security and governance; • quality of service and overall customer satisfaction; and • strong documentation and transparency of information.

The DevOps Platform is designed in a way that enables our customers to move their DevOps workflow across any hybrid or multi-cloud environment while maintaining full feature parity and a single application experience. The DevOps Platform is purpose-built to address every stage of the DevOps lifecycle: • Manage.

The DevSecOps Platform is designed in a way that enables our customers to move their DevOps workflow across any hybrid or multi-cloud environment while maintaining full feature parity and a single application experience. The DevSecOps Platform is purpose-built to address every stage of the software development and delivery DevSecOps lifecycle: • Manage.

The DevOps Platform enables businesses to shorten their cycle times to meet the growing business demand to deliver new capabilities and increase responsiveness to change.

The DevSecOps Platform enables businesses to shorten their cycle times to meet the growing business demand to deliver new capabilities and increase responsiveness to change.

As customers realize the benefits of a single application they typically increase their spend with us by adding more users or purchasing higher tiered plans. As a result, for fiscal 2022 and fiscal 2021, our Dollar-Based Net Retention Rate was above 152% and above 145%, respectively.

As customers realize the benefits of a single application, they typically increase their spend with us by adding more users or purchasing higher tiered plans. As a result, for fiscal 2023 and fiscal 2022, our Dollar-Based Net Retention Rate was above 130% and above 152%, respectively.

Our growth strategies include: • Advance our feature maturity across more stages of the DevOps lifecycle. We intend to continue making investments in research and development and hiring top technical talent to mature our features in more stages of the DevOps lifecycle.

Our growth strategies include: • Advance our feature maturity across more stages of the DevSecOps lifecycle. We intend to continue making strategic investments in research and development and hiring top technical talent to mature our features in more stages of the DevSecOps lifecycle.

This helps to deliver outsized productivity gains, helping our customers increase their revenue and generate greater profits. • Reduce costs by enhancing productivity, consolidating point tools, and eliminating integrations. The DevOps Platform fulfills the functionality of multiple point products, enabling organizations to consolidate the number of tools they use.

This helps to deliver outsized productivity gains, helping our customers increase their revenue, and generate greater profits. • Reduce costs by enhancing productivity, consolidating point tools, and eliminating integrations. The DevSecOps Platform fulfills the functionality of multiple point products, enabling teams to consolidate the number of tools they use.

This has also been a big contribution to enabling us to release a new version of our software for 124 months in a row and counting as of January 31, 2022. We believe our open source approach helps us acquire, retain, and grow our paying customer base.

This has also been a big contribution to enabling us to release a new version of our software for 136 months in a row and counting as of January 31, 2023. We believe our open source approach helps us acquire, retain, and grow our paying customer base.

From an end user standpoint, our single application strategy provides one consistent user interface across all stages of the DevOps lifecycle. We see this result in a manifold reduction in lifecycle time for software development teams. For integrators, GitLab has a single API to write integrations against, as opposed to a fragmented tool chain.

From an end user standpoint, our single application strategy provides one consistent user interface across all stages of the DevSecOps lifecycle. We see this result in a manifold reduction in lifecycle time for software development teams. For integrators, GitLab has a single application programming interface (“API”) to write integrations against, as opposed to a fragmented tool chain.

To create software, organizations require collaborative planning from disparate groups, each with shared and unique objectives. Planning together in the same system in which all of the work will take place enables faster and more efficient work in all other stages of The DevOps Platform.

To create software, teams require collaborative planning from disparate groups, each with shared and unique objectives. Planning together in the same system in which all of the work will take place enables faster and more efficient work in all other stages of The DevSecOps Platform.

Human Capital Our Unique Culture and Values Our success is driven by our culture. We believe that our values and culture are a competitive advantage within our industry, and we will continue to invest time and resources in building our culture to drive superior business results.

They benefit from the advanced innovation that comes from distributed development, the documentation, best practices, and knowledge sharing across our community, as well as the engagement of making their own contributions back to our codebase. The DevOps Platform and Plans We offer The DevOps Platform in three different subscription plans: Free, Premium and Ultimate.

Our customers benefit from the advanced innovation that comes from distributed development, the documentation, best practices, and knowledge sharing across our community, as well as the engagement of making their own contributions back to our codebase. The DevSecOps Platform and Plans We offer The DevSecOps Platform in three different subscription tiers: Free, Premium and Ultimate.

Helps teams organize multiple projects into a single collaborative portfolio, track important events across the DevOps lifecycle, measure using key performance indicators how the organization is adopting and performing with DevOps, audit activity and permissions across stages to ensure compliance while simplifying audit, and optimize and analyze the flow of work through the full DevOps value stream. 7 Table of Contents • Plan.

GitLab helps teams organize multiple projects into a single collaborative portfolio, track important events across the DevSecOps lifecycle, measure using key performance indicators how the organization is adopting and performing with DevSecOps, audit activity and permissions across stages to ensure compliance while simplifying audit, and optimize and analyze the flow of work through the full DevSecOps value stream. • Plan.

We believe that the open core model creates more value than it captures, and our ability to execute on our strategy far exceeds the abilities of our competitors. • We do the smallest thing possible and get it out as quickly as we can.

We believe that our transparency creates more value than it captures, and our ability to execute on our strategy far exceeds the abilities of our competitors. • We do the smallest thing possible and get it out as quickly as we can.

Our research and development team consists of our architects, software engineers, security experts, DevOps engineers, product management, quality assurance, and data collection teams. We intend to continue to invest in our research and development capabilities to extend The DevOps Platform and products.

Our research and development team consists of our architects, software engineers, security experts, DevSecOps engineers, product management, user experience, quality assurance, and data collection teams. We intend to continue to invest in our research and development capabilities to extend The DevSecOps Platform and products.

We publicly share information, including our strategy and objectives, in written form to encourage innovation and trust amongst our team 12 Table of Contents members, customers, and the wider open source community. Our process of being public by default reduces the threshold to contribution and makes collaboration easier.

We publicly share non-sensitive information, including our strategy and objectives, in written form to encourage innovation and trust amongst our team members, customers, and the wider open source community. Our process of being public by default reduces the threshold to contribution and makes collaboration easier.

This single codebase, unified data model, user permissioning, and interface can centralize and unify every 8 Table of Contents aspect of our customers’ DevOps lifecycle to streamline workflows and processes, and enhance overall productivity and efficiency. • Enhanced innovation and revenue growth due to faster time to market.

This single codebase, unified data model, user permissioning, and interface can centralize and unify every aspect of our customers’ DevSecOps lifecycle to streamline workflows and processes, and enhance overall productivity and efficiency. • Enhanced innovation and revenue growth due to faster time to market.

As of January 31, 2022, we had three trademark registrations in the United States, including registrations for “GITLAB” and our logo. We also had 11 trademark registrations and applications in certain other jurisdictions and regions. Additionally, we are the registered holder of a number of domain names, including gitlab.com. We are dedicated to open source software.

As of January 31, 2023, we had ten trademark registrations and applications in the United States, including for “GITLAB” and our logo. We also had 21 trademark registrations and applications in certain other jurisdictions and regions. Additionally, we are the registered holder of a number of domain names, including gitlab.com. We are dedicated to open source software.

As organizations move more workloads to the cloud and consume technology as a service, we believe our SaaS offering will continue to grow at a faster rate than our self-managed offering.

As teams move more workloads to the cloud a nd consume technology as a service, we believe our SaaS offering will continue to grow at a faster rate than our self-managed offering.

We will also continue to invest in building out our partnerships to deliver 11 Table of Contents transformation services to help our enterprise customers accelerate the deployment of The DevOps Platform. • Expand our global footprint. We believe there is significant opportunity to continue to expand internationally.

We will also continue to invest in building out our partnerships to deliver transformation services to help our enterprise customers accelerate the deployment of The DevSecOps Platform. • Expand our global footprint. We believe there is significant opportunity to continue to expand internationally.

We believe our customer growth is best represented by the number of our Base Customers, which increased to 4,593 as of January 31, 2022 from 2,745 as of January 31, 2021. In 2019, we began to invest more heavily in our enterprise sales motion and have had strong success in attracting, retaining, and growing ARR from our larger customers.

We believe that our customer growth is best represented by the number of our Base Customers, which increased to 7,002 as of January 31, 2023 from 4,593 as of January 31, 2022. In 2019, we began to invest more heavily in our enterprise sales motion and have had strong success in attracting, retaining, and growing ARR from our larger customers.

We generally enter into confidentiality agreements and invention or work product assignment agreements with our officers, team members, agents, contractors, and business partners to control access to, and clarify ownership of, our proprietary information. As of January 31, 2022, we ha d five issued patents and two pending patent applications in the United States and abroad.

We generally enter into confidentiality agreements and invention or work product assignment agreements with our officers, team members, agents, contractors, and business partners to control access to, and clarify ownership of, our proprietary information. As of January 31, 2023, we had five issued patents and four pending patent applications in the United States and abroad.

We believe we are in material compliance with such laws and regulations and do not expect continued compliance to have a material impact on our capital expenditures, earnings, or competitive position.

We believe that we are in material compliance with such laws and regulations and do not expect continued compliance to have a material impact on our capital 17 Table of Contents expenditures, earnings, or competitive position.

No customer represented more tha n 10% of our revenue in fiscal 2022 or fiscal 2021. Sales and Marketing Our go-to-market strategy spans a self-service buying experience, high velocity inside sales, and a dedicated outbound enterprise sales team. We segment our sales organization by size and region, with an additional vertical focus on the public sector.

No individual customer represented more than 10% of our revenue in fiscal 2023 or fiscal 2022. 15 Table of Contents Sales and Marketing Our go-to-market strategy spans a self-service buying experience, high velocity inside sales, and a dedicated outbound enterprise sales team. We segment our sales organization by size and region, with an additional vertical focus on the public sector.

By adopting this approach we are able to work with a greater sense of speed and efficiency, getting more done in less time. Team Members Our mission is to create a world where everyone can contribute.

By adopting this approach, we are able to work with a greater sense of speed and efficiency, getting more done in less time. Team Members Our mission is to make it so everyone can contribute.

Beyond this legacy approach of DIY DevOps, our principal competitor is Microsoft Corporation following their acquisition of GitHub. There are also a number of other private and public companies whose products address only a portion of the DevOps lifecycle and/or are cobbled together from several point solutions. These are essentially third-party DIY DevOps and are not a single application.

Beyond this legacy approach of DIY DevOps, our principal competitor is Microsoft Corporation following their acquisition of GitHub. There are also a number of other private and public companies whose products address only a portion of the DevSecOps lifecycle and/or are cobbled together from several point solutions.

To further this mission, in September 2021, our board of directors approved the reservation of up to 1,635,545 shares of Class A common stock for the issuance to charitable organizations, to be further designated by our board of directors.

This iterative approach has enabled us to release a new version of our software on the 22 nd day of every month for 124 months in a row as of January 31, 2022. This is also due in part to our over 2,900 contributors in our global, open source community as of January 31, 2022.

This iterative approach has enabled us to release a new version of our software on the 22 nd day of every month for 136 months in a row as of January 31, 2023. This is also due in part to our over 3,500 contributors in our global open source community as of January 31, 2023.

Available Information We file electronically with the SEC our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act.

Available Information 18 Table of Contents We file electronically with the Securities and Exchange Commission, or the SEC, our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended.

Based on a 2020 study conducted by Forrester Consulting, commissioned by us of a limited number of our customers, the cost savings and business benefits achievable by deploying The DevOps Platform to revenue-generating applications can enable customers to deliver a 407% return on investment within three years of deployment. • Embrace the benefits of a portable workload and multi-cloud strategy.

Based on a 2022 study conducted by Forrester Consulting, commissioned by us and covering a limited number of our customers, the cost savings and business benefits achievable by deploying The DevSecOps Platform to revenue-generating applications can enable customers to deliver a 427% r eturn on investment within three years of deployment. • Embrace the benefits of a portable workload and multi-cloud strategy.

We will make available on our website at https://about.gitlab.com, free of charge, copies of these reports and other information as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC.

The SEC maintains a website at www.sec.gov that contains reports, proxy and information statements and other information that we file with the SEC electronically. We make available on our website at https://about.gitlab.com, free of charge, copies of these reports and other information as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC.

For example, in fiscal 2022, we have invested a significant portion of our human capital costs focused on development into the Secure, Manage, and Plan phases. Our recent acquisition of Opstrace, Inc. in fiscal 2022 demonstrates our aim to deliver functionality in our monitor stage, leveraging the entire DevOps Platform to provide advanced observability.

For example, in fiscal 2023, we have invested a significant portion of our human capital on development into the Secure, Govern, and Plan stages. Our acquisition of Opstrace, Inc. in fiscal 2022 demonstrates our aim to deliver functionality in our Monitor stage, leveraging the entire DevSecOps Platform to provide advanced observability.

Companies tried to remedy this fragmentation and inefficiency by manually integrating these DevOps point solutions together defining the next phase: “DIY DevOps.” 5 Table of Contents At the same time, the faster delivery of software required more DevOps tools per project. Increased adoption of a microservice architecture led to more projects.

Teams tried to remedy this fragmentation and inefficiency by manually integrating these DevOps point solutions together defining the next phase: “Do-It-Yourself (or DIY) DevOps.” At the same time, the faster delivery of software required more DevOps tools per project. Increased adoption of a microservice architecture led to more projects.

We have been a 100% remote workforce since inception and, as of January 31, 2022 , had approximately 1,630 team members in over 68 countries. Operating remotely allows us access to a global talent pool that enables us to hire talented team members, regardless of location, providing a strong competitive advantage.

We have been a 100% remote workforce since inception and, as of January 31, 2023 , had approximately 2,170 team members in over 65 cou ntries. Operating remotely allows us access to a global talent pool that enables us to hire talented team members, regardless of location, providing a strong competitive advantage.

As of January 31, 2022, more than 2,900 individuals have contributed to The DevOps Platform and since April 30, 2019 community contributions have averaged more than 200 per month. Because people outside of our organization can read our code, users can contribute to identifying and solving issues, which accelerates the time we can release new software to market.

As of January 31, 2023, more than 3,500 individuals have contributed to The DevSecOps Platform and since April 30, 2019, merge code contributions have averaged more than 250 per month. Because people outside of our organization can read our code, users can contribute to identifying and solving issues, which accelerates the time we can release new software to market.

Further, during these same periods we grew our $1.0 million ARR customers to 39 from 20, an increase of 95%. We have key reference customers across a breadth of industry verticals that we believe validate The DevOps Platform, and our customers range from small and medium-sized organizations to Fortune 500 companies.

Further, during the same period, we grew our $1.0 million ARR customers to 63 from 39, an increase of 62%. We have key reference customers across a breadth of industry verticals that we believe validate The DevSecOps Platform, and our customers range from small and medium-sized teams to Fortune 500 companies.

Our cohort of customers generating $1.0 million or more in ARR grew to 39 as of January 31, 2022 from 20 as of January 31, 2021. Our business has experienced rapid growth. We generated revenue of $252.7 million and $152.2 million in fiscal 2022 and 2021, respectively, representing growth of 66%.

Our cohort of customers generating $1.0 million or more in ARR grew to 63 as of January 31, 2023 from 39 as of January 31, 2022. Our business has experienced rapid growth. We generated revenue of $424.3 million and $252.7 million in fiscal 2023 and 2022 , respectively, representing growth of 68%.

Our operating cash flow margin, which we define as operating cash flows as a percentage of revenue, was (19.7)% and (48.4)% for fiscal 2022 and fiscal 2021, respectively. Our gross profit was 88% for each of fiscal 2022 and fiscal 2021.

Our operating cash flow margin, which we define as operating cash flows as a percentage of revenue, 7 Table of Contents was (18.2)% and (19.7)% for fiscal 2023 and fiscal 2022 , respectively. Our gross profit margin was 88% for each of fiscal 2023 and fiscal 2022.

Corporate Philanthropy As part of our mission to create a world where everyone can contribute, we believe it is important to support organizations that can further this goal at local and global levels.

Corporate Philanthropy As part of our mission to make it so everyone can contribute, we believe that it is important to support teams that can further this goal at local and global levels.

We grew our international revenue to $41.1 million for fiscal 2022 from $26.2 million for fiscal 2021, representing an increase of 57%. We intend to grow our international revenue by increasing our investments in our international sales and marketing operations including headcount in the EMEA and APAC regions.

We grew our international revenue to $71.4 million for fiscal 2023 from $41.1 million for fiscal 2022, representing an increase of 73%. We intend to grow our international revenue by increasing our investments strategically in our internatio nal sales and marketing operations, including headcount in the EMEA and APAC regions.

We are a remote-only company, meaning that all of our team members work remotely. Due to this, we do not currently have a principal executive office. Our website address is https://about.gitlab.com. The information 18 Table of Contents contained on, or that can be accessed through, our website is not a part of this prospectus.

We are a remote-only company, meaning that all of our team members work remotely. Due to this, we do not currently have a headquarters. Our website address is https://about.gitlab.com. The information contained on, or that can be accessed through, our website is not a part of this Annual Report on Form 10-K.

Our all-remote culture helps us to practice our values. We believe we were the largest all-remote company in the world prior to the COVID-19 pandemic and as a result we are able to recruit from a wider, more diverse, and more uniquely skilled pool of talent across the world.

Our all-remote culture helps us to practice our values. As an all-remote company, we are able to recruit from a wider, more diverse, and more uniquely skilled pool of talent across the world.

… 89 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

199 edited+66 added−53 removed304 unchanged

2022 filing

2023 filing

Biggest changeOur customer expansions and renewals may decline or fluctuate as a result of a number of factors, including: quality of our sales efforts customer usage, customer satisfaction with our services and customer support, our prices, the prices of competing services, mergers and acquisitions affecting our customer base, the effects of global economic conditions, or reductions in our customers’ spending levels generally.

Biggest changeOur customer expansions and renewals may decline or fluctuate, and conversely, contractions and downtiers may increase, or fluctuate, as a result of a number of factors, including: quality of our sales efforts, customer usage, customer satisfaction with our services and customer support, our prices (including price increases for our Premium tier that we announced in the first quarter of fiscal year 2024 and which are generally effective in the same fiscal quarter depending on whether it is a new or existing customer), the prices of competing services, mergers and acquisitions affecting our customer base, the effects of global economic conditions, including increased interest rates and inflation, or reductions in our customers’ spending levels generally (including, our customers that have or may have to downsize their operations or headcount).

As a result, our losses in future periods may be significantly greater than the losses we would incur if we developed our business more slowly. In addition, we may find that these efforts require greater investment of time, human and capital resources than we currently anticipate and/or that they may not result in increases in our revenues or billings.

As a result, our losses in future periods may be significantly greater than the losses we would incur if we developed our business more slowly. In addition, we may find that these efforts require greater investment of time and human and capital resources than we currently anticipate and/or that they may not result in increases in our revenues or billings.

We also issue equity to a substantial portion of our team members, including team members engaged through PEOs and independent contractors, and must ensure we remain compliant with securities laws of the applicable jurisdiction where such team members are located. Additionally, in some cases, we contract directly with team members who are independent contractors.

We also issue equity to a substantial portion of our team members, including team members engaged through PEOs and to independent contractors, and must ensure we remain compliant with securities laws of the applicable jurisdiction where such team members are located. Additionally, in some cases, we contract directly with team members who are independent contractors.

Among other things, our restated certificate of incorporation and restated bylaws include provisions that: • provide that our board of directors is classified into three classes of directors with staggered three-year terms; • permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships; • require supermajority voting to amend some provisions in our restated certificate of incorporation and restated bylaws; • authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan; • provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders; • eliminate the ability of our stockholders to call special meetings of stockholders; • do not provide for cumulative voting; • provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders; • provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including 57 Table of Contents the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets; • prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders; • provide that our board of directors is expressly authorized to make, alter, or repeal our restated bylaws; and • establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.

Among other things, our restated certificate of incorporation and amended and restated bylaws include provisions that: • provide that our board of directors is classified into three classes of directors with staggered three-year terms; • permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships; • require supermajority voting to amend some provisions in our restated certificate of incorporation and amended and restated bylaws; • authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan; • provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders; • eliminate the ability of our stockholders to call special meetings of stockholders; • do not provide for cumulative voting; 58 Table of Contents • provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders; • provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets; • prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders; • provide that our board of directors is expressly authorized to make, alter, or repeal our amended and restated bylaws; and • establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.

The various claims in such lawsuits may include, among other things, negligence or misconduct in the operation of our business and provision of services, intellectual property infringement, unfair competition, or violation of employment or privacy laws or regulations. Such suits may seek, as applicable, direct, indirect, consequential, punitive or other penalties or damages, injunctive relief, and/or attorneys’ fees.

The various claims in such lawsuits may include, among other things, negligence or misconduct in the operation of our business and provision of services, intellectual property infringement, unfair competition, or violation of employment or privacy laws or regulations. Such suits may seek, as applicable, direct, indirect, consequential, punitive or other penalties or monetary damages, injunctive relief, and/or attorneys’ fees.

We rely on vendors to handle PCI-DSS matters and to ensure PCI-DSS compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCIDSS based on past, present, and future business practices. Our actual or perceived failure to comply with the PCI-DSS can subject us to fines, termination of banking relationships, and increased transaction fees.

We rely on vendors to handle PCI-DSS matters and to ensure PCI-DSS compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI-DSS based on past, present, and future business practices. Our actual or perceived failure to comply with the PCI-DSS can subject us to fines, termination of banking relationships, and increased transaction fees.

Additional risks we may face in connection with acquisitions include: • diversion of management time and focus from operating our business to addressing acquisition integration challenges; • coordination of research and development and sales and marketing functions; • integration of product and service offerings; • retention of key team members from the acquired company; • changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition; • integration of customers from the acquired company; • cultural challenges associated with integrating team members from the acquired company into our organization; • integration of the acquired company’s accounting, management information, human resources and other administrative systems; • the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies; • additional legal, regulatory or compliance requirements; • financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we do not adequately address and that cause our reported results to be incorrect; • liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities; • unanticipated write-offs or charges; and • litigation or other claims in connection with the acquired company, including claims from terminated team members, customers, former stockholders or other third parties.

Additional risks we may face in connection with acquisitions include: • diversion of management time and focus from operating our business to addressing acquisition integration challenges; 52 Table of Contents • coordination of research and development and sales and marketing functions; • integration of product and service offerings; • retention of key team members from the acquired company; • changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition; • integration of customers from the acquired company; • cultural challenges associated with integrating team members from the acquired company into our organization; • integration of the acquired company’s accounting, management information, human resources and other administrative systems; • the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies; • additional legal, regulatory or compliance requirements; • financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we do not adequately address and that cause our reported results to be incorrect; • liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities; • unanticipated write-offs or charges; and • litigation or other claims in connection with the acquired company, including claims from terminated team members, customers, former stockholders or other third parties.

Our restated certificate of incorporation and restated bylaws provide that the federal district courts of the United States will, to the fullest extent permitted by law, be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act, such provision, the Federal Forum Provision.

Our restated certificate of incorporation and amended and restated bylaws provide that the federal district courts of the United States will, to the fullest extent permitted by law, be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act, such provision, the Federal Forum Provision.

There are significant costs and risks inherent in conducting business in international markets, including: • establishing and maintaining effective controls at foreign locations and the associated increased costs; 46 Table of Contents • adapting our technologies, products, and services to non-U.S. consumers’ preferences and customs; • increased competition from local providers; • compliance with foreign laws and regulations; • adapting to doing business in other languages and/or cultures; • compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations; • compliance with anti-bribery laws, such as the FCPA and the U.K.

There are significant costs and risks inherent in conducting business in international markets, including: • establishing and maintaining effective controls at foreign locations and the associated increased costs; • adapting our technologies, products, and services to non-U.S. consumers’ preferences and customs; 47 Table of Contents • increased competition from local providers; • compliance with foreign laws and regulations; • adapting to doing business in other languages and/or cultures; • compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations; • compliance with anti-bribery laws, such as the FCPA and the U.K.

We rely to a significant degree on a number of independent open source contributors, to develop and enhance the open source technologies we use to provide our products and services. In our development process we rely upon numerous open source software programs which are outside of our direct control.

We rely to a significant degree on a number of independent open source contributors, to develop and enhance the open source technologies we use to provide our products and services. In our development process we rely upon numerous open core software programs which are outside of our direct control.

We believe that our ability to compete depends upon many factors both within and beyond our control, including the following: • ability of our products or of those of our competitors to deliver the positive business outcomes prioritized and valued by our customers and prospects; • our ability to price our products competitively, including our ability to transition users of our free product offering to a paying version of The DevOps Platform; • the amount and quality of communications, postings, and sharing by our users on public forums, which can promote improvements on The DevOps Platform but may also lead to disclosure of commercially sensitive details; • the timing and market acceptance of services, including the developments and enhancements to those services offered by us or our competitors; • our ability to monetize activity on our services; • customer service and support efforts; • sales and marketing efforts; • ease of use, performance and reliability of solutions developed either by us or our competitors; • our ability to manage our operations in a cost effective manner; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our product offering; 22 Table of Contents • our reputation and brand strength relative to our competitors; • introduction of new technologies or standards that compete with or are unable to be adopted in our products; • ability to attract new team members or retain existing team members which could affect our ability to attract new customers, service existing customers, enhance our product or handle our business needs; • our ability to maintain and grow our community of users; and • the length and complexity of our sales cycles.

We believe that our ability to compete depends upon many factors both within and beyond our control, including the following: • the ability of our products or of those of our competitors to deliver the positive business outcomes prioritized and valued by our customers and prospects; • our ability to price our products competitively, including our ability to transition users of our free product offering to a paid version of The DevSecOps Platform; • the amount and quality of communications, postings, and sharing by our users on public forums, which can promote improvements on The DevSecOps Platform but may also lead to disclosure of commercially sensitive details; • the timing and market acceptance of services, including the developments and enhancements to those services offered by us or our competitors; • our ability to monetize activity on our services; • customer service and support efforts; • sales and marketing efforts; 22 Table of Contents • ease of use, performance and reliability of solutions developed either by us or our competitors; • our ability to manage our operations in a cost effective manner; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our product offering; • our reputation and brand strength relative to our competitors; • introduction of new technologies or standards that compete with or are unable to be adopted in our products; • ability to attract new team members or retain existing team members which could affect our ability to attract new customers, service existing customers, enhance our product or handle our business needs; • our ability to maintain and grow our community of users; and • the length and complexity of our sales cycles.

We intend to invest resources to comply with evolving laws, regulations and standards, and this investment will result in increased general and administrative expenses and may divert management’s time and attention from our other business activities.

We intend to continue to invest resources to comply with evolving laws, regulations and standards, and this investment will result in increased general and administrative expenses and may divert management’s time and attention from our other business activities.

GDPR impose stringent data protection requirements and, where we are acting as a controller, includes requirements to: provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrate that an appropriate legal basis is in place or otherwise exists to justify data processing activities; grant rights for data subjects in regard to their personal data including the right to be “forgotten,” the right to data portability and data subject access requests; notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; define pseudonymized (key-coded) data; limit the retention of personal data; maintain a record of data processing; and comply with 37 Table of Contents the principle of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit.

GDPR impose stringent data protection requirements and, where we are acting as a controller, includes requirements to: provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrate that an appropriate legal basis is in place or otherwise exists to justify data processing activities; grant rights for data subjects in regard to their personal data including the right to be “forgotten,” the right to data portability and data subject access requests; notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; define pseudonymized (key-coded) data; limit the retention of personal data; maintain a record of data processing; and comply with the principle of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit.

Provisions in our restated certificate of incorporation and restated bylaws may have the effect of delaying or preventing a merger, acquisition or other change of control of our company that our stockholders may consider favorable.

Provisions in our restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a merger, acquisition or other change of control of our company that our stockholders may consider favorable.

We also expect our operating and other expenses to increase in the foreseeable future as we continue to invest in our future growth, including expanding our research and development function to drive further development of The DevOps Platform, expanding our sales and marketing activities, developing the functionality to expand into adjacent markets, and reaching customers in new geographic locations, which will negatively affect our operating results if our total revenue does not increase.

We also expect our operating and other expenses to increase in the foreseeable future as we continue to invest in our future growth, including expanding our research and development function to drive further development of The DevSecOps Platform, expanding our sales and marketing activities, developing the functionality to expand into adjacent markets, and reaching customers in new geographic locations, which will negatively affect our operating results if our total revenue does not increase.

The market for our services is new and unproven and may not grow, which would adversely affect our future results and the trading price of our Class A common stock.

The market for our services is relatively new and unproven and may not grow, which would adversely affect our future results and the trading price of our Class A common stock.

As a public company, we will bear all of the internal and external costs of preparing and distributing periodic public reports in compliance with our obligations under the securities laws.

As a public company, we bear all of the internal and external costs of preparing and distributing periodic public reports in compliance with our obligations under the securities laws.

Any security breach of The DevOps Platform, our operational systems, physical facilities, or the systems of our third-party processors, or the perception that a breach has occurred, could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, compulsory audits, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management’s attention, and other liabilities and damage to our business.

Any security breach of The DevSecOps Platform, our operational systems, physical facilities, or the systems of our third-party processors, or the perception that a breach has occurred, could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, compulsory audits, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management’s attention, and other liabilities and damage to our business.

Security incidents compromising the confidentiality, integrity, and availability of our confidential or personal information and our and our third-party service providers’ information technology systems could result from cyber-attacks, including denial-of-service attacks, ransomware attacks, business email compromises, computer malware, viruses, and social engineering (including phishing), which are prevalent in our industry and our customers’ industries.

Security incidents compromising the confidentiality, integrity, and availability of our confidential or personal information and our third-party service providers’ information technology systems could result from cyber-attacks, including denial-of-service attacks, web scraping, ransomware attacks, business email compromises, computer malware, viruses, and social engineering (including phishing), which are prevalent in our industry and our customers’ industries.

Unauthorized access to The DevOps Platform, systems, networks, or physical facilities could result in litigation with our customers, our customers’ end-users, or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management’s time and attention, increase our costs of doing business, or adversely affect our reputation.

Unauthorized access to The DevSecOps Platform, systems, networks, or physical facilities could result in litigation with our customers, our customers’ end-users, or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management’s time and attention, increase our costs of doing business, or adversely affect our reputation.

If a security breach were to occur, and the confidentiality, integrity or availability of our data or the data of our partners, our customers or our customers’ end-users was disrupted, we could incur significant liability, or The DevOps Platform, systems, or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation.

If a security breach were to occur, and the confidentiality, integrity or availability of our data or the data of our partners, our customers or our customers’ end-users was disrupted, we could incur significant liability, or The DevSecOps Platform, systems, or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation.

If we fail to detect or remediate a security breach in a timely manner, or a breach otherwise affects a large amount of data of one or more customers, or if we suffer a cyber-attack that impacts our ability to operate The DevOps Platform, we may suffer material damage to our reputation, business, financial condition, and results of operations.

If we fail to detect or remediate a security breach in a timely manner, or a breach otherwise affects a large amount of data of one or more customers, or if we suffer a cyber-attack that impacts our ability to operate The DevSecOps Platform, we may suffer material damage to our reputation, business, financial condition, and results of operations.

In addition, all channel partners must be trained to distribute The DevOps Platform. In order to develop and expand our distribution channel, we must develop and improve our processes for channel partner introduction and training. If we do not succeed in identifying suitable indirect sales channel partners, our business, operating results, and financial condition may be adversely affected.

In addition, all channel partners must be trained to distribute The DevSecOps Platform. In order to develop and expand our distribution channel, we must develop and improve our processes for channel partner introduction and training. If we do not succeed in identifying suitable indirect sales channel partners, our business, operating results, and financial condition may be adversely affected.

Many factors may contribute to this decline, including changes to technology, increased competition, slowing demand for The DevOps Platform, the maturation of our business, a failure by us to continue capitalizing on growth opportunities, our failure, for any reason, to continue to take advantage of growth opportunities and a global economic downturn, among others.

Many factors may contribute to this decline, including changes to technology, increased competition, slowing demand for The DevSecOps Platform, the maturation of our business, a failure by us to continue capitalizing on growth opportunities, our failure, for any reason, to continue to take advantage of growth opportunities and a global economic downturn, among others.

If we cannot adequately monitor the use of our technologies and products, or enforce our intellectual property rights in China or contractual restrictions relating to use of our intellectual property by Chinese companies, our revenue could be adversely affected. Our joint venture is subject to laws and regulations applicable to foreign investment in China.

If we cannot adequately monitor the use of our technologies and products, or enforce our intellectual property rights in China or contractual restrictions relating to use of our intellectual property by Chinese companies, our revenue from JiHu could be adversely affected. Our joint venture is subject to laws and regulations applicable to foreign investment in China.

Security and privacy breaches may hurt our business. The DevOps Platform processes, stores, and transmits our customers’ proprietary and sensitive data, including personal information, and financial data. We also use third-party service providers and sub-processors to help us deliver services to our customers and their end-users.

Security and privacy breaches may hurt our business. The DevSecOps Platform processes, stores, and transmits our customers’ proprietary and sensitive data, including personal information, and financial data. We also use third-party service providers and sub-processors to help us deliver services to our customers and their end-users.

If our, our customers’, or our partners’ security measures are breached as a result of third-party action, team member error, malfeasance or otherwise and, as a result, someone obtains unauthorized access to the GitLab application or data, including personal and/or confidential information of our customers, our reputation will be damaged, our business may suffer loss of current customers and future opportunities and we could incur significant financial liability including fines, cost of recovery, and costs related to remediation measures.

If our, our customers’, or our partners’ security measures are breached as a result of third-party action, team member error, misconfiguration, malfeasance (including bribery) or otherwise and, as a result, someone obtains unauthorized access to the GitLab application or data, including personal and/or confidential information of our customers, our reputation could be damaged, our business may suffer loss of current customers and future opportunities and we could incur significant financial liability including fines, cost of recovery, and costs related to remediation measures.

Our revenue growth may slow or our revenue may decline for a number of reasons, including reduced demand for The DevOps Platform, increased competition, an increased use of our free product offerings, a decrease in the growth or reduction in size of our overall market, or any inability on our part to capitalize on growth opportunities.

Our revenue growth may slow or our revenue may decline for a number of reasons, including reduced demand for The DevSecOps Platform, increased competition, an increased use of our free product offerings, a decrease in the growth or reduction in size of our overall market, or any inability on our part to capitalize on growth opportunities.

The DevOps Platform is built using open-source technology. Using or incorporating any third-party technology can become a vector for supply-chain cyber-attacks, denial-of-service attacks, ransomware attacks, business email compromises, computer malware, viruses, and social engineering (including phishing) attacks.

The DevSecOps Platform is built using open-source technology. Using or incorporating any third-party technology can become a vector for supply-chain cyber-attacks, denial-of-service attacks, ransomware attacks, business email compromises, computer malware, viruses, and social engineering (including phishing) attacks.

We have from time to time been, and are likely to in the future become, defendants in actual or threatened lawsuits brought by or on behalf of our current and former team members, competitors, governmental or regulatory bodies, or third parties who use The DevOps Platform.

As a result, we may need to engage in additional equity or debt financings to provide the funds required for these investments and other business endeavors. We may not be able to raise needed cash on terms acceptable to us or at all.

As a result, we may need to engage in additional equity or debt financings to provide the funds required for these investments and other business endeavors. If we need to engage in such additional equity or debt financings, we may not be able to raise needed cash on terms acceptable to us or at all.

To the extent we do identify such partners, we will need to negotiate the terms of a commercial agreement with them under which the partner would distribute The DevOps Platform. We cannot be certain that we will be able to negotiate commercially-attractive terms with any channel partner, if at all.

To the extent we do identify such partners, we will need to negotiate the terms of a commercial agreement with them under which the partner would distribute The DevSecOps Platform. We cannot be certain that we will be able to negotiate commercially-attractive terms with any channel partner, if at all.

If we or other software and SaaS providers experience security incidents, loss of customer data, or disruptions in delivery or service, the market for these applications as a whole, including The DevOps Platform and products, may be negatively affected.

If we or other software and SaaS providers experience security incidents, loss of customer data, or disruptions in delivery or service, the market for these applications as a whole, including The DevSecOps Platform and products, may be negatively affected.

If we are unable to find efficient ways to deploy our marketing spend or to hire, develop, and 30 Table of Contents retain talent in numbers required to maintain and support our growth, if our new sales talent are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective, our ability to increase our customer base and achieve broader market acceptance of our services could be harmed.

If we are unable to find efficient ways to deploy our marketing spend or to hire, develop, and retain talent in numbers required to maintain and support our growth, if our new sales talent are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective, our ability to increase our customer base and achieve broader market acceptance of our services could be harmed.

Accordingly, investors must for the for eseeable future rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Accordingly, investors must for the foreseeable future rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Additionally, the dramatic increase 59 Table of Contents in the cost of directors’ and officers’ liability insurance may cause us to opt for lower overall policy limits or to forgo insurance that we may otherwise rely on to cover significant defense costs, settlements, and damages awarded to plaintiffs. ITEM 1B. UNRESOLVED STAFF COMMENTS None.

Additionally, the dramatic increase in the cost of directors’ and officers’ liability insurance may cause us to opt for lower overall policy limits or 60 Table of Contents to forgo insurance that we may otherwise rely on to cover significant defense costs, settlements, and damages awarded to plaintiffs. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 2.

If a service provider fails to provide sufficient capacity to support our products, otherwise experiences service outages, or intentionally or unintentionally restricts or limits our ability to send, deliver, or receive electronic 32 Table of Contents communications or provide services, such failure could interrupt our customers’ access to our products, adversely affect their perception of our products’ reliability and reduce our revenues.

If a service provider fails to provide sufficient capacity to support our products, otherwise experiences service outages, or intentionally or unintentionally restricts or limits our ability to send, deliver, or receive electronic communications or provide services, such failure could interrupt our customers’ access to our products, adversely affect their perception of our products’ reliability and reduce our revenues.

If we incur more debt it would result in increased fixed obligations and could also subject us to covenants or other restrictions that would impede or may be beyond our ability to manage our operations. Additionally, we may receive indications of interest from other parties interested in acquiring some or all of our business.

If we incur more debt it would result in increased fixed obligations and could also subject us to covenants or 36 Table of Contents other restrictions that would impede or may be beyond our ability to manage our operations. Additionally, we may receive indications of interest from other parties interested in acquiring some or all of our business.

Any failure to increase our revenue or to manage our costs as we continue to grow and invest in our business would prevent us from achieving or maintaining profitability or 21 Table of Contents maintaining positive operating cash flow at all or on a consistent basis, which would cause our business, financial condition, and results of operations to suffer.

Any failure to increase our revenue or to manage our costs as we continue to grow and invest in our business would prevent us from achieving or maintaining profitability or achieving or maintaining positive operating cash flow at all or on a consistent basis, which would cause our business, financial condition, and results of operations to suffer.

Any defects in functionality or that cause interruptions in the availability of our products could result in: • loss or delayed market acceptance and sales; • breach of warranty claims; • sales credits or refunds for prepaid amounts related to unused subscription services; • loss of customers; • diversion of development and customer service resources; and • injury to our reputation.

Any defects in functionality or that cause interruptions in the availability of our products could result in: • loss or delayed market acceptance and sales; • loss of data; • breach of warranty claims; • sales credits or refunds for prepaid amounts related to unused subscription services; • loss of customers; • diversion of development and customer service resources; • loss of operational time; and • injury to our reputation.

We could be required to fundamentally change our business activities and practices or modify The DevOps Platform capabilities in response to such litigation, which could have an adverse effect on our business.

We could be required to fundamentally change our business activities and practices or modify The DevSecOps Platform capabilities in response to such litigation, which could have an adverse effect on our business.

Factors that could cause fluctuations in the market price of our Class A common stock include the following: • actual or anticipated changes or fluctuations in our operating results; • the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections; • announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments; • industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC; • rumors and market speculation involving us or other companies in our industry; • price and volume fluctuations in the overall stock market from time to time; • changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; • failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors; • actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally; • litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors; 54 Table of Contents • developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights; • announced or completed acquisitions of businesses or technologies by us or our competitors; • new laws or regulations or new interpretations of existing laws or regulations applicable to our business; • the impact of interest rate increases on the overall stock market and the market for technology company stocks; • any major changes in our management or our board of directors; • effects of public health crises, pandemics, and epidemics, such as the COVID-19 pandemic; • general economic conditions and slow or negative growth of our markets; and • other events or factors, including those resulting from war, incidents of terrorism or responses to these events, including those related to the recent and developing armed conflict in Ukraine.

Factors that could cause fluctuations in the market price of our Class A common stock include the following: • actual or anticipated changes or fluctuations in our operating results; • the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections; • announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments; • industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC; • rumors and market speculation involving us or other companies in our industry; • price and volume fluctuations in the overall stock market from time to time; 55 Table of Contents • changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; • failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors; • actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally; • litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors; • developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights; • announced or completed acquisitions of businesses or technologies by us or our competitors; • new laws or regulations or new interpretations of existing laws or regulations applicable to our business; • the impact of interest rate increases on the overall stock market and the market for technology company stocks; • any major changes in our management or our board of directors; • effects of public health crises, pandemics, and epidemics; • general economic conditions, changes in the capital markets generally, inflation and slow or negative growth of our markets; and • other events or factors, including those resulting from war, incidents of terrorism or responses to these events, including those related to the ongoing armed conflict in Ukraine.

We do not have an adequate history with our subscription or pricing models to accurately predict the long-term rate of customer subscription renewals or adoption, or the impact these renewals and adoption will have on our revenues or operating results. 29 Table of Contents We have limited experience with respect to determining the optimal prices for our services.

We do not have an adequate history with our subscription or pricing models to accurately predict the long-term rate of customer subscription renewals or adoption, or the impact these renewals and adoption will have on our revenues or operating results. We have limited experience with respect to determining the optimal prices for our services.

Any change in export or import laws or regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing export, import or sanctions laws or regulations, or change in the countries, governments, persons, or technologies targeted by such export, import or sanctions laws or regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential 41 Table of Contents end-customers with international operations.

Any impediments to preserving our corporate culture and fostering collaboration could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, and execute on our business strategy. Unfavorable media coverage could negatively impact our business. We receive a high degree of media coverage, including due to our commitment to transparency.

Any impediments to preserving our corporate culture and fostering 46 Table of Contents collaboration could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, and execute on our business strategy. Unfavorable media coverage could negatively impact our business. We receive a high degree of media coverage, including due to our commitment to transparency.

In addition to the anticipated costs to grow our business, we also expect to incur significant additional legal, accounting, and other expenses as a newly public company. These efforts and additional expenses may be more costly than we expect, and we cannot guarantee that we will be able to increase our revenue to offset our operating expenses.

In addition to the anticipated costs to grow our business, we also expect to continue to incur significant legal, accounting, and other expenses as a public company. These efforts and expenses may be more costly than we expect, and we cannot guarantee that we will be able to increase our revenue to offset our operating expenses.

As we continue to invest in infrastructure, develop our services and features, increase our headcount and expand our sales and marketing activity, we may continue to have losses in future periods and these may increase significantly.

As we continue to invest in infrastructure, develop our services and features, responsibly manage our headcount and expand our sales and marketing activity, we may continue to have losses in future periods and these may increase significantly.

Our ability to increase our customer base and achieve broader market adoption of The DevOps Platform will depend to a significant extent on our ability to continue to expand our sales and marketing operations.

Our ability to increase our customer base and achieve broader market adoption of The DevSecOps Platform will depend to a significant extent on our ability to continue to expand our sales and marketing operations.

If our growth rate declines, investors’ perceptions of our business and the market price of our Class A common stock could be adversely affected. 20 Table of Contents In addition, we expect to continue to expend substantial financial and other resources on: • expansion and enablement of our sales, services, and marketing organization to increase brand awareness and drive adoption of The DevOps Platform; • product development, including investments in our product development team and the development of new features and functionality for The DevOps Platform; • technology and sales channel partnerships; • international expansion; • acquisitions or strategic investments; and • general administration, including increased legal and accounting expenses associated with being a public company.

If our growth rate declines, investors’ perceptions of our business and the market price of our Class A common stock could be adversely affected. 20 Table of Contents In addition, we expect to continue to responsibly expend financial and other resources to align with our: • expansion and enablement of our sales, services, and marketing organization to increase brand awareness and drive adoption of The DevSecOps Platform; • product development, including investments in our product development team and the development of new features and functionality for The DevSecOps Platform; • technology and sales channel partnerships; • international expansion; • acquisitions or strategic investments; and • general administration, including increased legal and accounting expenses associated with being a public company.

Any security breach or disruption could result in the loss or destruction of or unauthorized access to, or use, alteration, disclosure, or acquisition of 25 Table of Contents confidential and personal information, which may result in damage to our reputation, early termination of our contracts, litigation, regulatory investigations or other liabilities.

Any security breach or disruption could result in the loss or destruction of or unauthorized access to, or use, alteration, disclosure, or acquisition of confidential and personal information, which may result in damage to our reputation, early termination of our contracts, litigation, regulatory investigations or other liabilities.

This could have an adverse effect on our business, operating re sults and financial condition. Sales of substantial amounts of our Class A common stock in the public markets, or the perception that they might occur, could cause the market price of our Class A common stock to decline.

This could have an adverse effect on our business, operating results and financial condition. Sales of substantial amounts of our Class A common stock in the public markets, or the perception that they might occur, could cause the market price of our Class A common stock to decline.

We track certain performance metrics with internal tools and data models and do not independently verify such metrics. Certain of our performance metrics are subject to inherent 33 Table of Contents challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and negatively affect our business.

We track certain performance metrics with internal tools and data models and do not independently verify such metrics. Certain of our performance metrics are subject to inherent challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and negatively affect our business.

If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities.

If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, limit the effectiveness of our marketing activities, divert the attention of our technology 39 Table of Contents personnel, adversely affect our margins, increase costs and subject us to additional liabilities.

Moreover, some customers may demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be required to reduce our prices or provide more features without corresponding increases in price, which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.

Moreover, some customers may demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be 26 Table of Contents required to reduce our prices or provide more features without corresponding increases in price, which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.

Alternatively, if a court were to find the choice of forum provisions contained in our restated certificate of incorporation or restated bylaws to be 58 Table of Contents inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, financial condition, and operating results.

Alternatively, if a court were to find the choice of forum provisions contained in our restated certificate of incorporation or amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, financial condition, and operating results.

Our risks are likely to increase as we continue to expand The DevOps Platform, grow our customer base, and process, store, and transmit increasingly large amounts of proprietary and sensitive data. We face heightened risk of security breaches because we use third-party open source technologies and incorporate a substantial amount of open source code in our products.

Our risks are likely to increase as we continue to expand The DevSecOps Platform, grow our customer base, and process, store, and transmit increasingly large amounts of proprietary and confidential data. We face heightened risk of security breaches because we use third-party open source technologies and incorporate a substantial amount of open source code in our products.

It is not possible to predict the outcome of any such lawsuits, individually or in the aggregate. However, these lawsuits may consume substantial amounts of our financial and managerial resources and might result in adverse publicity, regardless of the ultimate outcome of the lawsuits.

Litigation is inherently unpredictable, and it is not possible to predict the outcome of any such lawsuits, individually or in the aggregate. However, these lawsuits may consume substantial amounts of our financial and managerial resources and might result in adverse publicity, regardless of the ultimate outcome of the lawsuits.

The Chinese government exercises significant control over the Chinese economy, including but not limited to controlling capital investments, allocating resources, setting monetary policy, controlling and monitoring foreign exchange rates, implementing and overseeing tax regulations, providing preferential treatment to certain industry 47 Table of Contents segments or companies and issuing necessary licenses to conduct business.

The Chinese government exercises significant control over the Chinese economy, including but not limited to controlling capital investments, allocating resources, setting monetary policy, controlling and monitoring foreign exchange rates, implementing and overseeing tax regulations, providing preferential treatment to certain industry segments or companies and issuing necessary licenses to conduct business.

Further, as our SaaS offering makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins.

Further, as our SaaS offering 21 Table of Contents makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins.

The European Data Protection Board issued additional guidance regarding the CJEU’s decision in November 2020, which imposes higher burdens on the use of data transfer mechanisms, such as the Standard Contractual Clauses, for cross-border data transfers.

The European Data Protection Board issued additional guidance regarding the 38 Table of Contents CJEU’s decision in November 2020, which imposes higher burdens on the use of data transfer mechanisms, such as the Standard Contractual Clauses, for cross-border data transfers.

The length of our sales cycle, from initial contact from a prospective customer to contractually committing to our paid subscriptions can vary substantia lly from customer to customer based on deal complexity as well as whether a sale is made directly by us.

The length of our sales cycle, from initial contact from a prospective customer to contractually committing to our paid subscriptions can vary substantially from customer to customer based on deal complexity as well as whether a sale is made directly by us.

Our re stated certificate of incorporation and restated bylaws contain exclusive forum provisions for certain claims, which may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or team members.

Our restated certificate of incorporation and amended and restated bylaws contain exclusive forum provisions for certain claims, which may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or team members.

The dual class structure of our common stock will have t he effect of concentrating voting control with those stockholders who hold our Class B capital stock, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate 65.8% of the voting power of our capital stock, which will limit or preclude your ability to 55 Table of Contents influence corporate matters, including the election of directors and the approval of any change of control transaction.

The dual class structure of our common stock will have the effect of concentrating voting control with those stockholders who hold our Class B capital stock, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate 65.8% of the voting power of our capital stock, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.

Our failure to comply with the PIPL may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.

Our failure to comply with the PIPL may result in enforcement action against us, 40 Table of Contents including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.

If our partners do not effectively assist our government entity customers in deploying our products, succeed in helping our government entity customers quickly resolve post-deployment issues, or provide effective ongoing 42 Table of Contents support, our ability to sell additional products to new and existing government entity customers would be adversely affected and our reputation could be damaged.

If our partners do not effectively assist our government entity customers in deploying our products, succeed in helping our government entity customers quickly resolve post-deployment issues, or provide effective ongoing support, our ability to sell additional products to new and existing government entity customers would be adversely affected and our reputation could be damaged.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent contractors. In all locations where we utilize PEOs, we rely on those PEOs to comply with local employment laws and regulations.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent 45 Table of Contents contractors. In all locations where we utilize PEOs, we rely on those PEOs to comply with local employment laws and regulations.

Competition for highly skilled personnel in our industry is intense, and we may not be successful in hiring or retaining qualified personnel to fulfill our current or future needs. We have, from time to time, experienced, and we expect to continue to experience, difficulty in hiring and retaining highly skilled team 44 Table of Contents members with appropriate qualifications.

For example, in December 2017, the U.S. federal government enacted the tax reform legislation known as the Tax Cuts and Jobs Act, or the 2017 Tax Act.

In December 2017, the U.S. federal government enacted the tax reform legislation known as the Tax Cuts and Jobs Act, or the 2017 Tax Act.

Our restated certificate of incorporation provides that the Cour t of Chancery of the State of Delaware, to the fullest extent permitted by law, will be the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the DGCL, our restated certificate of incorporation, or our restated bylaws, or any action asserting a claim against us that is governed by the internal affairs doctrine.

Our restated certificate of incorporation provides that the Court of Chancery of the State of Delaware, to the fullest extent permitted by law, will be the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the DGCL, our restated certificate of incorporation, or our amended and restated bylaws, or any action asserting a claim against us that is governed by the internal affairs doctrine.

Our success depends on our ability to provide users of our products and services with access to an abundance of useful, efficient, high-quality code which in turn depends on the quality and volume of code contributed by our users.

While we do not have a corporate headquarters, we have team members around the world, and any such catastrophic event could occur in areas where signific ant portions of our team members are located.

While we do not have a corporate headquarters, we have team members around the world, and any such catastrophic event could occur in areas where significant portions of our team members are located.

We also cannot be certain that we will be able to maintain successful relationships with any channel partners and, to the extent that our channel partners are unsuccessful in selling our products, our ability to sell our products and our business, operating results, and financial condition could be adversely affected.

We also cannot be certain that we will be able to maintain successful relationships with any channel partners and, to the extent that our channel partners are unsuccessful in selling our products, our ability 33 Table of Contents to sell our products and our business, operating results, and financial condition could be adversely affected.

Delays in developing, completing, or delivering new or enhanced offerings could cause our offerings to be less competitive, impair customer acceptance of our offerings and result in delayed or reduced revenue for our offerings.

Delays in developing, completing, or delivering new or enhanced offerings 34 Table of Contents could cause our offerings to be less competitive, impair customer acceptance of our offerings and result in delayed or reduced revenue for our offerings.

The 39 Table of Contents CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase the likelihood of, and the risks associated with, security breach litigation.

The CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase the likelihood of, and the risks associated with, security breach litigation.

The DevOps market is characterized by rapid technological change, fluctuating price points, and frequent new product and service introductions.

The DevSecOps market is characterized by rapid technological change, fluctuating price points, and frequent new product and service introductions.

Additionally, if we are not able to address user concerns regarding the safety and security of our products and services or if we are unable to successfully prevent abusive or other hostile behavior on The DevOps Platform, the size of our user base and user engagement may decline.

Additionally, if we are not able to address user concerns regarding the safety and security of our products and services or if we are unable to successfully prevent abusive or other hostile behavior on The DevSecOps Platform, the size of our customer base and contributor engagement may decline.

In addition, we could face additional risks resulting from changes in China’s data privacy and cybersecurity requirements, including China’s recent adoption of the Personal Information Protection Law, or PIPL, which went into effect on November 1, 2021.

In addition, we could face additional risks resulting from changes in China’s data privacy and cybersecurity requirements, including China’s adoption of the Personal Information Protection Law, or PIPL, which went into effect on 48 Table of Contents November 1, 2021.

In addition, regulations and standards relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act, and the related rules and regulations implemented by the SEC, have 50 Table of Contents increased legal and financial compliance costs and will make some compliance activities more time consuming.

In addition, regulations and standards relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act, and the related rules and regulations implemented by the SEC, have increased legal and financial compliance costs and will make some compliance activities more time consuming.

Further, we have discontinued our starter and bronze tier product offerings, and users of these products will be required to upgrade to our paid offerings, switch to our free product or discontinue using our products.

Further, we have discontinued our starter and bronze tier product offerings, and users of these products will be required to switch to another paid offering, switch to our free product or discontinue using our products.

Costs and potential problems and interruptions associated with the implementation of new or upgraded systems and technology or with maintenance or adequate support of existing systems could disrupt or reduce the efficiency of our operations.

Costs and potential problems and interruptions associated with the implementation 32 Table of Contents of new or upgraded systems and technology or with maintenance or adequate support of existing systems could disrupt or reduce the efficiency of our operations.

… 238 more changes not shown on this page.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

3 edited+0 added−0 removed0 unchanged

2022 filing

2023 filing

Biggest changeITEM 3. LEGAL PROCEEDINGS We are, and from time to time, we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business.

Biggest changeITEM 3. LEGAL PROCEEDINGS We are, and from time to time we may become, involved in legal proceedings or be subject to claims arising in the ordinary course of our business. Defending such proceedings is costly and can impose a significant burden on management and team members.

The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors. ITEM 4. MINE SAFETY DISCLOSURES None. 60 Table of Contents PART II

We are not presently a party to any legal proceedings that in the opinion of our management, if determined adversely to us, would individually or taken together have a material adverse effect on our business, financial condition or operating results. Defending such proceedings is costly and can impose a significant burden on management and team members.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

4 edited+0 added−1 removed9 unchanged

2022 filing

2023 filing

Biggest changeIssuer Purchases of Equity Securities None. 61 Table of Contents Stock Performance Graph This performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act.

Biggest changeThis performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act. ITEM 6. [RESERVED] 63 Table of Contents

Any future determination regarding the declaration and payment of dividends, if any, will be at the discretion of our board of directors and will depend on then-existing conditions, including our financial condition, operating results, contractual restrictions, capital requirements, business prospects, and other factors our board of directors may deem relevant.

The graph below compares the cumulative total stockholder return on our Class A common stock from October 14, 2021 (the date our Class A common stock commenced trading on Nasdaq) through January 31, 2022 with the cumulative total return on the S&P 500 Index and the S&P 500 Information Technology Index.

Issuer Purchases of Equity Securities None. 62 Table of Contents Stock Performance Graph The graph below compares the cumulative total stockholder return on our Class A common stock from October 14, 2021 (the date our Class A common stock commenced trading on Nasdaq) through January 31, 2023 with the cumulative total return on the S&P 500 Index and the S&P 500 Information Technology Index.

Our Class B common stock is not listed or traded on any exchange. Holders of Record As of April 1, 2022, there wer e 42 holders of record of our Class A common stock and 187 holders o f record of our Class B common stock.

Our Class B common stock is not listed or traded on any exchange. Holders of Record As of March 20, 2023, there were 8 holders of record of our Class A common stock and 157 holders of record of our Class B common stock.

Removed

Recent Sales of Unregistered Equity Securities There have been no other sales of unregistered securities by the company in the quarter ended January 31, 2022.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

80 edited+36 added−82 removed14 unchanged

2022 filing

2023 filing

Biggest changeWe maintain a full valuation allowance in some jurisdictions against our deferred tax assets because we have concluded that it is more likely than not that the deferred tax assets will not be realized. 67 Table of Contents Results of Operations The following table sets forth our results of operations for the periods presented (in thousands): Fiscal Year Ended January 31, 2022 2021 2020 Revenue: Subscription—self-managed and SaaS $ 226,163 $ 132,763 $ 70,367 License—self-managed and other 26,490 19,413 10,860 Total revenue 252,653 152,176 81,227 Cost of revenue: (1) Subscription—self-managed and SaaS 23,668 14,453 6,467 License—self-managed and other 6,317 4,010 2,909 Total cost of revenue 29,985 18,463 9,376 Gross profit 222,668 133,713 71,851 Operating expenses: Sales and marketing (1) 190,754 154,086 99,225 Research and development (1) 97,217 106,643 59,364 General and administrative (1) 63,654 86,868 41,629 Total operating expenses 351,625 347,597 200,218 Loss from operations (128,957) (213,884) (128,367) Interest income 736 1,070 3,626 Other income (expense), net (30,850) 23,452 (4,800) Loss before income taxes (159,071) (189,362) (129,541) Provision for (benefit from) income taxes (1,511) 2,832 1,200 Net loss $ (157,560) $ (192,194) $ (130,741) Net loss attributable to noncontrolling interest (2) (2,422) — — Net loss attributable to GitLab $ (155,138) $ (192,194) $ (130,741) (1) Includes stock-based compensation expense as follows: Fiscal Year Ended January 31, 2022 2021 2020 (in thousands) Cost of revenue $ 1,300 $ 1,185 $ 365 Research and development 8,305 31,519 11,315 Sales and marketing 10,550 21,504 4,699 General and administrative 9,854 57,638 24,493 Total stock-based compensation expense $ 30,009 $ 111,846 $ 40,872 68 Table of Contents (2) Our consolidated financial statements include our v ariable interest entity, JiHu and majority owned subsidiary, Meltano Inc.

Biggest changeWe maintain a full valuation allowance against our deferred tax assets in certain jurisdictions because we have concluded that it is not more likely than not that the deferred tax assets will be realized. 68 Table of Contents Results of Operations The following table sets forth our results of operations for the periods presented (in thousands): Fiscal Year Ended January 31, 2023 2022 2021 Revenue: Subscription—self-managed and SaaS $ 369,349 $ 226,163 $ 132,763 License—self-managed and other 54,987 26,490 19,413 Total revenue 424,336 252,653 152,176 Cost of revenue: (1) Subscription—self-managed and SaaS 40,841 23,668 14,453 License—self-managed and other 10,839 6,317 4,010 Total cost of revenue 51,680 29,985 18,463 Gross profit 372,656 222,668 133,713 Operating expenses: Sales and marketing (1) 309,992 190,754 154,086 Research and development (1) 156,143 97,217 106,643 General and administrative (1) 117,932 63,654 86,868 Total operating expenses 584,067 351,625 347,597 Loss from operations (211,411) (128,957) (213,884) Interest income 14,496 736 1,070 Other income (expense), net (2) 21,585 (30,850) 23,452 Loss before income taxes and loss from equity method investment (175,330) (159,071) (189,362) Loss from equity method investment, net of tax (2,468) — — Provision for (benefit from) income taxes 2,898 (1,511) 2,832 Net loss $ (180,696) $ (157,560) $ (192,194) Net loss attributable to noncontrolling interest (3) (8,385) (2,422) — Net loss attributable to GitLab $ (172,311) $ (155,138) $ (192,194) (1) Includes stock-based compensation expense as follows: Fiscal Year Ended January 31, 2023 2022 2021 (in thousands) Cost of revenue $ 5,078 $ 1,300 $ 1,185 Research and development 36,325 8,305 31,519 Sales and marketing 48,001 10,550 21,504 General and administrative 33,163 9,854 57,638 Total stock-based compensation expense $ 122,567 $ 30,009 $ 111,846 69 Table of Contents (2) Includes $17.8 million gain for the year ended January 31, 2023 from the deconsolidation of Meltano Inc. in April 2022.

Since neither of these performance obligations are sold on a standalone basis, we estimate stand-alone selling price for each performance obligation using a model based on the “expected cost plus margin” approach and update the model on an annual basis or when facts and circumstances change.

Since neither of these performance obligations are sold on a standalone basis, we estimate the stand-alone selling price for each performance obligation using a model based on the “expected cost plus margin” approach and update the model on an annual basis or when facts and circumstances change.

We are currently unable to estimate the financial outcome of this examination due to its preliminary status. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of its provision for income taxes.

Our future capital requirements will depend on many factors, including our revenue growth rate, the timing and the amount of cash received from customers, the expansion of sales and marketing activities, the timing and extent of spending to support research and development efforts, the price at which we are able to procure third-party cloud infrastructure, expenses associated with our international expansion, the introduction of platform enhancements, and the continuing market adoption of The DevOps Platform.

We expect sales and marketing expenses to increase in absolute dollars as we continue to make significant investments in our sales and marketing organization to drive additional revenue, further penetrate the market, and expand our global customer base, but to decrease as a percentage of our total revenue over time, although our sales and marketing expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.

We expect sales and marketing expenses to increase in absolute dollars as we continue to make strategic investments in our sales and marketing organization to drive additional revenue, further penetrate the market, and expand our global customer base, but to decrease as a percentage of our total revenue over time, although our sales and marketing expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.

A single organization with separate subsidiaries, segments, or divisions that use The DevOps Platform is considered a single customer for determining each organization’s ARR. We do not count our reseller or distributor channel partners as customers. In cases where customers subscribe to The DevOps Platform through our channel partners, each end customer is counted separately.

A single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. We do not count our reseller or distributor channel partners as customers. In cases where customers subscribe to The DevSecOps Platform through our channel partners, each end customer is counted separately.

It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity. The DevSecOps Platform also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance.

Our share of the undistributed earnings of foreign corporations not included in our consolidated federal income tax returns that could be subject to additional U.S. income tax if remitted is immaterial. As of January 31, 2022, the amount of unrecognized U.S federal deferred income tax liability for undistributed earnings is immaterial.

Our share of the undistributed earnings of foreign corporations not included in our consolidated federal income tax returns that could be subject to additional U.S. income tax if remitted is immaterial. As of January 31, 2023 , the amount of unrecognized U.S federal deferred income tax liability for undistributed earnings is immaterial.

Our primary uses of cash from operating activities are for personnel-related expenses, sales and marketing expenses, third-party cloud infrastructure expenses, and overhead expenses. We have generated negative cash flows from operating activities and have supplemented working capital through net proceeds from the sale of equity securities.

Cash used in operating activities during fiscal 2022 was $49.8 million, primarily consisting of our net loss of $157.6 million, adjusted for non-cash items of $85.2 million (including amortization of deferred contract acquisition costs of $33.4 million, stock-based compensation of $30.0 million, unrealized foreign 73 Table of Contents exchange loss of $20.4 million) and net cash inflows of $22.6 million provided by changes in our operating assets and liabilities.

Cash used in operating activities during fiscal 2022 was $49.8 million, primarily consisting of our net loss of $157.6 million, adjusted for non-cash items of $85.2 million (including amortization of deferred contract acquisition costs of $33.4 million, stock-based compensation of $30.0 million, and unrealized foreign exchange loss of $20.4 million) and net cash inflows of $22.6 million provided by changes in our operating assets and liabilities.

Evidence evaluated by us included operating results during the most recent three-year period and future projections, with more weight given to historical results than expectations of future profitability, which are inherently uncertain. Certain entities’ net losses in recent periods represented sufficient negative evidence to require a valuation allowance against its net deferred tax assets.

The evidence we evaluated included operating results during the most recent three-year period and future projections, with more weight given to historical results than expectations of future profitability, which are inherently uncertain. Certain entities’ net losses in recent periods represented sufficient negative evidence to require a valuation allowance against its net deferred tax assets.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2022 compared to the year ended January 31, 2021 is presented below.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2023 compared to the year ended January 31, 2022 is presented below.

In addition, in the U.S., any net operating losses or credits that were generated in prior years but not yet fully utilized in a year that is closed under the statute of limitations may also be subject to examination. We are currently under examination in the Netherlands for tax years 2015 and 2016.

In addition, in the United States, any net operating losses or credits that were generated in prior years but not yet fully utilized in a year that is closed under the statute of limitations may also be subject to examination. We are currently under examination in the Netherlands for the 2015 and 2016 tax years.

For purposes of determining the number of our active customers, we look at our customers with more than $5,000 of Annual Recurring Revenue, or ARR, in a given period, who we refer to as our Base Customers.

For purposes of determining the number of our active customers, we 64 Table of Contents look at our customers with more than $5,000 of Annual Recurring Revenue, or ARR, in a given period, who we refer to as our Base Customers.

We have concluded that the right to use the software, which is recognized upon delivery of the license, and the right to receive technical support and software fixes and updates, which is recognized ratably over the term of the arrangement, are two distinct performance obligations.

We have concluded that the right to use the software, which is recognized upon delivery of the license, and the right to receive technical support and software fixes and 77 Table of Contents updates, which is recognized ratably over the term of the arrangement, are two distinct performance obligations.

Cost of Revenue Subscription - self-managed and SaaS Cost of revenue for self-managed and SaaS subscriptions consists primarily of allocated cloud-hosting costs paid to third-party service providers, personnel-related costs, including stock-based compensation expenses, associated with our customer support personnel, including contractors, and allocated overhead.

Cost of Revenue Subscription - self-managed and SaaS Cost of revenue for self-managed and SaaS subscriptions consists primarily of allocated cloud-hosting costs paid to third-party service providers, personnel-related costs associated with our customer support personnel, including contractors, and allocated overhead. Personnel-related expenses consist of salaries, benefits, bonuses, and stock-based compensation.

Provision for (Benefit from) Income Taxes Provision for (benefit from) income taxes consists primarily of income taxes in certain foreign and state jurisdictions in which we conduct business.

Provision for (Benefit from) Income Taxes Provision for (benefit from) income taxes consists primarily of income taxes in the foreign and state jurisdictions in which we conduct business.

Investing Activities Cash used in investing activities during fiscal 2022 was $53.9 million, primarily consisting of purchases of s hort-term investments, net of maturities of $50.0 million and purchases of property and equipment of $3.5 million.

Cash used in investing activities during fiscal 2022 was $53.9 million, primarily consisting of purchases of short-term investments, net of maturities of $50.0 million and purchases of property and equipment of $3.5 million.

See the section entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations —Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for additional information about how we define ARR. 63 Table of Contents We make our plans available through our self-managed and software-as-a-service, or SaaS offerings.

In instances where performance obligations do not have observable standalone sales, we utilize available information that may include other observable inputs or use the expected cost-plus margin approach to estimate the price we would charge if the products and services were sold separately.

To determine SSP, we maximize the use of observable standalone sales and observable data, where available. In instances where performance obligations do not have observable standalone sales, we utilize available information that may include other observable inputs or use the expected cost-plus margin approach to estimate the price we would charge if the products and services were sold separately.

Financing Activities Cash provided by financing activities during fiscal 2022 was $701.2 million, primarily attributable to $654.6 million in proceeds from the IPO, net of underwriting discounts, $26.5 million of contributio ns received from noncontrolling interests and $25.4 million of proceeds from issuance of common stock upon stock options exercises .

Cash provided by financing activities during fiscal 2022 was $701.2 million, primarily attributable to $654.6 million in proceeds from our IPO, net of underwriting discounts, $26.5 million of contributions received from noncontrolling interests and $25.4 million of proceeds from issuance of common stock upon stock options exercises.

Other revenue consists of professional services revenue which is primarily derived from fixed fee offerings which are subject to customer acceptance. Given our limited history of providing professional services, uncertainty exists about customer acceptance and therefore, control is presumed to transfer upon confirmation from the customer, as defined in each professional services contract.

Other revenue consists of professional services revenue which is derived from fixed fee and time and materials offerings, subject to customer acceptance. Given the Company’s limited history of providing professional services, uncertainty exists about customer acceptance and therefore, control is presumed to transfer upon confirmation from the customer, as defined in each professional services contract.

We continue to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions. As of January 31, 2022, unrecognized tax benefits approximated $5.6 million, of which $0.8 million would affect the effective tax rate if recognized.

We continue to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions. As of January 31, 2023, unrecognized tax benefits were $7.5 million , of which $0.5 million would affect the effective tax rate if recognized.

Pursuant to the provisions of Accounting Standard Codification (ASC) 740, Income Taxes , the determination of our ability to recognize its deferred tax asset requires an assessment of both negative and positive evidence when determining our ability to recognize deferred tax assets. We determined that it was not more likely than not that we could recognize its deferred tax assets.

Under the provisions of Accounting Standard Codification (“ASC”) 740, Income Taxes , the determination of our ability to recognize our deferred tax assets requires an assessment of both negative and positive evidence when determining our ability to recognize deferred tax assets. We determined that it was not more likely than not that we could recognize certain deferred tax assets.

The RSUs contain a service condition and a performance condition based on the achievement of eight separate stock price hurdles/tranches ranging from $95 to $500 per share. The fair value of the RSUs was determined utilizing a Monte Carlo valuation model.

The RSUs involve a greater degree of judgment and complexity as they contain a service condition and a performance condition based on the achievement of eight separate stock price hurdles/tranches ranging from $95 to $500 per share. The fair value of the RSUs was determined utilizing a Monte Carlo valuation model.

As of January 31, 2022 2021 2020 Dollar-Based Net Retention Rate > 152% >145% >175% Customers with ARR of $100,000 or More We believe that our ability to increase the number of $100,000 ARR customers is an indicator of our market penetration and strategic demand for The DevOps Platform.

As of January 31, 2023 2022 2021 Dollar-Based Net Retention Rate > 130% >152% >145% 65 Table of Contents Customers with ARR of $100,000 or More We believe that our ability to increase the number of $100,000 ARR customers is an indicator of our market penetration and strategic demand for The DevSecOps Platform.

Personnel-related expenses are the most significant component of operating expenses and consist of salaries, benefits, bonuses, stock-based compensation, and sales commissions. Operating expenses also include IT overhead costs.

Operating Expenses Our operating expenses consist of sales and marketing, research and development, and general and administrative expenses. Personnel-related expenses are the most significant component of operating expenses and consist of salaries, benefits, bonuses, stock-based compensation, and sales commissions. Operating expenses also include IT overhead costs.

The following table shows a summary of our cash flows for the periods presented: Fiscal Year Ended January 31, 2022 2021 2020 (in thousands) Net cash used in operating activities $ (49,814) $ (73,580) $ (60,166) Net cash used in investing activities $ (53,895) $ (842) $ — Net cash provided by financing activities $ 701,185 $ 12,945 $ 271,265 Operating Activities Our largest source of operating cash is payments received from our customers.

The following table shows a summary of our cash flows for the periods presented: Fiscal Year Ended January 31, 2023 2022 2021 (in thousands) Net cash used in operating activities $ (77,408) $ (49,814) $ (73,580) Net cash used in investing activities $ (605,686) $ (53,895) $ (842) Net cash provided by financing activities $ 97,482 $ 701,185 $ 12,945 Operating Activities Our largest source of operating cash is payments received from our customers.

Our effective tax rate for the year ended January 31, 2022 was lower than the U.S. federal statutory tax rate of 21% primarily due to the change in valuation allowance associated with the net operating losses generated during the year.

Our effective tax rate for fiscal 2023 was lower than the U.S. federal statutory tax rate of 21%, primarily due to an increase in valuation allowance associated with the net operating losses generated during the year.

We calculate ARR by taking the monthly recurring revenue, or MRR, and multiplying it by 12. MRR for each month is calculated by aggregating, for all customers during that month, monthly revenue from committed contractual amounts of subscriptions, including our self-managed and SaaS offerings but excluding professional services.

MRR for each month is calculated by aggregating, for all customers during that month, monthly revenue from committed contractual amounts of subscriptions, including our self-managed and SaaS offerings but excluding professional services.

Based on this model, we allocated between 1 to 15% of the entire transaction price to the right to use the underlying software (License revenue - Self managed) and allocated the remaining value of the transaction to the right to receive post-contract customer support (Subscription revenue - Self managed) during the period covered by these consolidated financial statements.

Accordingly, we have allocated up to 23% of the entire transaction price to the right to use the underlying software (License revenue - Self managed) and allocated the remaining value of the transaction to the right to receive post-contract customer support (Subscription revenue - Self managed) during the period covered by these consolidated financial statements.

We expect our cost of revenue for self-managed and SaaS subscriptions to increase in absolute dollars as our self-managed and SaaS subscription revenue increases. As our SaaS offering makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins.

As our SaaS offering makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins.

For our self-managed offering, the customer installs The DevOps Platform in its own private or hybrid cloud environment. For our SaaS offering, the platform is managed by GitLab and hosted in the public cloud.

For our self-managed offering, the customer installs GitLab in their own on-premise or hybrid cloud environment. For our SaaS offering, the platform is managed by GitLab and hosted either in our public cloud or in our private cloud based on the customer’s preference.

We actively work to grow open source community engagement by operating with intentional transparency. We make our strategy, direction, and product roadmap available to the wider community, where we encourage and solicit their feedback. By making information public, we make it easier to solicit contributions and collaboration from our users and customers.

We actively work to grow open source community engagement by operating with transparency. We make our strategy, direction, and product roadmap available to the wider community, where we encourage and solicit their feedback.

Our calculation of ARR and by extension Dollar-Based Net Retention Rate, includes both self-managed and SaaS license revenue. We report Dollar-Based Net 64 Table of Contents Retention Rate on a threshold basis 130% each quarter, and provide a tighter threshold as of each fiscal year end.

Our calculation of ARR and by extension Dollar-Based Net Retention Rate, includes both self-managed and SaaS subscription revenue. We report Dollar-Based Net Retention Rate on a threshold basis of 130% each quarter, and provide a tighter threshold as of each fiscal year end. We calculate ARR by taking the monthly recurring revenue, or MRR, and multiplying it by 12.

As of January 31, 2022, our U.S. federal 2017 through 2020 tax years were open and subject to potential examination in one or more jurisdictions.

As of January 31, 2023 , the statutes for our U.S. federal 2018 through 2022 tax years were open and the results from such tax years remained subject to potential examination in one or more jurisdictions.

Costs related to research and development are expensed as incurred. 66 Table of Contents We expect research and development expenses to increase in absolute dollars as we continue to increase investments in our existing products and services.

We expect research and development expenses to increase in absolute dollars as we continue to increase investments in our existing products and services.

Revenue for support and maintenance is recognized ratably over the contract period based on the stand-ready nature of these subscription elements. Our SaaS subscriptions provide access to our latest managed version of our product hosted in a public cloud. Revenue from our SaaS offering is recognized ratably over the contract period when the performance obligation is satisfied.

SaaS Our SaaS subscriptions provide access to our latest managed version of our product hosted in a public or private cloud based on the customer’s preference. Revenue from our SaaS offerings is recognized ratably over the contract period when the performance obligation is satisfied.

This model uses observable data points to develop the main inputs and assumptions which include the estimated historical costs to develop the paid features in the software license and the estimated future costs to provide post-contract customer support. Based on this model, we determined the SSP allocation for each of our paid tiers across various subscription tenures.

Interest Income, and Other Income (Expense), Net Interest income consists primarily of interest earned on our cash equivalents and short-term investments. Other income (expense), net consists primarily of foreign currency transaction gains and losses.

Interest Income, and Other Income (Expense), Net Interest income consists primarily of interest earned on our cash equivalents and short-term inve stments. Other income (expense), net consists primarily of the gain from the deconsolidation of Meltano Inc., as well as foreign currency transaction gains and losses.

Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

As of January 31, 2022 2021 2020 $100,000 ARR customers 492 283 173 Components of Our Results of Operations Revenue Subscription - self-managed and SaaS Our self-managed and SaaS subscriptions consist of support, maintenance, upgrades and updates on a when-and-if-available basis.

As of January 31, 2023 2022 2021 $100,000 ARR customers 697 492 283 Components of Our Results of Operations Revenue Subscription - self-managed and SaaS Subscription - self-managed Our self-managed subscriptions include support, maintenance, upgrades, and updates on a when-and-if-available basis. Revenue for self-managed subscriptions is recognized ratably over the contract period based on the stand-ready nature of subscription elements.

Accordingly, 65 Table of Contents revenue is recognized upon satisfaction of all requirements per the applicable contract. Revenue from professional services provided on a time and material basis is recognized over the periods services are delivered .

Accordingly, revenue is recognized upon satisfaction of all requirements per the applicable contract. Revenue from professional services provided on a time and material basis is recognized over the periods services are delivered. Revenue from professional services accounted for 2%, 2% and 3% of our total revenue for the years ended January 31, 2023, 2022 and 2021, respectively.

The following table sets forth the components of our consolidated statements of operations as a percentage of total revenue for each of the periods presented: Fiscal Year Ended January 31, 2022 2021 2020 (as a percentage of total revenue) Revenue 100 % 100 % 100 % Cost of revenue 12 12 12 Gross profit 88 88 88 Operating expenses: Sales and marketing 76 101 122 Research and development 38 70 73 General and administrative 25 57 51 Total operating expenses 139 228 246 Loss from operations (51) (141) (158) Interest income — 1 4 Other income (expense), net (12) 15 (6) Loss before income taxes (63) (124) (159) Provision for (benefit from) income taxes (1) (2) (1) Net loss (62) % (126) % (161) % Net loss attributable to noncontrolling interest (1) % — % — % Net loss attributable to GitLab (61) % (126) % (161) % Comparison of the Fiscal Year Ended January 31, 2022 and 2021 Revenue Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) Subscription—self-managed and SaaS $ 226,163 $ 132,763 $ 93,400 70 % License—self-managed and other 26,490 19,413 7,077 36 Total revenue $ 252,653 $ 152,176 $ 100,477 66 % Revenue increased $100.5 million, or 66%, to $252.7 million for fiscal 2022 from $152.2 million for fiscal 2021, primarily due to the ongoing demand for The DevOps Platform: adding new customers, the expansion within our existing paid customers, as well as an increase in our number of $100,000 ARR customers.

The following table sets forth the components of our consolidated statements of operations as a percentage of total revenue for each of the periods presented: Fiscal Year Ended January 31, 2023 2022 2021 (as a percentage of total revenue) Revenue 100 % 100 % 100 % Cost of revenue 12 12 12 Gross profit 88 88 88 Operating expenses: Sales and marketing 73 76 101 Research and development 37 38 70 General and administrative 28 25 57 Total operating expenses 138 139 228 Loss from operations (50) (51) (141) Interest income 3 — 1 Other income (expense), net 5 (12) 15 Loss before income taxes and loss from equity method investment (41) (63) (124) Loss from equity method investment, net of tax (1) — — Provision for (benefit from) income taxes 1 (1) (2) Net loss (43) % (62) % (126) % Net loss attributable to noncontrolling interest (2) % (1) % — % Net loss attributable to GitLab (41) % (61) % (126) % Comparison of the Fiscal Year Ended January 31, 2023 and 2022 Revenue Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Subscription—self-managed and SaaS $ 369,349 $ 226,163 $ 143,186 63 % License—self-managed and other 54,987 26,490 28,497 108 Total revenue $ 424,336 $ 252,653 $ 171,683 68 % 70 Table of Contents Revenue increased $171.7 million, or 68%, to $424.3 million for fiscal 2023 from $252.7 million for fiscal 2022.

Such costs are capitalized and amortized over an estimated period of benefit of three years, and any such expenses paid for the renewal of a subscription are capitalized and amortized over the contractual term of the renewal.

Such costs incurred on acquisition of an initial contract are capitalized and amortized over an estimated period of benefit of three years, and any such expenses paid for the renewal of a subscription are capitalized and amortized over the contractual term of the renewal. However, costs for commissions that are incremental to obtain a self-managed license contract are expensed immediately.

The ownership interest of other investors is recorded as a noncontrolling interest. See “Note 10. Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details.

See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details . (3) Our results of operations include our v a riable interest entity, JiHu. The ownership interest of other investors is recorded as a noncontrolling interest. See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

As of January 31, 2022 and 2021, our principal source of liquidity was cash, cash equivalents, and short-term investments of $934.7 million and $282.9 million, respectively, which were held for working capital purposes. Cash and cash equivalents consist of cash in banks and money market accounts, while short-term investments consist of certificates of deposit.

As of January 31, 2023 and January 31, 2022, our principal source of liquidity was cash, cash equivalents, and short-term investments aggregating to $936.7 million and $934.7 million, respectively, which were held for working capital and strategic investment purposes.

The main drivers of the changes in operating assets and liabilities were the increase in deferred revenue of $52.4 million, partially offset by the increase in costs deferred related to contract acquisition of $34.1 million and the increase in accounts receivable of $14.7 million.

The main drivers of the changes in operating assets and liabilities were the decrease in accrued compensation and related expenses of $11.7 million, the increase in deferred contract acquisition costs of $48.6 million, and the increase in accounts receivable of $54.2 million, partially offset by the increase in deferred revenue of $73.0 million.

Post-contract customer support comprises maintenance services (including updates and upgrades to the software on a when and if available basis) and support services.

Self-managed subscriptions include both (i) a right to use the underlying software and (ii) a right to receive post-contract customer support during the subscription term. Post-contract customer support comprises maintenance services (including updates and upgrades to the software on a when and if available basis) and support services.

If the contract contains a single performance obligation, the entire transaction price is allocated to the single performance obligation. For contracts that contain multiple performance obligations, we allocate the transaction price for each contract to each performance obligation based on the relative standalone selling price, or SSP for each performance obligation.

Revenue Recognition For contracts that contain multiple performance obligations, we allocate the transaction price for each contract to each performance obligation based on the relative standalone selling price or SSP for each performance obligation. We use judgment in determining SSP for our products and services.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2021 compared to the year ended January 31, 2020 can be found in “Management's Discussion and Analysis of Financial Condition and Results of Operations” in our final prospectus dated October 13, 2021 and filed with the SEC pursuant to Rule 424(b)(4) on October 14, 2021.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2022 compared to the year ended January 31, 2021 can be found in “Management's Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on Form 10-K for the fiscal year ended January 31, 2022, which was filed with the SEC on April 8, 2022.

We expect to incur additional expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, and increased expenses for insurance, investor relations, and professional services.

General and administrative expenses also include external legal, accounting, and director and officer insurance, as well as other consulting and professional services fees, software and subscription services, other corporate expenses, and any contract termination fees. 67 Table of Contents We have incurred and expect to incur additional expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, costs related to Sarbanes-Oxley compliance, costs related to Environmental, Social, and Governance (ESG) compliance and increased expenses for insurance, investor relations, and related professional services.

See “Note 10. Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

As of January 31, 2022 and 2021, our expansion is reflected by our Dollar-Based Net Retention Rate being above 152% and above 145%, respectively. We had 492 $100,000 ARR customers as of January 31, 2022, increasing from 283 as of January 31, 2021. Revenue for fiscal 2022 includes $1.2 million attributable to our variable interest entity, JiHu. See “Note 10.

As of January 31, 2023 and 2022, our expansion is reflected by our Dollar-Based Net Retention Rate being above 130% and above 152%, respectively. We had 697 customers with ARR over $100,000 as of January 31, 2023, increasing from 492 customers with ARR over $100,000 as of January 31, 2022.

We believe that our existing cash, cash equivalents, and short-term investments will be sufficient to support working capital and capital expenditure requirements for at least the next 12 months.

As of January 31, 2023, cash and cash equivalents consist of cash in banks, money markets funds, agency securities, and treasuries , while short-term investments mainly consist of treasuries, corporate debt securities, and commercial paper. 75 Table of Contents We believe that our existing cash, cash equivalents, and short-term investments will be sufficient to support working capital and capital expenditure requirements for at least the next 12 months.

We will recognize total stock-based compensation expense over the derived service period of each tranche using the accelerated attribution method, regardless of whether the stock price hurdles are achieved. Refer to “Note 9. Equity” to our consolidated financial statements for further discussion.

We will recognize total stock-based compensation expense over the derived service period of each tranche using the accelerated attribution method, regardless of whether the stock price hurdles are achieved. Our performance stock units (“PSUs”), issued to the senior members of the management team are subject to a revenue performance condition and service conditions.

We do not have any deferred tax assets for which subsequently recognized tax benefits will be credited directly to contributed capital. We have not recorded a provision for deferred U.S. tax expense that could result from the remittance of foreign undistributed earnings since we intend to reinvest the earnings of the foreign subsidiaries indefinitely.

This valuation allowance will be evaluated periodically and could be reversed partially or totally if business results have sufficiently improved to support realization of deferred tax assets. We have not recorded a provision for deferred U.S. tax expense that could result from the remittance of foreign undistributed earnings since we intend to reinvest the earnings of the foreign subsidiaries indefinitely.

We do not anticipate any of the unrecognized tax benefits to reverse in the next 12 months. 72 Table of Contents It is our policy to classify accrued interest and penalties related to unrecognized tax benefits in the provision for income taxes.

We anticipate an immaterial amount of unrecognized tax benefits to reverse in the next 12 months. We are unable to reasonably estimate the timing of the long-term payments or the amount by which the liability will increase or decrease. It is our policy to classify accrued interest and penalties related to unrecognized tax benefits in the provision for income taxes.

Cash used in operating activities during fiscal 2021 was $73.6 million, primarily consisting of our net loss of $192.2 million, adjusted for non-cash items of $106.7 million and net cash inflows of $11.9 million provided by changes in our operating assets and liabilities.

Cash used in operating activities during fiscal 2023 was $77.4 million, primarily consisting of our net loss of $180.7 million, adjusted for non-cash items of $148.1 million (mainly attributable to stock-based compensation expense of $122.6 million), and net cash outflows of $44.9 million used by changes in our operating assets and liabilities.

Today, every industry, business, and function within a company is dependent on software. To remain competitive and survive, nearly all companies must digitally transform and become experts at building and delivering software. GitLab is The DevOps Platform, a single application that brings together development, operations, IT, security, and business teams to deliver desired business outcomes.

Overview In today’s world, software defines the speed of innovation. Every industry, business, and function within a company is dependent on software. To remain competitive and survive, nearly all companies must digitally transform and become experts at building, delivering, and securing software.

For purposes of determining our Base Customers, a single organization with separate subsidiaries, segments, or divisions that use The DevOps Platform is considered a single customer for determining each organization’s ARR. Our company exists today in large part thanks to the vast and growing community of open source contributors around the world.

For purposes of determining our Base Customers, a single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. GitLab is the only DevSecOps platform built on an open-core business model. We enable any customer and contributor to add functionality to our platform.

Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details. 69 Table of Contents Cost of Revenue, Gross Profit, and Gross Margin Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) Cost of revenue $ 29,985 $ 18,463 $ 11,522 62 % Gross profit 222,668 133,713 88,955 67 Gross margin 88 % 88 % Cost of revenue increased by $11.5 million, to $30.0 million for fiscal 2022 from $18.5 million for fiscal 2021, primarily due to a $5.0 million increase in personnel-related expenses, which includes stock-based compensation expense, driven by a 26% increase in our average customer support and professional services headcount.

Cost of Revenue, Gross Profit, and Gross Margin Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Cost of revenue $ 51,680 $ 29,985 $ 21,695 72 % Gross profit 372,656 222,668 149,988 67 Gross margin 88 % 88 % Cost of revenue increased by $21.7 million, to $51.7 million for fiscal 2023 from $30.0 million for fiscal 2022, primarily due to an increase of $8.1 million in personnel-related expenses, driven by an increase in our average customer support and professional services headcount and an increase of $3.8 million in stock-based compensation expenses (as discussed in the section titled “ Stock-Based Compensation Expense” below).

Research and development expenses for fiscal 2022 includes $2.3 million attributable to our variable interest entity, JiHu. See “Note 10. Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details.

Revenue attributed to our variable interest entity, JiHu, was $4.7 million and $1.2 million for fiscal 2023 and 2022, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

For the years ended January 31, 2022 , 2021, and 2020, we recognized interest and penalties of $0.1 million, zero, and zero, respectively. Liquidity and Capital Resources Since inception, we have financed operations primarily through proceeds received from issuances of equity securities and payments received from our custo mers.

Liquidity and Capital Resources Since inception, we have financed operations primarily through proceeds received from issuances of equity securities, preferred stock and payments received from our customers.

Basis of Presentation and Summary of Significant Accounting Policies” to our consolidated financial statements included elsewhere i n this Annual Report for more information regarding recently issued accounting pronouncements. 79 Table of Contents JOBS Act Accounting Election We are an emerging growth company, as defined in the Jumpstart Our Business Startups Act, or JOBS Act.

The estimate of awards expected to vest is reassessed by management at each reporting period. 78 Table of Contents Recently Issued Accounting Pronouncements See “Note 2. Basis of Presentation and Summary of Significant Accounting Policies” to our consolidated financial statements included elsewhere in this Annual Report for more information regarding recently issued accounting pronouncements. 79 Table of Contents

Research and Development Research and development expenses consist primarily of personnel-related expenses associated with our research and development personnel, including internal hosting, contractors and allocated overhead associated with developing new features or enhancing existing features as well as a portion of the costs for our gathering of staff and leaders at one site we call “Contribute” once a year.

Research and Development Research and development expenses consist primarily of personnel-related expenses, including contractors, as well as third-party cloud infrastructure expenses to support our internal development efforts, allocated overhead associated with developing new features or enhancing existing features, and software and subscription services. Costs related to research and development are expensed as incurred.

License - self-managed and other Cost of self-managed license sales includes personnel-related expenses, including stock-based compensation expenses. Other costs of sales include professional services, personnel-related costs associated with our customer support personnel, including contractors, and allocated overhead. Operating Expenses Our operating expenses consist of sales and marketing, research and development and general and administrative expenses.

License - self-managed and other Cost of self-managed license and other revenue consists primarily of contractor and personnel-related costs, including stock-based compensation expenses, associated with the professional services team and customer support team, and allocated overhead. We expect our cost of revenue for self-managed license and other to increase in absolute dollars as our self-managed and other revenue increases.

The DevOps Platform is available to any company, regardless of the size, scope, and complexity of their deployment. As a result, we have a large number of customers on paid trials or with single-digit users.

GitLab is available to any team, regardless of the size, scope, and complexity of their deployment. As a result, we have more than 30 million registered users and more than 50% of the Fortune 100 companies are GitLab customers.

Sales and Marketing Sales and marketing expenses consist primarily of personnel-related expenses associated with our sales and marketing personnel, advertising, travel and entertainment related expenses, including a portion of the costs for our gathering of staff and leaders at one site we call “Contribute” once a year, branding and marketing events, promotions, subscription services and our hosting expenses for our free tier.

Sales and Marketing Sales and marketing expenses consist primarily of personnel-related expenses associated with our sales and marketing personnel, advertising, travel and entertainment related expenses, branding and marketing events, promotions, software subscriptions, and our allocated hosting expenses for our free tier. Sales and marketing expenses also include sales commissions paid to our sales force.

Research and Development Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) Research and development expenses $ 97,217 $ 106,643 $ (9,426) (9) % Research and development expenses decreased by $9.4 million, to $97.2 million for fiscal 2022 from $106.6 million for fiscal 2021, primarily due to a decrease of $8.4 million in personnel-related expenses.

Research and Development Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Research and development expenses $ 156,143 $ 97,217 $ 58,926 61 % Research and development expenses increased by $58.9 million, to $156.1 million for fiscal 2023 from $97.2 million for fiscal 2022, primarily due to an increase of $52.6 million in personnel-related expenses, driven by an increase in our average research and development headcount and an increase of $28.0 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

Given the uncertainty, we cannot reasonably estimate the impact on our future results of operations, cash flows, or financial condition. Key Business Metrics We monitor the following key metrics to help us evaluate our business, identify trends affecting our business, formulate business plans, and make strategic decisions.

For more information regarding our customers, refer to the section titled “Business—Our Customers.” Key Business Metrics We monitor the following key metrics to help us evaluate our business, identify trends affecting our business, formulate business plans, and make strategic decisions.

The change in other income (expense), net is primarily due to net foreign currency exchange losses caused by the intercompany loans of short-term nature advanced to select subsidiaries whose functional currency is not the U.S. dollar, primarily our Euro functional subsidiaries. 71 Table of Contents Provision for (Ben efit from) Income Taxes Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) Provision for (benefit from) income taxes $ (1,511) $ 2,832 $ (4,343) (153) % Effective tax rate 0.9 % (1.5) % Our effective tax rate increased by approximately 2.4% during the year ended January 31, 2022 as compared to the year ended January 31, 2021.

Provision for (Benefit from) Income Taxes Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Provision for (benefit from) income taxes $ 2,898 $ (1,511) $ 4,409 (292) % Effective tax rate (1.7) % 0.9 % (2.6)% Our effective tax rate decreased by approximately 2.6% in the fiscal year ended January 31, 2023 as compared to the fiscal year ended January 31, 2022.

Sales and Marketing Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) Sales and marketing expenses $ 190,754 $ 154,086 $ 36,668 24 % Sales and marketing expenses increased by $36.7 million, to $190.8 million for fiscal 2022 from $154.1 million for fiscal 2021, primarily due to an increase of $20.6 million in personnel-related expenses, driven by an increase of 21% in our average sales and marketing headcount, an increase of $5.6 million in marketing expenses, an increase of $3.3 million in hosting expenses, and an increase of $2.9 million in software and consultin g expenses as a result of our investment activities to increase the effectiveness of our sales motions, increase our sales capacity and acquire more customers.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 71 Table of Contents Sales and Marketing Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Sales and marketing expenses $ 309,992 $ 190,754 $ 119,238 63 % Sales and marketing expenses increased by $119.2 million, to $310.0 million for fiscal 2023 from $190.8 million for fiscal 2022, primarily due to an increase of $94.9 million in personnel-related expenses, driven by an increase in our average sales and marketing headcount, and an increase of $37.5 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

Having all teams on a single application with a single interface represents a step function change in how organizations plan, build, secure, and deliver software. The DevOps Platform accelerates our customers’ ability to create business value and innovate by reducing their software development cycle times from weeks to minutes.

We believe GitLab is the shortest path to unlocking business and technology transformation results. Our DevSecOps Platform accelerates our customers’ ability to create business value and innovate by reducing their software development cycle times from weeks to minutes.

The remaining change was primarily attributable to an increase in third-party hosting costs of $3.1 million and an increase in total Infrastructure and Customer Support expense allocated to paid users of $1.9 million. Gross margin was consistent at 88% for fiscal 2022 and 2021. Cost of revenue for fiscal 2022 includes $0.9 million attributable to our variable interest entity, JiHu.

Gross margin remained at 88% for fiscal 2023 compared to fiscal 2022. Cost of revenue attributed to our variable interest entity, JiHu, was $1.7 million and $0.9 million fiscal 2023 and 2022, respectively. See “Note 11.

General and Administrative Fiscal Year Ended January 31, Change 2022 2021 $ % (in thousands, except percentages) General and administrative expenses $ 63,654 $ 86,868 $ (23,214) (27) % General and administrative expenses decreased by $23.2 million, to $63.7 million for fiscal 2022 from $86.9 million for fiscal 2021, primarily due to a decrease in stock-based compensation expense of $47.8 million, mainly as a result of a tender offer further discussed in “Note 13.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 72 Table of Contents General and Administrative Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) General and administrative expenses $ 117,932 $ 63,654 $ 54,278 85 % General and administrative expenses increased by $54.3 million, to $117.9 million for fiscal 2023 from $63.7 million for fiscal 2022, primarily due to an increase of $43.0 million in personnel-related expenses, mainly attributable to an increase in our average general and administrative headcount and an increase of $23.3 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

General and administrative expenses for fiscal 2022 includes $3.6 million attributable to our variable interest entity, JiHu. See “Note 10. Joint Venture and Majority Owned Subsidiary” to our consolidated financial statements for additional details.

The remaining change was primarily driven by an increase of $6.1 million in consulting and software expenses to support our growth. General and administrative expenses attributed to our variable interest entity, JiHu, was $10.5 million and $3.6 million for fiscal 2023 and 2022, respectively. See “Note 11.

We amortize our acquired intangible assets in business combinations and asset acquisitions on a straight-line basis with definite lives over a period of three years. 78 Table of Contents Stock-Based Compensation In May 2021, we granted restricted stock units (“RSUs”) settleable for 3 million shares of our Class B common stock to Mr. Sijbrandij, our founder and CEO.

The compensation costs related to these awards are recognized on a graded attribution method as the grants include a performance condition. The Company granted restricted stock units (“RSUs”) settleable for 3 million shares of our Class B common stock to Mr. Sijbrandij, our founder and CEO.

The increase in pe rsonnel-related expenses was partially offset by a decrease in stock-based compensation of $11.0 million, primarily due to a fiscal 2021 tender offer as further discussed in “Note 13. Related Party Transactions.” Sales and marketing expenses for fiscal 2022 includes $3.2 million attributable to our variable interest entity, JiHu. See “Note 10.

The remaining change was mainly due to an increase of $2.7 million in hosting expenses. Research and development expenses attributed to our variable interest entity, JiHu, was $6.8 million and $2.3 million for fiscal 2023 and 2022, respectively. See “Note 11.

We base these estimates on historical and anticipated results, trends, and various other assumptions that it believes are reasonable under the circumstances, including assumptions as to future events. Actual results could differ from those estimates.

We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis.

… 118 more changes not shown on this page.

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Market Risk — interest-rate, FX, commodity exposure

4 edited+4 added−1 removed5 unchanged

2022 filing

2023 filing

Biggest changeWe do not believe a 10% increase or decrease in interest rates would have resulted in a material impact to our operating results. Foreign Currency Exchange Risk To date, all of our sales contracts have been denominated in U.S. dollars, therefore our revenue is not subject to foreign currency risk.

Biggest changeThe weighted-average life of our investment portfolio was approximately 7 months as of January 31, 2023. Foreign Currency Exchange Risk To date, all of our sales contracts have been denominated in U.S. dollars, except for our variable interest entity, JiHu, which sells in local currency in its designated area. Our revenue is not subject to a material foreign currency risk.

Our market risk exposure is primarily the result of fluctuations in interest rates and foreign currency exchange rates. Interest Rate Risk As of January 31, 2022 and 2021 , we had $934.7 million and $282.9 million of cash, cash equivalents, and short-term investments, respectively.

Our market risk exposure is primarily the result of fluctuations in interest rates and foreign currency exchange rates. Interest Rate Risk As of January 31, 2023 and January 31, 2022 , we had $936.7 million and $934.7 million of cash, cash equivalents, and short-term investments, respectively.

In the event our foreign currency denominated assets, liabilities, or expenses increase, our operating results may be more greatly affected by fluctuations in the exchange rates of the currencies in which we do business. We have not engaged in the hedging of foreign currency transactions to date, although we may choose to do so in the future.

Our cash equivalents and short-term investments of $830.2 million and $245.3 million as of January 31, 2022 and 2021, respectively, mainly consist of money market accounts and certificates of deposit. Our cash, cash equivalents, and short-term investments are held for working capital purposes. We do not enter into investments for trading or speculative purposes.

Our cash equivalents and short-term investments of $704.3 million as of January 31, 2023, mainly consist of money market funds, treasuries, corporate debt securities and commercial paper. Our cash equivalents and short-term investments of $830.2 million as of January 31, 2022, mainly consist of money market accounts and certificates of deposit.

Removed

The volatility of exchange rates depends on many factors that we cannot forecast with reliable accuracy. In the event our foreign currency denominated assets, liabilities, sales or expenses increase, our operating results may be more greatly affected by fluctuations in the exchange rates of the currencies in which we do business. 81 Table of Contents

Added

Our cash, cash equivalents, and short-term investments are held for working capital and strategic investment purposes. We do not enter into investments for trading or speculative purposes. Our fixed-income portfolio is subject to fluctuations in interest rates, which could affect our results of operations.

Added

Based on our investment portfolio balance as of January 31, 2023, a hypothetical increase or decrease in interest rates of 1% (100 basis points) would result in a decrease or an increase in the fair value of our portfolio of approximately $4.4 million. Such losses would only be realized if we sell the investments prior to maturity.

Added

Moreover, as of January 31, 2023, we h ave $83.6 million of cash and cash equivalents denominated in currencies other than the U.S. dollar, predominantly Chin ese yuan for our variable interest entity, JiHu. The value of these cash balances may materially change along with the weakness or strength of the U.S. dollar.

Added

As of January 31, 2023, a hypothetical 10% change in foreign currency exchange rates would have a material impact on our consolidated financial statements. We have not engaged in the hedging of foreign currency transactions to date, although we may choose to do so in the future. 80 Table of Contents

Top changes in Gitlab Inc.'s 2023 10-K

Item 1. Business

Item 1A. Risk Factors

Item 3. Legal Proceedings

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Other GTLB 10-K year-over-year comparisons