What changed in Gitlab Inc.'s 2024 10-K compared to 2023?

Across the narrative sections we track, Gitlab Inc. (GTLB) added 502 paragraphs, removed 504, and edited 425 between the 2023 and 2024 10-K filings. The biggest movers are Item 1A. Risk Factors (+253/−257), Item 1. Business (+124/−128), Item 7. Management's Discussion & Analysis (+110/−101).

Did Gitlab Inc. add new Risk Factors in the 2024 10-K?

Yes — Item 1A Risk Factors shows 253 new/edited paragraphs and 257 removed paragraphs versus the 2023 10-K.

What changed in Gitlab Inc.'s MD&A (Item 7) in 2024?

Item 7 Management's Discussion & Analysis shows 110 new/edited paragraphs and 101 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did Gitlab Inc.'s Legal Proceedings (Item 3) change in 2024?

Item 3 shows 2 added/edited paragraphs and 2 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this GTLB 10-K diff come from?

The source filings are Gitlab Inc.'s official 2023 and 2024 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in Gitlab Inc.'s 10-K — 2023 vs 2024

Paragraph-level year-over-year comparison of Gitlab Inc.'s 2023 and 2024 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2024 report.

+502 added−504 removedSource: 10-K (2024-03-26) vs 10-K (2023-03-30)

Top changes in Gitlab Inc.'s 2024 10-K

502 paragraphs added · 504 removed · 425 edited across 6 sections

Item 1A. Risk Factors+253 / −257 · 219 edited
Item 1. Business+124 / −128 · 108 edited
Item 7. Management's Discussion & Analysis+110 / −101 · 87 edited
Item 7A. Quantitative and Qualitative Disclosures About Market Risk+8 / −8 · 6 edited
Item 5. Market for Registrant's Common Equity+5 / −8 · 4 edited

Item 1. Business

Business — how the company describes what it does

108 edited+16 added−20 removed53 unchanged

2023 filing

2024 filing

Biggest changeWhile our Free tier platform includes significant functionality for individual users, our paid tiers include features that are more relevant for managers, directors, and executives. • Our Free tier caters to capabilities needed by individual contributors to do their daily jobs. • Our Premium tier builds on the capabilities of the Free Plan while also adding functionality intended specifically for managers and directors to help teams enhance collaboration between development and operations teams, manage projects and portfolios, and accelerate the deployment of code. • Our Ultimate tier provides further functionality for executives and has functions to help teams establish better collaboration between development, operations, and security teams, instill organizational wide security, compliance and planning practices, and implement full value stream measurement, analytics, and reporting, across the DevSecOps lifecycle. 14 Table of Contents Our subscription plans are available as a self-managed offering which customers download to run in their own on-premise environment or hybrid cloud environments, and also a SaaS offering which is managed by us and is hosted in either the public cloud or in a private cloud based on the customer’s preference.

Biggest changeThe DevSecOps Platform and Plans We offer GitLab in three different subscription tiers: Free, Premium and Ultimate. • Our Free tier caters to capabilities needed by individual contributors. • Our Premium tier is intended specifically for managers and directors to help teams enhance collaboration between development and operations teams, manage projects and portfolios, and accelerate the deployment of code. • Our Ultimate tier enables organization-wide change, helping teams establish better collaboration between development, operations, and security teams, instilling organizational-wide security, compliance, and planning practices, and implementing full value stream measurement, analytics, and reporting, across the DevSecOps lifecycle.

ITEM 1. BUSINESS Overview In today’s world, software defines the speed of innovation. Every industry, business, and function within a company is dependent on software. To remain competitive and survive, nearly all companies must digitally transform and become experts at building, delivering, and securing software.

ITEM 1. BUSINESS Overview In today’s world, software defines the speed of innovation. Every industry, business, and every function within a company is dependent on software. Nearly all companies must digitally transform and become experts at building, delivering, and securing software to remain competitive and survive.

Across every industry – and across companies of every size – technology leaders want to make developers more productive so they can deliver better products faster; they want to measure productivity, so they can increase operational efficiency; they want to secure the software supply chain, so they can reduce security and compliance risk; and, they want to accelerate cloud migration, so they can unlock digital transformation results.

Across every industry – and across companies of every size – technology leaders want to make developers more productive so they can deliver better products faster; they want to measure productivity so they can increase operational efficiency; they want to secure the software supply chain so they can reduce security and compliance risk; and, they want to accelerate secure cloud migration, so they can unlock digital transformation results.

These technology leaders need a platform that enables a value stream-driven mindset – a mindset that shortens the time from idea to customer value – and establishes a powerful flywheel for data collection and aggregation.

These technology leaders need a platform that enables a value stream-driven mindset that shortens the time from idea to customer value and establishes a powerful flywheel for data collection and aggregation.

GitLab team members also use The DevSecOps Platform to power our own DevSecOps lifecycle. By doing so, we benefit from the inherent advantages of using a single application. We leverage these learnings to establish a rapid feedback loop to continually and rapidly improve The DevSecOps Platform.

Further, The DevSecOps Platform also delivers cost savings to our customers by eliminating the hidden costs and time it takes to manually integrate these point products and drives greater efficiency gains and productivity.

Further, The DevSecOps Platform also delivers cost savings to our customers by eliminating the hidden costs and time it takes to integrate these point products manually and drives greater efficiency gains and productivity.

We plan to continue investing in sales and marketing, with a focus on driving expansion of The DevSecOps Platform within existing customers, particularly for our larger customers. • Further grow adoption of our SaaS offering.

We plan to continue investing in sales and marketing, with a focus on driving the expansion of The DevSecOps Platform within existing customers, particularly for our larger customers. • Further grow adoption of our SaaS offering.

We have established six core C.R.E.D.I.T. values: ◦ C ollaboration - Helping others is a priority; we rely on each other for help and advice; ◦ R esults - We follow through on our promises to each other, customers, users, and investors; ◦ E fficiency - We are about working on the right things to achieve more progress faster; ◦ D iversity, Inclusion & Belonging - We aim to foster an environment where everyone can thrive; ◦ I teration - We do the smallest thing possible and get it out as quickly as possible; and ◦ T ransparency - We strive to be open about as many things as possible to reduce the threshold to contribution and to make collaboration easier. • Measure results, not hours.

We have established six core C.R.E.D.I.T. values: ◦ C ollaboration - Helping others is a priority; we rely on each other for help and advice; ◦ R esults for Customers - We follow through on our promises to each other, customers, users, and investors; ◦ E fficiency - We are about working on the right things to achieve more progress faster; ◦ D iversity, Inclusion & Belonging - We aim to foster an environment where everyone can thrive; ◦ I teration - We do the smallest thing possible and get it out as quickly as possible; and ◦ T ransparency - We strive to be open about as many things as possible to reduce the threshold to contribution and to make collaboration easier. • Measure results, not hours.

We believe we have a strong and open relationship with our team members and our unique mission, culture and values differentiate us and continue to be key drivers of our business success. Diversity, Inclusion and Belonging Mission Diversity, Inclusion & Belonging is fundamental to our success. We include it in every way possible and in all that we do.

We believe we have a strong and open relationship with our team members and our unique mission, culture and values differentiate us and continue to be key drivers of our business success. Diversity, Inclusion and Belonging Diversity, Inclusion & Belonging is fundamental to our success. We include it in every way possible and in all that we do.

For self-managed users, GitLab is the only truly public-cloud-agnostic solution. Customers can also run The DevSecOps Platform in their own data centers if they wish. They can further choose to run GitLab on traditional servers, or they can use containers and an orchestration system like Kubernetes.

For self-managed users, GitLab is the only truly public-cloud-agnostic solution. Customers can also run The DevSecOps Platform in their own data centers if they wish. They can further choose to run GitLab on traditional servers or use containers and an orchestration system like Kubernetes.

Developers use these solutions to collaborate together on the same code base without conflicting or accidentally overwriting each other's changes. Create also maintains a running history of software contributions from each developer to allow for version control. Teams use Verify to ensure changes to code go through defined quality standards with automatic testing and reporting.

Developers use these solutions to collaborate on the same code base without conflicting or accidentally overwriting each other's changes. Create also maintains a running history of software contributions from each developer to allow for version control. Teams use Verify to ensure changes to code go through defined quality standards with automatic testing and reporting.

The DevSecOps Platform brings together developers, operations, and security professionals and elevates their innovation to new levels, making it faster, safer, and more accessible. We are an all-remote company, and we pride ourselves in how we work through enabling our team members the individualized flexibility to reach their business results.

The DevSecOps Platform brings together developers, operations, and security professionals and elevates their innovation to new levels, making it faster, safer, and more accessible. We are an all-remote company, and we pride ourselves in how we work through enabling our team members with the individualized flexibility to reach their business results.

With pipelines that enable concurrent testing and parallel execution, teams quickly get insight about every commit, allowing them to deliver higher quality code faster. • Package. Enables teams to package their applications and dependencies, manage containers, and build artifacts with ease.

With pipelines that enable concurrent testing and parallel execution, teams quickly get insight about every commit, allowing them to deliver higher quality code faster. • Package. GitLab enables teams to package their applications and dependencies, manage containers, and build artifacts with ease.

As a result, we trust that our values have led and will continue to lead to results that distinguish us from other companies. They include: • Our mission is to ensure that everyone can contribute. This mission guides our path, and we live our values along that path.

As a result, we trust that our values have led and will continue to lead to results that distinguish us from other companies. Our values include: • Our mission is to ensure that everyone can contribute. This mission guides our path, and we live our values along that path.

We will also continue to invest in building out our partnerships to deliver transformation services to help our enterprise customers accelerate the deployment of The DevSecOps Platform. • Expand our global footprint. We believe there is significant opportunity to continue to expand internationally.

We will also continue to invest in building out our partnerships to deliver transformation services to help our enterprise customers accelerate the deployment of The DevSecOps Platform. • Expand our global footprint. We believe there is a significant opportunity to continue to expand internationally.

We believe that our transparency creates more value than it captures, and our ability to execute on our strategy far exceeds the abilities of our competitors. • We do the smallest thing possible and get it out as quickly as we can.

We believe that our transparency creates more value than it captures, and our ability to execute our strategy far exceeds the abilities of our competitors. • We do the smallest thing possible and get it out as quickly as we can.

Our marketing department is focused on generating awareness of The DevSecOps Platform to our developer community, existing customers and users, and potential customers. We utilize diverse tactics such as digital demand generation, account based marketing, nurture programs, sales development, virtual and field events, sponsored webinars, gated content downloads, whitepapers, display advertising and integrated campaigns to connect with prospective customers.

Our marketing department is focused on generating awareness of our DevSecOps Platform to the developer community, existing customers and users, and potential customers. We utilize diverse strategies such as digital demand generation, account-based marketing, nurture programs, sales development, virtual and field events, sponsored webinars, gated content downloads, whitepapers, display advertising and integrated campaigns to connect with prospective customers.

It helps teams attract and retain top talent by creating a superior developer experience that allows people to focus more time on their job and less time managing tools. The majority of our customers begin their GitLab journey by using our Source Code Management, Continuous Integration and Continuous Delivery (CI/CD) solutions, referred to as Create and Verify.

It helps teams attract and retain top talent by creating a superior developer experience that allows people to focus more time on their jobs and less time managing tools. The majority of our customers begin their GitLab journey by using our Source Code Management, Continuous Integration and Continuous Delivery (CI/CD) solutions, referred to as Create and Verify.

For IT system administrators and internal security teams this also means they have one application environment and authentication system to inspect and certify according to their team’s standards. Our Customers We serve organizations of all sizes across industries and regions. As of January 31, 2023, we had customers in over 140 countries.

We use our investor relations page on our website (https://ir.gitlab.com/), press releases, public conference calls, public webcasts, our Twitter account (@gitlab), our Facebook page, our LinkedIn page, our company news site (https://about.gitlab.com/press/) and our corporate blog (https://about.gitlab.com/blog/) as means of disclosing material nonpublic information and for complying with our disclosure obligations under Regulation FD.

We use our investor relations page on our website (https://ir.gitlab.com/), press releases, public conference calls, public webcasts, our X account (@gitlab), our Facebook page, our LinkedIn page, our company news site (https://about.gitlab.com/press/) and our corporate blog (https://about.gitlab.com/blog/) as means of disclosing material nonpublic information and for complying with our disclosure obligations under Regulation FD.

Investors should not rely on any such information in deciding whether to conduct any transactions involving our Class A common stock. Unless otherwise indicated, the terms “GitLab,” the “Company,” “we,” “us,” and “our” refer to GitLab Inc. and our subsidiaries, and our variable interest entity as “JiHu”.

Investors should not rely on any such information in deciding whether to conduct any transactions involving our Class A common stock. Unless otherwise indicated, the terms “GitLab,” the “Company,” “we,” “us,” and “our” refer to GitLab Inc., our subsidiaries, and our consolidated variable interest entity, “JiHu”.

Any updates to the list of disclosure channels through which we announce information will be posted on the investor relations page on our website. The contents of the websites referred to above are not incorporated into this Annual Report on Form 10-K.

Any updates to the list of disclosure channels through which we announce information will be posted on the investor relations page on our website. 18 Table of Contents The contents of the websites referred to above are not incorporated into this Annual Report on Form 10-K.

GitLab’s DevSecOps platform is used globally by teams of all sizes across a broad range of industries. To reach, engage and help drive success at each, we have strong partnerships with cloud hyperscalers, including Google Cloud and Amazon Web Services, or AWS, who offer GitLab on their marketplaces.

GitLab’s DevSecOps platform is used globally by teams of all sizes across a broad range of industries. To reach, engage, and help drive success broadly, we have strong partnerships with cloud hyperscalers, including Google Cloud and Amazon Web Services, or AWS, who offer GitLab on their marketplaces.

We seek to clearly and consistently articulate our monetization strategy on teams and organizations to provide predictability to both our customers as well as the community of contributors. Our open source approach is intended to increase our development velocity as the developer pool who contributes to our codebase is greater than the size of any single engineering team.

We seek to clearly and consistently articulate our monetization strategy on teams and organizations to provide predictability to both our customers as well as the community of contributors. 13 Table of Contents Our open source approach is intended to increase our development velocity as the developer pool who contributes to our codebase is greater than the size of any single engineering team.

Helps teams design, develop, and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value. GitLab repositories provide a scalable single source of truth for collaborating on projects and code which enables teams to be productive without disrupting their workflows. • Verify.

GitLab helps teams design, develop, and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value. GitLab repositories provide a scalable single source of truth for collaborating on projects and code, enabling teams to be productive without disrupting their workflows. • Verify.

As customers realize the benefits of a single application, they typically increase their spend with us by adding more users or purchasing higher tiered plans. As a result, for fiscal 2023 and fiscal 2022, our Dollar-Based Net Retention Rate was above 130% and above 152%, respectively.

As customers realize the benefits of a single application, they typically increase their spend with us by adding more users or purchasing higher-tiered plans. As a result, for fiscal 2024 and fiscal 2023, our Dollar-Based Net Retention Rate was 130% and above 130% , respectively.

Approaching work this way, we are able to rapidly get input from end-users who are actively using our platform, continuously revisit what we are doing with a fresher perspective, and gradually gain a greater 12 Table of Contents sense of visibility into what the end picture should look like.

Approaching work this way, we are able to rapidly get input from end-users who are actively using our platform, continuously revisit what we are doing with a fresher perspective, and gradually gain a greater sense of visibility into what the end picture should look like.

Available Information 18 Table of Contents We file electronically with the Securities and Exchange Commission, or the SEC, our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended.

Available Information We file electronically with the Securities and Exchange Commission, or the SEC, our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended.

Provides Static Application Security Testing, or SAST, Dynamic Application Security Testing, or DAST, Fuzz Testing, Container Scanning, and Dependency Scanning to help users deliver secure applications along with license compliance. • Release. Helps automate the release and delivery of applications, shortening the delivery lifecycle, streamlining manual processes, and accelerating team velocity.

GitLab provides Static Application Security Testing, or SAST, Dynamic Application Security Testing, or DAST, Fuzz Testing, Container Scanning, and Dependency Scanning to help customers deliver secure applications along with license compliance. • Release. GitLab helps automate the release and delivery of applications, shortening the delivery lifecycle, streamlining manual processes, and accelerating team velocity.

We also host and present at regional, national and global industry events. We offer our free tier and/or a free trial to prospective customers allowing them to try before they buy, allowing customers to see the strengths of The DevSecOps Platform and the business benefits.

We also host and present at regional, national and global industry events. 15 Table of Contents We offer our free tier and/or a free trial to prospective customers, allowing them to try before they buy, and allowing customers to see the strengths of The DevSecOps Platform and the business benefits.

Our Technology Our single application strategy means that we have one codebase to author, test, secure, package, and distribute. This also means that we are able to give users the most choice. Our customers can use a SaaS subscription or run The DevSecOps Platform themselves in a self-managed way in their own cloud environments.

Helps software teams fully embrace Continuous Integration, or CI, to automate the builds, integration, and verification of their code. GitLab’s CI capabilities enable automated accessibility, usability, performance testing, and code quality analysis to provide fast feedback to developers and testers about the quality of their code.

GitLab helps software engineering teams fully embrace Continuous Integration, or CI, to automate the builds, integration, and verification of their code. GitLab’s secure CI capabilities enable automated accessibility, usability, performance testing, and code quality analysis to provide fast feedback to developers and testers about the quality of their code.

We will continue to make many of our features open source or source-code available to encourage contributions, which in turn, accelerates our ability to innovate and provide a better platform to our customers. • Drive growth through enhanced sales and marketing.

We will continue to make many of our features open source or source code available to encourage contributions, which, in turn, accelerates our ability to innovate and provide a better platform to our customers. 10 Table of Contents • Drive growth through enhanced sales and marketing.

Through our commitment to open collaboration, we also have select technology and channel partners who increase efficient access to new customers and support growth of existing customers through trusted relationships, existing contracts, service delivery capability and capacity, and collaboration on large digital transformations.

Through our commitment to open collaboration, we also have select technology and channel partners who increase efficient access to new and existing customers, and support the existing customer growth through trusted relationships, existing contracts, service delivery capability and capacity, and collaboration on large digital transformations.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent contractors. None of our team members are represented by a labor union.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, 12 Table of Contents which in turn contracts with individual team members as independent contractors. None of our team members are represented by a labor union.

These are essentially third-party DIY DevOps and are not a single application. 16 Table of Contents We believe we compete favorably based on the following competitive factors: • ability to provide a single application that is purpose-built to span the entire DevSecOps lifecycle; • ability to rapidly innovate and consistently ship and release more features and versions of our software; • maturity of features in the Create (Source Code Management) and Verify (Continuous Integration) stages; • ability to run natively across any public cloud, private cloud, hybrid cloud, or on-premises environment; • ability to enable collaboration between developers, IT operations, and security teams; • ability to reduce handoffs, friction, and switching costs across different stages of the DevSecOps lifecycle; • ability to reduce software development times to release better software faster; • ability to consolidate multiple tools into a single platform; • ability to eliminate manual integrations that are costly and time-effective to maintain; • ability to provide a seamless, consistent, and single user experience through one user interface; • ability to deliver a large, engaging community of open source contributors; • performance, scalability, and reliability; • ability to implement more differentiated security and governance; • quality of service and overall customer satisfaction; and • strong documentation and transparency of information.

Furthermore, we believe we compete favorably based on the following factors: • ability to provide a single application that is purpose-built to span the entire DevSecOps lifecycle; • ability to rapidly innovate and consistently ship and release more features and versions of our software; • maturity of features in the Create (Source Code Management) and Verify (Continuous Integration) stages; • ability to run natively across any public cloud, private cloud, hybrid cloud, or on-premises environment; • ability to include AI features across the DevSecOps lifecycle: • ability to enable collaboration between developers, IT operations, and security teams; • ability to reduce handoffs, friction, and switching costs across different stages of the DevSecOps lifecycle; • ability to reduce software development times to release better software faster; • ability to consolidate multiple tools into a single platform; • ability to eliminate manual integrations that are costly and time-effective to maintain; • ability to provide a seamless, consistent, and single user experience through one user interface; • ability to deliver a large, engaging community of open source contributors; • performance, scalability, and reliability; 16 Table of Contents • ability to implement more differentiated security and governance; • quality of service and overall customer satisfaction; and • strong documentation and transparency of information.

With The DevSecOps Platform, our customers can often increase the number of their software releases from the tens to thousands and reduce the time it takes to release new software from months to days, helping them generate more revenue. • Reduce vulnerabilities and increase security.

With GitLab, our customers can often increase the number of their software releases from the tens to thousands and reduce the time it takes to release new software from months to days, helping them generate more revenue. • Reduce vulnerabilities and increase security.

Further, during the same period, we grew our $1.0 million ARR customers to 63 from 39, an increase of 62%. We have key reference customers across a breadth of industry verticals that we believe validate The DevSecOps Platform, and our customers range from small and medium-sized teams to Fortune 500 companies.

Further, during the same period, we grew our $1.0 million ARR customers to 96 from 63, an increase of 52%. We have key reference customers across a breadth of industry verticals that we believe validate The DevSecOps Platform, and our customers range from small and medium-sized teams to Fortune 500 companies.

This has also been a big contribution to enabling us to release a new version of our software for 136 months in a row and counting as of January 31, 2023. We believe our open source approach helps us acquire, retain, and grow our paying customer base.

This has also been a big contribution to enabling us to release a new version of our software for 148 months in a row and counting as of January 31, 2024 . We believe our open source approach helps us acquire, retain, and grow our paying customer base.

It helps Chief Technology Officers, or CTOs, modernize their software development and delivery environment and drive developer productivity. It helps Chief Information Officers, or CIOs, adopt microservices and cloud native development to improve the efficiency, scale, and performance of their software architecture. It helps Chief Information Security Officers, or CISOs, reduce security vulnerabilities without compromising speed to market.

It helps Chief Technology Officers, or CTOs, modernize their software development and delivery environment and drive developer productivity. It helps Chief Information Officers, or CIOs, adopt microservices and cloud native development to improve their software architecture’s efficiency, scale, and performance. It helps Chief Information Security Officers, or CISOs, reduce security vulnerabilities without compromising speed to market.

Human Capital Our Unique Culture and Values Our success is driven by our culture. We believe that our values and culture are a competitive advantage within our industry, and we will continue to invest time and resources in building our culture to 11 Table of Contents drive superior business results.

The DevSecOps Platform enables our customers to spend more time building, deploying, and securing software, and less time managing, integrating, and triaging across different tools. In a single application, each team member can follow the entire lifecycle from beginning to end with contextual history and understanding at each process.

GitLab enables our customers to spend more time building, deploying, and securing software and less time managing, integrating, and triaging across different tools. In a single application, each team member can follow the entire lifecycle from beginning to end with contextual history and understanding of each process.

As more stages are addressed within a single application, the benefits of The DevSecOps Platform are enhanced. 6 Table of Contents Innovation is a key differentiated competitive advantage. We have a dual flywheel innovation strategy that leverages both development spend from our research and development team members as well as community contributions via our open-core business model.

As more stages are addressed within a single application, the benefits of The DevSecOps Platform are enhanced. GitLab’s innovation strategy is a key differentiated competitive advantage. We have a dual flywheel innovation strategy that leverages both development efforts from our research and development team members as well as community contributions via our open-core business model.

From an end user standpoint, our single application strategy provides one consistent user interface across all stages of the DevSecOps lifecycle. We see this result in a manifold reduction in lifecycle time for software development teams. For integrators, GitLab has a single application programming interface (“API”) to write integrations against, as opposed to a fragmented tool chain.

From an end-user standpoint, our single application strategy provides one consistent user interface across all stages of the DevSecOps lifecycle. We see this result in a manifold reduction in lifecycle time for software development teams. For integrators, GitLab has a single application programming interface (“API”) to write integrations against instead of a fragmented toolchain.

With capabilities such as Value Streams Dashboard and Value Stream Analytics, GitLab is uniquely positioned to be the tool of choice for data-driven organization – enabling teams to understand software delivery performance and value to the business without complex configurations or data scientists.

With capabilities such as Value Streams Dashboard and Value Stream Analytics, GitLab is uniquely positioned to be the tool of choice for data-driven organizations – enabling 7 Table of Contents teams to understand software delivery performance and value to the business without complex configurations or data scientists.

We believe that we are in material compliance with such laws and regulations and do not expect continued compliance to have a material impact on our capital 17 Table of Contents expenditures, earnings, or competitive position.

We believe that we are in material compliance with such laws and regulations and do not expect continued compliance to have a material impact on our capital expenditures, earnings, or competitive position.

Organizations can deploy The DevSecOps Platform as a self-managed offering in their own hybrid-cloud, or on-premises environments, and as a SaaS offering is hosted in either the public cloud or in a private cloud based on the customer’s preference.

Organizations can deploy GitLab as a self-managed offering in their own hybrid cloud, or on-premises environments and as a SaaS offering hosted in either the public cloud or in a private cloud based on the customer’s preference.

The DevSecOps Platform replaces the DIY DevOps approach. It enables teams to realize the full potential of DevOps and become software-led businesses.

The DevSecOps Platform – pioneered by GitLab – replaces the DIY DevOps approach. It enables teams to realize the full potential of DevOps and become software-led businesses.

With feature flags, built-in auditing/traceability, on-demand environments, and GitLab Pages for static content delivery, users are able to deliver faster and with more confidence than ever before. • Configure. Helps teams to configure and manage their application environments. Strong integration to Kubernetes reduces the effort needed to define and configure the infrastructure required to support an application.

With feature flags, built-in auditing/traceability, on-demand environments, and GitLab Pages for static content delivery, users can deliver faster and more confidently than ever before. • Configure. GitLab helps software development and delivery teams to configure and manage their application environments. Strong integration to Kubernetes reduces the effort needed to define and configure the infrastructure required to support an application.

The DevSecOps Platform provides a single consolidated view of vulnerabilities across software increasing the efficiency of vulnerability management and remediation. This enables our customers to find and correct security vulnerabilities in their software earlier or eliminate inefficiencies in the software development process altogether. 9 Table of Contents • Enable audit and compliance.

GitLab provides a single consolidated view of vulnerabilities across software, increasing the efficiency of vulnerability management and remediation. This enables our customers to find and correct security vulnerabilities in their software earlier or eliminate inefficiencies in the software development process altogether. • Enable audit and compliance.

For the year ended January 31, 2023, more than 69% of our ARR came from public sector and enterprise customers. Our success has been exemplified by the growth in our $100,000 ARR customers to 697 as of January 31, 2023 from 492 as of January 31, 2022.

For the year ended January 31, 2024, more than 70% of our ARR came from public sector and enterprise customers. Our success has been exemplified by the growth in our $100,000 ARR customers to 955 as of January 31, 2024, from 697 as of January 31, 2023.

We generally enter into confidentiality agreements and invention or work product assignment agreements with our officers, team members, agents, contractors, and business partners to control access to, and clarify ownership of, our proprietary information. As of January 31, 2023, we had five issued patents and four pending patent applications in the United States and abroad.

We generally enter into confidentiality agreements and invention or work product assignment agreements with our officers, team members, agents, contractors, and business partners to control access to, and clarify ownership of, our proprietary information. 17 Table of Contents As of January 31, 2024 , we had ten issued patents and six pending patent applications in the United States and abroad.

During this period, we continued to invest in growing our business to capitalize on our market opportunity. The net loss attributable to GitLab was $172.3 million and $155.1 million in fiscal 2023 and fiscal 2022 , respectively.

During this period, we continued to invest in growing our business to capitalize on our market opportunity. The net loss attributable to GitLab was $424.2 million and $172.3 million in fiscal 2024 and fiscal 2023, respectively.

We grew our international revenue to $71.4 million for fiscal 2023 from $41.1 million for fiscal 2022, representing an increase of 73%. We intend to grow our international revenue by increasing our investments strategically in our internatio nal sales and marketing operations, including headcount in the EMEA and APAC regions.

We grew our international revenue to $106.9 million for fiscal 2024 from $71.4 million for fiscal 2023, representing an increase of 50%. We intend to grow our international revenue by strategically increasing our investments in internatio nal sales and marketing operations, including headcount in the EMEA and APAC regions.

Our values are a living document, and we encourage our team members to make suggestions to improve our company values constantly.

Our values are a living document, and we encourage our team 11 Table of Contents members to make suggestions to improve our company values constantly.

By leveraging the power of each, we create a virtuous cycle where more contributions lead to more features, which leads to more users, leading back to more contributions. We emphasize iteration to drive rapid innovation in our development strategy.

By leveraging the power 6 Table of Contents of each, we create a virtuous cycle where more contributions lead to more features, leading more users and more contributions. We emphasize iteration to drive rapid innovation in our development strategy.

Based on a 2022 study conducted by Forrester Consulting, commissioned by us and covering a limited number of our customers, the cost savings and business benefits achievable by deploying The DevSecOps Platform to revenue-generating applications can enable customers to deliver a 427% r eturn on investment within three years of deployment. • Embrace the benefits of a portable workload and multi-cloud strategy.

Based on a 2022 study conducted by Forrester Consulting, commissioned by us and covering a limited number of our customers, the cost savings and business benefits achievable by deploying GitLab to revenue-generating applications can enable customers to deliver a 427% r eturn on investment within three years of deployment, and a potential payback period of under 6 months. 9 Table of Contents • Embrace the benefits of a portable workload and multi-cloud strategy.

The DevSecOps Platform GitLab has pioneered The DevSecOps Platform, a single application that brings together development, operations, IT, security, and business teams to deliver desired business outcomes through efficient software development. It represents a step change in how teams plan, build, secure and deliver software. The DevSecOps Platform is built on a single codebase, unified data model, and user interface.

The DevSecOps Platform GitLab has pioneered The DevSecOps Platform, a single application that brings together development, operations, IT, security, and business teams to deliver better, more secure software faster. It represents a step change in how teams plan, develop, secure and deploy software. GitLab is built on a single codebase, unified data model, and user interface.

To further this mission, in September 2021, our board of directors approved the reservation of up to 1,635,545 shares of Class A common stock for the issuance to charitable organizations, to be further designated by our board of directors. To date, we have made no contributions.

To further this mission, in September 2021, our board of directors approved the reservation o f up to 1,635,545 shares of Class A common stock for the issuance to charitable organizations, to be further designated by our board of directors.

And, we have no preferential treatment for any specific cloud, which enables our customers to avoid vendor lock-in. • User Experience – GitLab has a superior user experience with an integrated platform enabling developers to prevent context switching. • Open Core Platform – GitLab is open core built with our customers creating a fast pace of innovation. 10 Table of Contents Our Growth Strategy We intend to invest in our business to advance adoption of The DevSecOps Platform.

Our cohort of customers generating $1.0 million or more in ARR grew to 63 as of January 31, 2023 from 39 as of January 31, 2022. Our business has experienced rapid growth. We generated revenue of $424.3 million and $252.7 million in fiscal 2023 and 2022 , respectively, representing growth of 68%.

Our cohort of customers generating $1.0 million or more in ARR grew to 96 as of January 31, 2024 from 63 as of January 31, 2023. Our business has experienced rapid growth. We generated revenue of $579.9 million and $424.3 million in fiscal 2024 and 2023, respectively, representing growth of 37%.

In 2022, nearly 800 people contributed more than 3,000 merge requests back to the core product, extending GitLab’s in-house R&D efforts and empowering our most passionate users to make improvements to the DevOps tool they use every day.

In calendar year 2023, nearly 700 people contributed more than 2,100 merge requests back to the core product, extending GitLab’s in-house R&D efforts and empowering our most passionate users to make improvements to the DevOps tool they use every day.

As of January 31, 2023 and 2022, our Dollar-Based Net Retention Rate was above 130% and above 152%, respectively. Our Base Customers grew to 7,002 as of January 31, 2023 from 4,593 as of January 31, 2022.

As of January 31, 2024 and 2023, our Dollar-Based Net Retention Rate was 130% and above 130%, respectively. Our Base Customers grew to 8,602 as of January 31, 2024 from 7,002 as of January 31, 2023.

The DevSecOps Platform is designed in a way that enables our customers to move their DevOps workflow across any hybrid or multi-cloud environment while maintaining full feature parity and a single application experience. The DevSecOps Platform is purpose-built to address every stage of the software development and delivery DevSecOps lifecycle: • Manage.

GitLab is designed to enable our customers to move their software development and delivery workflows across any hybrid or multi-cloud environment while maintaining full feature parity and a single application experience. GitLab’s DevSecOps platform is purpose-built and includes AI to address every stage of the software development lifecycle: • Manage.

Our all-remote culture helps us to practice our values. As an all-remote company, we are able to recruit from a wider, more diverse, and more uniquely skilled pool of talent across the world.

Our all-remote culture helps us to practice our values. As an all-remote company, we can recruit from a wider, more diverse, and uniquely skilled pool of talent across the world. • We seek to be transparent in everything we do.

We enable portfolio planning and management through epics, groups (programs) and milestones to organize and track progress. GitLab helps teams organize, plan, align, and track project work to ensure teams are working on the right things at the right time and maintain end to end visibility and traceability of issues throughout the delivery lifecycle from idea to production. • Create.

GitLab helps teams organize, plan, align, and track project work to ensure teams are working on the right things at the right time and maintain end-to-end visibility and traceability of issues throughout the delivery lifecycle from idea to production. • Create.

The private, secure, container, and package registries are built-in 8 Table of Contents and preconfigured out-of-the box to work seamlessly with GitLab source code management, or SCM, security scanners, and Continuous Integration/Continuous Delivery, or CI/CD, pipelines. • Secure.

The private, secure, container, and package registries are built-in and preconfigured out-of-the-box to work seamlessly with GitLab source code management, or SCM, security scanners, and Continuous Integration/Continuous Delivery, or CI/CD, pipelines. • Secure. GitLab’s offering is differentiated with built in, not bolted on, security capabilities.

By making non-sensitive information public, 5 Table of Contents we create a deeper level of trust with our customers and we make it easier to solicit contributions and collaboration from our users and customers.

By making non-sensitive information public, we create a deeper level of trust with our customers and make it easier to solicit contributions and collaboration from our users and customers. 5 Table of Contents We make our plans available through our self-managed and software-as-a-service (SaaS) offering.

As of January 31, 2023, more than 3,500 individuals have contributed to The DevSecOps Platform and since April 30, 2019, merge code contributions have averaged more than 250 per month. Because people outside of our organization can read our code, users can contribute to identifying and solving issues, which accelerates the time we can release new software to market.

As of January 31, 2024, more than 4,000 individuals have contributed to The DevSecOps Platform and since January 1, 2021, code contributions have averaged more than 259 per month. Because people outside of our organization can read our code, users can contribute to identifying and solving issues, which accelerates the time we can release new software to market.

Our open-core approach has enabled us to build trust with our customers, and to maintain our high velocity of innovation so that we can rapidly create the most comprehensive DevSecOps platform. GitLab exists today in large part thanks to the vast and growing community of open source contributors around the world.

Our open-core approach has enabled us to build trust with our customers and maintain our high velocity of innovation so that we can rapidly create the most comprehensive DevSecOps platform. GitLab largely exists today thanks to the vast and growing community of open source contributors worldwide. We actively work to grow open source community engagement by operating with transparency.

The DevSecOps Platform eliminates fragmented tools and point integrations that create blind spots and poor visibility across work streams. This allows compliance and audit teams to more easily log, track, and trace different steps across the DevSecOps lifecycle, better understand governance, and improve their compliance posture. • Boost team member morale and productivity.

GitLab eliminates fragmented tools and point integrations that create blind spots and poor visibility across work streams. This allows compliance and audit teams to more easily log, track, and trace different steps across the software delivery lifecycle, better understand governance, and improve their compliance posture. • Adopt AI throughout the software development lifecycle.

This iterative approach has enabled us to release a new version of our software on the 22 nd day of every month for 136 months in a row as of January 31, 2023. This is also due in part to our over 3,500 contributors in our global open source community as of January 31, 2023.

This iterative approach has enabled us to release a new version of our software every month for 148 months in a row as of January 31, 2024. This is also due in part to our over 4,000 contributors in our global open source community as of January 31, 2024.

Our operating cash flow margin, which we define as operating cash flows as a percentage of revenue, 7 Table of Contents was (18.2)% and (19.7)% for fiscal 2023 and fiscal 2022 , respectively. Our gross profit margin was 88% for each of fiscal 2023 and fiscal 2022.

Our operating cash flow margin, which we define as operating cash flows as a percentage of revenue, was 6.0% and (18.2)% for fiscal 2024 and fiscal 2023, respectively. Our gross profit margin was 90% and 88% for fiscal 2024 and fiscal 2023, respectively.

For more information regarding our customers, refer to the section titled “Business—Our Customers.” DevOps is the set of practices that combines software development (dev) and IT operations (ops). It allows teams to collaborate and work together to shorten the development lifecycle and evolve from delivering software on a slow, periodic basis to rapid, continuous updates.

GitLab and the Evolution of DevSecOps DevOps is the set of practices that combines software development (dev) and IT operations (ops). It allows teams to collaborate and work together to shorten the development lifecycle and evolve from delivering software on a slow, periodic basis to rapid, continuous updates.

Our subscription plans are available as a self-managed offering, where the customer installs GitLab in their own on-premise or hybrid cloud environment or a SaaS offering where the platform is managed by GitLab and hosted either in the public cloud or in a private cloud based on the customer’s preference.

Our subscription plans are available as a self-managed offering that customers download to run in their own on-premise environment or hybrid cloud environments, and also a SaaS offering that is managed by us and is hosted in either the public cloud or in a private cloud based on the customer’s preference.

We believe that our customer growth is best represented by the number of our Base Customers, which increased to 7,002 as of January 31, 2023 from 4,593 as of January 31, 2022. In 2019, we began to invest more heavily in our enterprise sales motion and have had strong success in attracting, retaining, and growing ARR from our larger customers.

We believe that our customer growth is best represented by the number of our Base Customers, which increased to 8,602 as of January 31, 2024 from 7,002 as of January 31, 2023. We are continuously investing in our enterprise sales motion and have achieved strong success in attracting, retaining, and growing ARR from our larger customers.

GitLab is available to any team, regardless of the size, scope, and complexity of their deployment. As a result, we have more than 30 million registered users and more than 50% of the Fortune 100 companies are GitLab customers.

GitLab also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance. GitLab is available to any team, regardless of the size, scope, and complexity of their deployment. As a result, we have more than 30 million registered users, and more than 50% of the Fortune 100 companies are GitLab customers.

Our platform is uniquely built as a single application and interface with a unified data model, enabling all stakeholders in the software delivery lifecycle – from development teams to operations teams to security teams – to work together in a single tool with a single workflow. With GitLab, they can build better, more secure software faster.

Our platform is uniquely built as a single application with native artificial intelligence, or AI, assisted workflows, and a single interface with a unified data model, enabling all stakeholders in the software delivery lifecycle – from development teams to operations teams to security teams – to work together in a single tool with a single workflow.

This helps to deliver outsized productivity gains, helping our customers increase their revenue, and generate greater profits. • Reduce costs by enhancing productivity, consolidating point tools, and eliminating integrations. The DevSecOps Platform fulfills the functionality of multiple point products, enabling teams to consolidate the number of tools they use.

This helps to deliver outsized productivity gains, helping our customers increase their revenue and generate greater profits. • Reduce costs through toolchain consolidation. GitLab’s unique DevSecOps platform approach provides the capabilities of multiple point products, enabling teams to consolidate the number of tools they use.

When considering buyers as part of product tiering decisions, we use the following guidance: • Premium is for team(s) usage, with the purchasing decision led by one or more managers or directors • Ultimate is for strategic organizational usage, with the purchasing decision led by one or more executives We want to be good stewards of our open source solution, so we aim to provide much of The DevSecOps Platform to the market for free.

When considering buyers as part of product tiering decisions, we use the following guidance: • Premium is for team(s) usage, with the purchasing decision led by one or more managers or directors • Ultimate is for strategic organizational usage, with the purchasing decision led by one or more executives We want to be good stewards of our open source solution, so we aim to ensure all stages of the DevOps lifecycle (plan, create, verify, package, release, configure, monitor) will have some open source features.

… 64 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

219 edited+34 added−38 removed312 unchanged

2023 filing

2024 filing

Biggest changeOur quarterly or annual financial results may fluctuate as a result of several factors, many of which are outside of our control and may be difficult to predict, including: • our ability to attract and retain new customers; • the addition or loss of material customers, including through acquisitions or consolidations; • the timing of recognition of revenues; • the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure; • general economic, industry and market conditions, in both domestic and our foreign markets, including increasing interest rates and inflation, the potential effects of health pandemics or epidemics global events, including the ongoing armed conflict in Ukraine; • customer renewal rates; • our ability to convert users of our free product offerings into subscribing customers; • increases or decreases in the number of elements of our services or pricing changes upon any renewals of customer agreements; • software development allocation decisions by customers; • seasonal variations in sales of our products; • the timing and success of new service introductions by us or our competitors or any other change in the competitive dynamics of our industry, including consolidation among competitors, customers or strategic partners; • decisions by potential customers to use products of our competitors; • the timing of expenses related to the development or acquisition of technologies or businesses and potential future charges for impairment of goodwill from acquired companies; • extraordinary expenses such as litigation or other dispute-related settlement payments or outcomes; 25 Table of Contents • future accounting pronouncements or changes in our accounting policies or practices; • negative media coverage or publicity; • political events; • the amount and timing of operating costs and capital expenditures related to the expansion of our business, in the U.S. and foreign markets; • the cost to develop and upgrade The DevSecOps Platform to incorporate new technologies; and • increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates.

Biggest changeOur quarterly or annual financial results may fluctuate as a result of several factors, many of which are outside of our control and may be difficult to predict, including: • our ability to attract and retain new customers; • the addition or loss of material customers, including through acquisitions or consolidations; • the timing of recognition of revenues; • the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure; • general economic, industry and market conditions, in both domestic and our foreign markets, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity 29 Table of Contents markets, and actual or perceived instability in the global banking sector, the potential effects of health pandemics or epidemics and other global events, including ongoing armed conflicts in different regions of the world; • customer renewal rates; • the timing and success of new service introductions by us or our competitors or any other change in the competitive dynamics of our industry, including consolidation among competitors, customers or strategic partners; • our ability to convert users of our free product offerings into subscribing customers; • increases or decreases in the number of elements of our services or pricing changes upon any renewals of customer agreements; • allocation of software development in customers’ budget; • seasonal variations in sales of our products; • decisions by potential customers to use products of our competitors; • the timing of expenses related to the development or acquisition of technologies or businesses and potential future charges for impairment of goodwill from acquired companies; • extraordinary expenses such as litigation or other dispute-related settlement payments or outcomes; • future accounting pronouncements or changes in our accounting policies or practices; • negative media coverage or publicity; • political events; • the amount and timing of operating costs and capital expenditures related to the expansion of our business, in the U.S. and foreign markets; • the cost to develop and upgrade The DevSecOps Platform to incorporate new technologies; and • increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates.

Our operating results may fluctuate significantly, which could make our future results difficult to predict and could adversely affect the trading price of our Class A common stock. Our operating results may vary significantly from period to period, which could adversely affect our business, operating results and financial condition.

Any security breach of The DevSecOps Platform, our operational systems, physical facilities, or the systems of our third-party processors, or the perception that a breach has occurred, could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, compulsory audits, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management’s attention, and other liabilities and damage to our business.

Any security breach of our DevSecOps platform, our operational systems, physical facilities, or the systems of our third-party processors, or the perception that a breach has occurred, could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, compulsory audits, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management’s attention, and other liabilities and damage to our business.

The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis, including our ability to provide enhancements and new features for our existing services or new services that achieve market acceptance or that keep pace with rapid technological developments and the competitive landscape.

The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis, including our ability to timely provide enhancements and new features for our existing services or new services that achieve market acceptance or that keep pace with rapid technological developments and the competitive landscape.

To the extent required by applicable law, we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions or equivalent instructions to the instructions of our customer (as applicable), and that they have sufficient technical and organizational security measures in place.

To the extent required by applicable law, we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions or equivalent instructions to that of our customer (as applicable), and that they have sufficient technical and organizational security measures in place.

Changing definitions of personal information and information may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Also, some jurisdictions require that certain types of data be retained on servers within these jurisdictions.

Changing definitions of personal data and information may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Also, some jurisdictions require that certain types of data be retained on servers within these jurisdictions.

As a new public company, the analysts who publish information about our Class A common stock will have had relatively little experience with our company, which could affect their ability to accurately forecast our results and make it more likely that we fail to meet their estimates.

As a relatively new public company, the analysts who publish information about our Class A common stock will have had relatively little experience with our company, which could affect their ability to accurately forecast our results and make it more likely that we fail to meet their estimates.

As supervisory authorities continue to issue further guidance on personal information (including regarding data export and circumstances in which we cannot use the standard contractual clauses), we could suffer additional costs, complaints, or regulatory investigations or fines, and if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.

As supervisory authorities continue to issue further guidance on personal data (including regarding data export and circumstances in which we cannot use the Standard Contractual Clauses), we could suffer additional costs, complaints, or regulatory investigations or fines, and if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.

If we are unable to find efficient ways to deploy our marketing spend or to hire, develop, and retain talent in numbers required to maintain and support our growth, if our new sales talent are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective, our ability to increase our customer base and achieve broader market acceptance of our services could be harmed.

If we are unable to find efficient ways to deploy our marketing spend or to hire, develop, and retain talent required to maintain and support our growth, if our new sales talent are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective, our ability to increase our customer base and achieve broader market acceptance of our services could be harmed.

Among other things, our restated certificate of incorporation and amended and restated bylaws include provisions that: • provide that our board of directors is classified into three classes of directors with staggered three-year terms; • permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships; • require supermajority voting to amend some provisions in our restated certificate of incorporation and amended and restated bylaws; • authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan; • provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders; • eliminate the ability of our stockholders to call special meetings of stockholders; • do not provide for cumulative voting; 58 Table of Contents • provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders; • provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets; • prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders; • provide that our board of directors is expressly authorized to make, alter, or repeal our amended and restated bylaws; and • establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.

Among other things, our restated certificate of incorporation and amended and restated bylaws include provisions that: • provide that our board of directors is classified into three classes of directors with staggered three-year terms; • permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships; • require supermajority voting to amend some provisions in our restated certificate of incorporation and amended and restated bylaws; • authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan; • provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders; • eliminate the ability of our stockholders to call special meetings of stockholders; • do not provide for cumulative voting; • provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders; • provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets; • prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders; • provide that our board of directors is expressly authorized to make, alter, or repeal our amended and restated bylaws; and • establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.

Our risks are likely to increase as we continue to expand The DevSecOps Platform, grow our customer base, and process, store, and transmit increasingly large amounts of proprietary and confidential data. We face heightened risk of security breaches because we use third-party open source technologies and incorporate a substantial amount of open source code in our products.

Our risks are likely to increase as we continue to expand The DevSecOps Platform, grow our customer base, and host, process, store, and transmit increasingly large amounts of proprietary and confidential data. We face heightened risk of security breaches because we use third-party open source technologies and incorporate a substantial amount of open source code in our products.

GDPR requires, among other things, that personal information only be transferred outside of the European Economic Area, or the E.E.A., or the U.K., respectively, to jurisdictions that have not been deemed adequate by the European Commission or by the U.K. data protection regulator, respectively, including the United States, if certain safeguards are taken to legitimize those data transfers.

GDPR requires, among other things, that personal data only be transferred outside of the European Economic Area, or the E.E.A., or the U.K., respectively, to jurisdictions that have not been deemed adequate by the European Commission or by the U.K. data protection regulator, respectively, including the United States, if certain safeguards are taken to legitimize those data transfers.

In order to protect our proprietary technologies and processes, we rely in part on trade secret laws and confidentiality agreements with our team members, licensees, independent contractors, commercial partners, and other advisors. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information.

In order to protect our proprietary technologies and processes, we rely in part on patent and trade secret laws and confidentiality agreements with our team members, licensees, independent contractors, commercial partners, and other advisors. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information.

Our agreements with certain customers may require us to use industry-standard or reasonable measures to safeguard sensitive personal information or confidential information. A security breach could lead to claims by our customers, their end-users, or other relevant stakeholders that we have failed to comply with such legal or contractual obligations.

Our agreements with certain customers may require us to use industry-standard or reasonable measures to safeguard sensitive personal data or confidential information. A security breach could lead to claims by our customers, their end-users, or other relevant stakeholders that we have failed to comply with such legal or contractual obligations.

Also, the Inflation Reduction Act of 2022 (the “IRA”), enacted on August 16, 2022, further amended the U.S. federal tax code, imposing a 15% minimum tax on “adjusted financial statement income” of certain corporations as well as an excise tax on the repurchase or redemption of stock by certain corporations, beginning in the 2023 tax year.

Also, the Inflation Reduction Act of 2022, enacted on August 16, 2022, further amended the U.S. federal tax code, imposing a 15% minimum tax on “adjusted financial statement income” of certain corporations as well as an excise tax on the repurchase or redemption of stock by certain corporations, beginning in the 2023 tax year.

If we are, or are perceived to be, not in compliance with data protection, consumer privacy, or other legal or regulatory requirements or operational norms bearing on the collection, processing, storage, or other treatment of data records, including personal information, our reputation and operating performance may suffer.

If we are, or are perceived to be, not in compliance with data protection, consumer privacy, or other legal or regulatory requirements or operational norms bearing on the collection, processing, storage, or other treatment of data records, including personal data, our reputation and operating performance may suffer.

We currently rely on a combination of copyright, trademark, trade secret, and unfair competition laws, as well as confidentiality agreements and procedures and licensing arrangements, to establish and protect our intellectual property rights. We have devoted substantial resources to the development of our proprietary technologies and related processes.

We currently rely on a combination of copyright, trademark, patent, trade secret, and unfair competition laws, as well as confidentiality agreements and procedures and licensing arrangements, to establish and protect our intellectual property rights. We have devoted substantial resources to the development of our proprietary technologies and related processes.

We have from time to time been, and are likely to in the future become, defendants in actual or threatened lawsuits brought by or on behalf of our current and former team members, competitors, governmental or regulatory bodies, or third parties who use The DevSecOps Platform.

We have from time to time been, and are likely to in the future become, defendants in actual or threatened lawsuits brought by or on behalf of our current and former team members, competitors, vendors, governmental or regulatory bodies, or third parties who use The DevSecOps Platform.

Risks Related to Our Business and Financial Position Our business and operations have experienced rapid growth, and if we do not appropriately manage future growth, if any, or are unable to improve our systems, processes and controls, our business, financial condition, results of operations, and prospects will be adversely affected.

Risks Related to Our Business and Financial Position Our business and operations have experienced rapid growth, and if we do not appropriately and effectively manage future growth, if any, or are unable to improve our systems, processes and controls, our business, financial condition, results of operations, and prospects will be adversely affected.

We may have to pay cash, incur debt, or issue equity securities to pay for any such acquisition or joint venture, each of which could affect our financial condition or the value of our capital stock and could result in dilution to our stockholders.

Further, we may have to pay cash, incur debt, or issue equity securities to pay for any such acquisition or joint venture, each of which could affect our financial condition or the value of our capital stock and could result in dilution to our stockholders.

In addition, job candidates and existing team members often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity or equity awards declines, it may adversely affect our ability to retain highly skilled team members.

In addition, job candidates and existing team members often consider the value of the benefits and equity awards they receive in connection with their employment. If the perceived value of our benefits, equity, or equity awards declines, it may adversely affect our ability to retain highly skilled team members.

In addition, our customers have no obligation to renew their subscriptions for our services after the expiration of the initial subscription period. A majority of our subscriptions are on a one-year period. Our customers may renew for fewer elements of our services or negotiate for different pricing terms.

In addition, our customers have no obligation to renew their subscriptions for our services after the expiration of the initial subscription period. A majority of our subscriptions are on a one-year period. Our customers may renew for fewer or other elements of our services or negotiate for different pricing terms.

In addition, we experience seasonal fluctuations in our financial results as we typically receive a higher percentage of our annual orders from new customers, as well as renewal orders from existing customers, in our last two fiscal quarters as compared to the first two fiscal quarters due to the annual budget approval process of many of our customers, the timing of our customers’ decisions to make a purchase, changes our customers experienced, or may experience, in their businesses, and other variables some of which are outside of our and our customers’ control, such as macroeconomic and general economic conditions, including inflation and increased interest rates.

Our current and future customers may demand more configuration and integration services, which increase our up-front investment in sales and deployment efforts, with no guarantee that these customers will increase the scope of their subscription.

Our current and future customers may demand more customized configuration and integration services, which increase our up-front investment in sales and deployment efforts, with no guarantee that these customers will increase the scope of their subscription.

Risk Related to Our International Operations We plan to continue expanding our international operations which could subject us to additional costs and risks, and our continued expansion internationally may not be successful. We plan to expand our operations internationally in the future.

Risks Related to Our International Operations We plan to continue expanding our international operations which could subject us to additional costs and risks, and our continued expansion internationally may not be successful. We plan to expand our operations internationally in the future.

Customers may demand more configuration and integration services, or customized features and functions that we do not offer, which could adversely affect our business and operating results.

Customers may demand more customized configuration and integration services, or custom features and functions that we do not offer, which could adversely affect our business and operating results.

In particular, the law is intended to protect the rights and interests of individuals, to regulate personal information processing activities, to safeguard the lawful and “orderly flow” of data, and to facilitate reasonable use of personal information.

In particular, the law is intended to protect the rights and interests of individuals, to regulate personal data processing activities, to safeguard the lawful and “orderly flow” of data, and to facilitate reasonable use of personal data.

Additional risks we may face in connection with acquisitions include: • diversion of management time and focus from operating our business to addressing acquisition integration challenges; 52 Table of Contents • coordination of research and development and sales and marketing functions; • integration of product and service offerings; • retention of key team members from the acquired company; • changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition; • integration of customers from the acquired company; • cultural challenges associated with integrating team members from the acquired company into our organization; • integration of the acquired company’s accounting, management information, human resources and other administrative systems; • the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies; • additional legal, regulatory or compliance requirements; • financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we do not adequately address and that cause our reported results to be incorrect; • liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities; • unanticipated write-offs or charges; and • litigation or other claims in connection with the acquired company, including claims from terminated team members, customers, former stockholders or other third parties.

We may face additional risks in connection with acquisitions and joint ventures, including: 37 Table of Contents • diversion of management time and focus from operating our business to addressing acquisition integration challenges; • coordination of research and development and sales and marketing functions; • integration of product and service offerings; • retention of key team members from the acquired company; • changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition; • integration of customers from the acquired company; • cultural challenges associated with integrating team members from the acquired company into our organization; • integration of the acquired company’s accounting, management information, human resources and other administrative systems; • the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies; • additional legal, regulatory or compliance requirements; • financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we do not adequately address and that cause our reported results to be incorrect; • liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities; • unanticipated write-offs or charges; and • litigation or other claims in connection with the acquired company, including claims from terminated team members, customers, former stockholders or other third parties.

Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock and therefore will be able to control all matters submitted to our stockholders for approval until the earlier of (i) October 14, 2031, (ii) the death or disability, as defined in our restated certificate of incorporation, of Sytse Sijbrandij, (iii) the date specified by a vote of the holders of two-thirds of the then outstanding shares of Class B common stock and (iv) the first date on which the number of shares of outstanding Class B common stock (including shares of Class B common stock subject to outstanding stock options) is less than 5% of the aggregate number of shares of outstanding common stock.

Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock and therefore will be able to control all matters submitted to our stockholders for approval until the earlier of (i) October 14, 2031, (ii) the death or disability, as defined in our restated certificate of incorporation, of Sytse Sijbrandij, (iii) the date specified 57 Table of Contents by a vote of the holders of two-thirds of the then outstanding shares of Class B common stock and (iv) the first date on which the number of shares of outstanding Class B common stock (including shares of Class B common stock subject to outstanding stock options) is less than 5% of the aggregate number of shares of outstanding common stock.

There are significant costs and risks inherent in conducting business in international markets, including: • establishing and maintaining effective controls at foreign locations and the associated increased costs; • adapting our technologies, products, and services to non-U.S. consumers’ preferences and customs; 47 Table of Contents • increased competition from local providers; • compliance with foreign laws and regulations; • adapting to doing business in other languages and/or cultures; • compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations; • compliance with anti-bribery laws, such as the FCPA and the U.K.

There are significant costs and risks inherent in conducting business in international markets, including: • establishing and maintaining effective controls at foreign locations and the associated increased costs; • adapting our technologies, products, and services to non-U.S. consumers’ preferences and customs; • increased competition from local providers; • compliance with foreign laws and regulations; • adapting to doing business in other languages and/or cultures; • compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations; • compliance with anti-bribery laws, such as the FCPA and the U.K.

Additionally, in November 2020, California passed the California Privacy Rights Act, or the CPRA, which expands the CCPA significantly, including by expanding consumers’ rights with respect to certain personal information and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply.

Additionally, in November 2020, California passed the California Privacy Rights Act, or the CPRA, which expands the CCPA significantly, including by expanding consumers’ rights with respect to certain personal data and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply.

Similarly, the European Commission and several countries have issued proposals that would apply to various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income taxes, including taxes based on a percentage of revenue.

Similarly, the European Union and several countries have issued proposals that would apply to various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income taxes, including taxes based on a percentage of revenue.

We believe that our ability to compete depends upon many factors both within and beyond our control, including the following: • the ability of our products or of those of our competitors to deliver the positive business outcomes prioritized and valued by our customers and prospects; • our ability to price our products competitively, including our ability to transition users of our free product offering to a paid version of The DevSecOps Platform; • the amount and quality of communications, postings, and sharing by our users on public forums, which can promote improvements on The DevSecOps Platform but may also lead to disclosure of commercially sensitive details; • the timing and market acceptance of services, including the developments and enhancements to those services offered by us or our competitors; • our ability to monetize activity on our services; • customer service and support efforts; • sales and marketing efforts; 22 Table of Contents • ease of use, performance and reliability of solutions developed either by us or our competitors; • our ability to manage our operations in a cost effective manner; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our product offering; • our reputation and brand strength relative to our competitors; • introduction of new technologies or standards that compete with or are unable to be adopted in our products; • ability to attract new team members or retain existing team members which could affect our ability to attract new customers, service existing customers, enhance our product or handle our business needs; • our ability to maintain and grow our community of users; and • the length and complexity of our sales cycles.

We believe that our ability to compete depends upon many factors both within and beyond our control, including the following: • the ability of our products or of those of our competitors to deliver the positive business outcomes prioritized and valued by our customers and prospects; • our ability to price our products competitively, including our ability to transition users of our free product offering to a paid version of The DevSecOps Platform; • the timing and market acceptance of services, including the developments and enhancements to those services offered by us or our competitors, including incorporation of AI into such services; 24 Table of Contents • the amount and quality of communications, postings, and sharing by our users on public forums, which can promote improvements on The DevSecOps Platform but may also lead to disclosure of commercially sensitive details; • our ability to monetize activity on our services; • customer service and support efforts; • sales and marketing efforts; • ease of use, performance and reliability of solutions developed either by us or our competitors; • our ability to manage our operations in a cost effective manner; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our product offering; • our reputation and brand strength relative to our competitors; • introduction of new technologies or standards that compete with or are unable to be adopted in our products; • ability to attract new team members or retain existing team members which could affect our ability to attract new customers, service existing customers, enhance our product or handle our business needs; • our ability to maintain and grow our community of users; and • the length and complexity of our sales cycles.

Over the last several years, the Organization for Economic Cooperation and Development has been working on a Base Erosion and Profit Shifting Project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business.

Over the last several years, the Organization for Economic Cooperation and Development, or the OECD, has been working on a Base Erosion and Profit Shifting project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business.

Recent macroeconomic conditions, including inflation and rising interest rates, have, and may continue to, put pressure on overall spending for our products and services, and may cause our customers to modify spending priorities or delay or abandon purchasing decisions, thereby lengthening sales cycles, and may make it difficult for us to forecast our sales and operating results and to make decisions about future investments.

Recent macroeconomic conditions, including inflation and volatile interest rates, have, and may continue to, put pressure on overall spending for our products and services, and may cause our customers to modify spending priorities or delay or abandon purchasing decisions, thereby lengthening sales cycles, and may make it difficult for us to forecast our sales and operating results and to make decisions about future investments.

Any impediments to preserving our corporate culture and fostering 46 Table of Contents collaboration could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, and execute on our business strategy. Unfavorable media coverage could negatively impact our business. We receive a high degree of media coverage, including due to our commitment to transparency.

Any impediments to preserving our corporate culture and fostering collaboration could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, and execute on our business strategy. 48 Table of Contents Unfavorable media coverage could negatively impact our business. We receive a high degree of media coverage, including due to our commitment to transparency.

Our participation in this joint venture in China is subject to general, as well as industry-specific, economic, political and legal developments and risks in China.

Our participation in this joint venture in China is subject to general, as well as industry-specific, economic, political, tax, and legal developments and risks in China.

The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new privacy rights such as the ability to opt out of certain sales of personal information and expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used and shared.

The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new privacy rights such as the ability to opt out of certain sales of personal data and expanded rights to access and deletion of their personal data, opt out of certain personal data sharing, and receive detailed information about how their personal data is collected, used and shared.

There are numerous federal, state, local and foreign laws regarding privacy and the storing, sharing, access, use, processing, disclosure and protection of personal information, personal data and other customer data, the scope of which are changing, subject to differing interpretations, and which may be inconsistent among countries or conflict with other rules.

There are numerous federal, state, local and foreign laws regarding privacy and the storing, sharing, access, use, processing, disclosure and protection of personal data and other customer data, the scope of which is changing, subject to differing interpretations, and which may be inconsistent among countries or conflict with other rules.

If there is a decline in the number of contributors, customer or contributor growth rate or engagement, including as a result of the loss of influential contributors and companies who provide innovative code on GitLab, paying customers 43 Table of Contents of our online services may be deterred from using our products or services or reduce their spending with us or cease doing business with us, which would harm our business and operating results.

If there is a decline in the number of contributors, customer or contributor growth rate or engagement, including as a result of the loss of influential contributors and companies who provide innovative code on GitLab, paying customers of our online services may be deterred from using our products or services or reduce their spending with us or cease doing business with us, which would harm our business and operating results.

Any security breach or disruption could result in the loss or destruction of or unauthorized access to, or use, alteration, disclosure, or acquisition of confidential and personal information, which may result in damage to our reputation, early termination of our contracts, litigation, regulatory investigations or other liabilities.

Any security breach or disruption could result in the loss or destruction of or unauthorized access to, or use, alteration, disclosure, or acquisition of confidential and/or personal data, which may result in damage to our reputation, early termination of our contracts, litigation, regulatory investigations or other liabilities.

Outside of the United States, we currently have direct and indirect subsidiaries in the United Kingdom, Netherlands, Germany, France, Ireland, Japan, South Korea, Canada, Singapore, and Australia and have team members in over 60 countries. We also have a joint venture in China.

Outside of the United States, we currently have direct and indirect subsidiaries in Canada, Germany, France, Ireland, the Netherlands, Spain, the United Kingdom, Australia, India, Japan, South Korea, and Singapore, and have team members in over 60 countries. We also have a joint venture in China.

Natural disasters, pandemics, and epidemics, or other catastrophic events such as fire or power shortages, along with man-made problems such as acts of war and terrorism, including the war in Ukraine, and other events beyond our control may cause damage or disruption to our operations, international commerce, and the global economy, and could have an adverse effect on our business, operating results, and financial condition.

Natural disasters, pandemics, and epidemics, or other catastrophic events such as fire or power shortages, along with man-made problems such as acts of war and terrorism, and other events beyond our control may cause damage or disruption to our operations, international commerce, and the global economy, and could have an adverse effect on our business, operating results, and financial condition.

Additionally, we are subject to the California Consumer Privacy Act, or the CCPA, which came into effect in 2020 and increases privacy rights for California consumers and imposes obligations on companies that process their personal information.

As of January 31, 2023, the holders of our outstanding Class B common stock hold a substantial majority of the voting power of our outstanding capital stock, with our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, holding a majority of the voting power of our capital stock.

As of January 31, 2024, the holders of our outstanding Class B common stock hold a substantial majority of the voting power of our outstanding capital stock, with our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, holding a majority of the voting power of our capital stock.

Any failure or perceived failure by us to comply with applicable privacy and data security laws and regulations, our privacy policies, or our privacy-related obligations to users or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal information or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which would have an adverse effect on our reputation and business.

Any failure or perceived failure by us to comply with applicable privacy and data security laws and regulations, our privacy policies, or our privacy-related obligations to users or other third parties, or any compromise of 42 Table of Contents security that results in the unauthorized release or transfer of personal data or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which would have an adverse effect on our reputation and business.

If the project committees and contributors fail to adequately further develop and enhance open source technologies, or if the leadership committees fail to oversee and guide the evolution of the open source technologies in the manner that we believe is appropriate to maximize the market potential of our offerings, then we would have to rely on other parties, or we would need to expend additional resources, to develop and enhance our offerings.

If the project committees and contributors fail to adequately further develop and enhance open source technologies, or if the leadership committees fail to oversee and guide the evolution of the open source technologies in the manner that we believe is appropriate to maximize the market potential of our offerings, then we would have to rely on other parties, or we would need to 35 Table of Contents expend additional resources, to develop and enhance our offerings.

Risks Related to Financial and Accounting Matters We have identified material weaknesses in our internal controls over financial reporting and if our remediation of such material weaknesses is not effective, or if we fail to develop and maintain an effective system of disclosure controls and internal controls over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.

Risks Related to Financial and Accounting Matters We have identified a material weakness in our internal controls over financial reporting and if our remediation of such material weakness is not effective, or if we fail to develop and maintain an effective system of disclosure controls and internal controls over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.

If we incur more debt it would result in increased fixed obligations and could also subject us to covenants or 36 Table of Contents other restrictions that would impede or may be beyond our ability to manage our operations. Additionally, we may receive indications of interest from other parties interested in acquiring some or all of our business.

If we incur more debt it would result in increased fixed obligations and could also subject us to covenants or other restrictions that would impede or may be beyond our ability to manage our operations. Additionally, we may receive indications of interest from other parties interested in acquiring some or all of our business.

If we cannot adequately monitor the use of our technologies and products, or enforce our intellectual property rights in China or contractual restrictions relating to use of our intellectual property by Chinese companies, our revenue from JiHu could be adversely affected. Our joint venture is subject to laws and regulations applicable to foreign investment in China.

If we cannot adequately monitor the use of our technologies and products, or enforce our intellectual property rights in China or 50 Table of Contents contractual restrictions relating to use of our intellectual property by Chinese companies, our revenue from JiHu could be adversely affected. Our joint venture is subject to laws and regulations applicable to foreign investment in China.

Paying customers may decline or fluctuate as a result of a number of factors, including their satisfaction with our services and our end-customer support, the frequency and severity of product outages, our product uptime or latency, their satisfaction with the speed of delivering new features, the pricing of our, or competing, services, and the impact of macroeconomic conditions on our customers and their corporate spending.

Paying customers 28 Table of Contents may decline or fluctuate as a result of a number of factors, including their satisfaction with our services and our end-customer support, the frequency and severity of product outages, our product uptime or latency, their satisfaction with the speed of delivering new features, the pricing of our, or competing, services, and the impact of macroeconomic conditions on our customers and their corporate spending.

We also issue equity to a substantial portion of our team members, including team members engaged through PEOs and to independent contractors, and must ensure we remain compliant with securities laws of the applicable jurisdiction where such team members are located. Additionally, in some cases, we contract directly with team members who are independent contractors.

We also issue equity to a substantial portion of our team members, including team members engaged through PEOs and to independent contractors, and must ensure we 47 Table of Contents remain compliant with securities laws of the applicable jurisdiction where such team members are located. Additionally, in some cases, we contract directly with team members who are independent contractors.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the applicable listing standards of the Nasdaq Global Select Market. 49 Table of Contents The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the applicable listing standards of the Nasdaq Global Select Market. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting.

Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach. A security breach may cause us to breach customer contracts.

All of these efforts will require us to invest significant financial and other resources.

All of these efforts will require us to invest financial and other resources.

To comply with the requirements of being a public company, we have undertaken, and may need to further undertake in the future, various actions, such as implementing new internal controls and procedures and hiring additional accounting staff. As a public company, significant resources and management oversight are required.

To comply with the requirements of being a public company, we have undertaken, and may need to further 52 Table of Contents undertake in the future, various actions, such as implementing new internal controls and procedures and hiring additional accounting staff. As a public company, significant resources and management oversight are required.

With respect to E.U. and U.K. team members, contractors and other personnel, as well as for our customers’ and prospective customers’ personal data, such as contact and business information, we are subject to the E.U. General Data Protection Regulation, or the GDPR, and applicable national implementing legislation of the GDPR, and the U.K. General Data Protection Regulation and U.K.

With respect to E.U. and U.K. team members, contractors and other personnel, as well as for our customers’ and prospective customers’ personal data, such as contact and business information, we are subject to the E.U. General Data Protection Regulation, or the GDPR, and applicable national 39 Table of Contents implementing legislation of the GDPR, and the U.K.

GDPR impose stringent data protection requirements and, where we are acting as a controller, includes requirements to: provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrate that an appropriate legal basis is in place or otherwise exists to justify data processing activities; grant rights for data subjects in regard to their personal data including the right to be “forgotten,” the right to data portability and data subject access requests; notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; define pseudonymized (key-coded) data; limit the retention of personal data; maintain a record of data processing; and comply with the principle of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit.

GDPR impose stringent data protection requirements and, where we are acting as a controller, includes requirements to: provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrate that an appropriate legal basis is in place or otherwise exists to justify data processing activities; grant rights for data subjects in regard to their personal data including the right to be “forgotten,” the right to data portability, the right to correct personal data, and the right to access personal data; notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; define pseudonymized (key-coded) data; limit the retention of personal data; maintain a record of data processing; and comply with the principle of accountability and the obligation to demonstrate compliance through policies, procedures, trainings and audits.

The dual class structure of our common stock will have the effect of concentrating voting control with those stockholders who hold our Class B capital stock, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate 65.8% of the voting power of our capital stock, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.

The dual class structure of our common stock will have the effect of concentrating voting control with those stockholders who hold our Class B capital stock, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate a majority of the voting power of our capital stock, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.

Bribery Act, by us, our team members, our service providers, and our business partners; • difficulties in staffing and managing global operations and the increased travel, infrastructure, and compliance costs associated with multiple international locations; • complexity and other risks associated with current and future foreign legal requirements, including legal requirements related to data privacy frameworks, such as the GDPR and U.K.

Bribery Act, by us, our team members, our service providers, and our business partners; 49 Table of Contents • difficulties in staffing and managing global operations and the increased travel, infrastructure, and compliance costs associated with multiple international locations; • complexity and other risks associated with current and future foreign legal requirements, including legal requirements related to data privacy frameworks, such as the GDPR and U.K.

You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and our consolidated financial statements and the accompanying notes included elsewhere in this Annual Report before making a decision to invest in our Class A common stock.

You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and our consolidated financial statements and the accompanying notes included elsewhere in this Annual Report on Form 10-K before making a decision to invest in our Class A common stock.

As the markets for our services mature, or as new competitors introduce new products or services that are similar to or compete with ours, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically.

As our product offerings and the markets for our services mature, or as new competitors introduce new products or services that are similar to or compete with ours, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically.

If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, limit the effectiveness of our marketing activities, divert the attention of our technology 39 Table of Contents personnel, adversely affect our margins, increase costs and subject us to additional liabilities.

If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities.

Moreover, some customers may demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be 26 Table of Contents required to reduce our prices or provide more features without corresponding increases in price, which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.

Moreover, some customers may demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be required to reduce our prices or provide more features without corresponding increases in price, which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.

In addition, an increase in the use of online and social media for product promotion and marketing may increase the burden on us to monitor compliance of such 24 Table of Contents materials and increase the risk that such materials could contain problematic product or marketing claims in violation of applicable regulations.

In addition, an increase in the use of online and social media for product promotion and marketing may increase the burden on us to monitor compliance of such materials and increase the risk that such materials could contain problematic product or marketing claims in violation of applicable regulations.

In addition, we could face additional risks resulting from changes in China’s data privacy and cybersecurity requirements, including China’s adoption of the Personal Information Protection Law, or PIPL, which went into effect on 48 Table of Contents November 1, 2021.

Factors that could cause fluctuations in the market price of our Class A common stock include the following: • actual or anticipated changes or fluctuations in our operating results; • the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections; • announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments; • industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC; • rumors and market speculation involving us or other companies in our industry; • price and volume fluctuations in the overall stock market from time to time; 55 Table of Contents • changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; • failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors; • actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally; • litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors; • developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights; • announced or completed acquisitions of businesses or technologies by us or our competitors; • new laws or regulations or new interpretations of existing laws or regulations applicable to our business; • the impact of interest rate increases on the overall stock market and the market for technology company stocks; • any major changes in our management or our board of directors; • effects of public health crises, pandemics, and epidemics; • general economic conditions, changes in the capital markets generally, inflation and slow or negative growth of our markets; and • other events or factors, including those resulting from war, incidents of terrorism or responses to these events, including those related to the ongoing armed conflict in Ukraine.

Factors that could cause fluctuations in the market price of our Class A common stock include the following: • actual or anticipated changes or fluctuations in our operating results; • the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections; • announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments; • industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC; • rumors and market speculation involving us or other companies in our industry; • price and volume fluctuations in the overall stock market from time to time; • changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; • failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors; • actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally; • litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors; • developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights; • announced or completed acquisitions of businesses or technologies by us or our competitors; • new laws or regulations or new interpretations of existing laws or regulations applicable to our business; 56 Table of Contents • the impact of interest rate increases on the overall stock market and the market for technology company stocks; • any major changes in our management or our board of directors; • effects of public health crises, pandemics, and epidemics; • general economic conditions, changes in the capital markets generally, inflation, slow or negative growth of our markets and instability in the global banking sector; and • other events or factors, including those resulting from political instability, war, incidents of terrorism or responses to these events, including those related to the ongoing armed conflicts in different regions of the world.

In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our products or could limit our end-customers’ ability to implement our products in those countries.

In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our 43 Table of Contents products or could limit our end-customers’ ability to implement our products in those countries.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis.

The European Data Protection Board issued additional guidance regarding the 38 Table of Contents CJEU’s decision in November 2020, which imposes higher burdens on the use of data transfer mechanisms, such as the Standard Contractual Clauses, for cross-border data transfers.

The European Data Protection Board issued additional guidance regarding the CJEU’s decision in November 2020, which imposes higher burdens on the use of data transfer mechanisms, such as the Standard Contractual Clauses, for cross-border data transfers.

Any violation of data or security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties under the GDPR and the U.K. GDPR outlined above.

Any violation of data or 41 Table of Contents security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties under the GDPR and the U.K. GDPR outlined above.

Those Trade Controls, which are unprecedented and expansive, continue to evolve and further restrict our ability to do business in that region. Processing payments from those customers, even when legally permissible, has become very 41 Table of Contents difficult, in part because most U.S. and E.U. banks are unwilling to facilitate those transactions.

Those Trade Controls, which are unprecedented and expansive, continue to evolve and further restrict our ability to do business in that region. Processing payments from those customers, even when legally permissible, has become very difficult, in part because most U.S. and E.U. banks are unwilling to facilitate those transactions.

Our failure to address these risks or other problems encountered in connection with acquisitions and investments could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities, and harm our business generally.

Our failure to address these risks or other problems encountered in connection with acquisitions activities and joint ventures could cause us to fail to realize the anticipated benefits of these acquisitions, investments or joint ventures, cause us to incur unanticipated liabilities, and harm our business generally.

While we consistently evaluate opportunities to reduce our operating costs and optimize efficiencies, including, for example, through our workforce reduction in February 2023, we cannot guarantee that these efforts will be successful or that we will not re-accelerate operating expenditures in the future in order to capitalize on growth opportunities.

While we consistently 21 Table of Contents evaluate opportunities to reduce our operating costs and optimize efficiencies, including, for example, through our workforce reduction in February 2023, we cannot guarantee that these efforts will be successful or that we will not re-accelerate operating expenditures in the future in order to capitalize on growth opportunities.

In the United States and other countries where we conduct business and in jurisdictions in which we are subject to taxes, including those covered by governing bodies that enact tax laws applicable to us, such as the European Commission of the European Union, we are subject to potential changes in relevant tax, accounting and other laws, regulations, guidance, and interpretations, including changes to tax laws applicable to corporate multinationals such as GitLab.

In the United States and other countries where we conduct business and in jurisdictions in which we are subject to taxes, including those covered by governing bodies that enact tax laws applicable to us, we are subject to potential changes in relevant tax, accounting and other laws, regulations, guidance, and interpretations, including changes to tax laws applicable to corporate multinationals such as GitLab.

Our failure to comply with the PIPL may result in enforcement action against us, 40 Table of Contents including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.

Our failure to comply with the PIPL may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent 45 Table of Contents contractors. In all locations where we utilize PEOs, we rely on those PEOs to comply with local employment laws and regulations.

We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent contractors. In all locations where we utilize PEOs, we rely on those PEOs to comply with local employment laws and regulations.

Data Protection Act 2018, or the U.K. GDPR, respectively. We are a controller with respect to this data. The GDPR and U.K.

General Data Protection Regulation and U.K. Data Protection Act 2018, or the U.K. GDPR, respectively. We are a controller with respect to this data. The GDPR and U.K.

As a result, the dual class structure of our common stock may prevent the inclusion of our Class A common stock in such indices, may cause stockholder advisory firms to publish negative commentary about our corporate governance practices or otherwise seek to cause us to change our capital structure, and may result in large institutional investors not purchasing shares of our Class A common stock.

As a result, the dual class structure of our common stock may cause stockholder advisory firms to publish negative commentary about our corporate governance practices or otherwise seek to cause us to change our capital structure, and may result in large institutional investors not purchasing shares of our Class A common stock.

Because of the large amount of data that our customers collect and manage by means of our services, it is possible that failures or errors in our systems could result in data loss or corruption, or cause the information that we or our customers collect to be incomplete or contain inaccuracies that our customers regard as material.

Because of the (nature and importance of the data) that our customers collect and manage by means of our services, it is possible that failures or errors in our systems could result in data loss or corruption, and/or cause the information that we or our customers collect to be incomplete or contain inaccuracies that our customers regard as material.

… 211 more changes not shown on this page.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

1 edited+1 added−1 removed1 unchanged

2023 filing

2024 filing

Biggest changeWe are not presently a party to any legal proceedings that in the opinion of our management, if determined adversely to us, would individually or taken together have a material adverse effect on our business, financial condition or operating results. 62 Table of Contents The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.

Removed

The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors. ITEM 4. MINE SAFETY DISCLOSURES None. 61 Table of Contents PART II

Added

ITEM 4. MINE SAFETY DISCLOSURES None. 63 Table of Contents PART II

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

4 edited+1 added−4 removed5 unchanged

2023 filing

2024 filing

Biggest changeThis performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act. ITEM 6. [RESERVED] 63 Table of Contents

Biggest changeThe comparisons are based on historical data and are not indicative of, nor intended to forecast, the future performance of our Class A common stock. 64 Table of Contents This performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act.

Issuer Purchases of Equity Securities None. 62 Table of Contents Stock Performance Graph The graph below compares the cumulative total stockholder return on our Class A common stock from October 14, 2021 (the date our Class A common stock commenced trading on Nasdaq) through January 31, 2023 with the cumulative total return on the S&P 500 Index and the S&P 500 Information Technology Index.

Stock Performance Graph The graph below compares the cumulative total stockholder return on our Class A common stock from October 14, 2021 (the date our Class A common stock commenced trading on Nasdaq) through January 31, 2024 with the cumulative total return on the S&P 500 Index and the S&P 500 Information Technology Index.

Our Class B common stock is not listed or traded on any exchange. Holders of Record As of March 20, 2023, there were 8 holders of record of our Class A common stock and 157 holders of record of our Class B common stock.

Our Class B common stock is not listed or traded on any exchange. Holders of Record As of March 15, 2024, there were 14 holders of record of our Class A common stock and 65 holders of record of our Class B common stock.

All values assume a $100 initial investment and data for the S&P 500 Composite Index and the S&P Information Technology Index assume reinvestment of dividends. The comparisons are based on historical data and are not indicative of, nor intended to forecast, the future performance of our Class A common stock.

All values assume a $100 initial investment and data for the S&P 500 Composite Index and the S&P Information Technology Index assume reinvestment of dividends.

Removed

Use of Proceeds On October 18, 2021, we closed our initial public offering, or IPO, of 8,940,000 shares of our Class A common stock at an offering price of $77.00 per share, including 520,000 shares pursuant to the exercise of the underwriters’ option to purchase additional shares of our Class A common stock, resulting in net proceeds to us of $654.6 million, after deducting underwriting discounts of $33.8 million.

Added

Use of Proceeds None. Issuer Purchases of Equity Securities None.

Removed

All of the shares issued and sold in our IPO were registered under the Securities Act pursuant to a registration statement on Form S-1 (File No. 333-259602), which was declared effective by the SEC on October 13, 2021. As of such date, we also incurred offering costs of $4.7 million.

Removed

No payments were made to our directors or officers or their associates, holders of 10% or more of any class of our equity securities, or to our affiliates in connection with the issuance and sale of the securities registered.

Removed

There has been no material change in the planned use of proceeds from our IPO from those disclosed in the Final Prospectus for our IPO dated as of October 13, 2021 and filed with the SEC pursuant to Rule 424(b)(4) on October 14, 2021.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

87 edited+23 added−14 removed29 unchanged

2023 filing

2024 filing

Biggest changeStock-Based Compensation Expense Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Cost of revenue $ 5,078 $ 1,300 $ 3,778 291 % Research and development 36,325 8,305 28,020 337 Sales and marketing 48,001 10,550 37,451 355 General and administrative 33,163 9,854 23,309 237 Total stock-based compensation expense $ 122,567 $ 30,009 $ 92,558 308 % Stock-based compensation expense increased by $92.6 million, to $122.6 million for fiscal 2023 from $30.0 million for fiscal 2022, primarily due to a $60.9 million expense from restricted stock units, or RSUs, we started granting since December 2021 and $20.5 million expense from our 2021 Employee Stock Purchase Plan, or ESPP, introduced in November 2021.

Biggest changeJoint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 74 Table of Contents Stock-Based Compensation Expense Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Cost of revenue $ 6,400 $ 5,078 $ 1,322 26 % Sales and marketing 68,766 48,001 20,765 43 Research and development 50,804 36,325 14,479 40 General and administrative 37,079 33,163 3,916 12 Total stock-based compensation expense $ 163,049 $ 122,567 $ 40,482 33 % Stock-based compensation expense increased by $40.5 million, to $163.0 million for fiscal 2024 from $122.6 million for fiscal 2023, primarily due to a n increase of $56.0 million of expense from RSUs, offset by a decrease of $6.6 million related to our ESPP and a decrease of $9.2 million in the stock-based compensation of our variable interest entity.

Overview In today’s world, software defines the speed of innovation. Every industry, business, and function within a company is dependent on software. To remain competitive and survive, nearly all companies must digitally transform and become experts at building, delivering, and securing software.

Overview In today’s world, software defines the speed of innovation. Every industry, business, and every function within a company is dependent on software. Nearly all companies must digitally transform and become experts at building, delivering, and securing software to remain competitive and survive.

Across every industry – and across companies of every size – technology leaders want to make developers more productive so they can deliver better products faster; they want to measure productivity so they can increase operational efficiency; they want to secure the software supply chain so they can reduce security and compliance risk; and, they want to accelerate secure cloud migration, so they can unlock digital transformation results.

Dollar-Based Net Retention Rate and ARR We believe that our ability to retain and expand our revenue generated from our existing customers is an indicator of the long-term value of our customer relationships and our potential future business opportunities. Dollar-Based Net Retention Rate measures the percentage change in our ARR derived from our customer base at a point in time.

Dollar-Based Net Retention Rate We believe that our ability to retain and expand our revenue generated from our existing customers is an indicator of the long-term value of our customer relationships and our potential future business opportunities. Dollar-Based Net Retention Rate measures the percentage change in our ARR derived from our customer base at a point in time.

Financing Activities Cash provided by financing activities during fiscal 2023 was $97.5 million, primarily attributable to $61.7 million of contributions received from noncontrolling interests, $24.5 million of proceeds from the issuance of common stock upon stock options exercises, and $14.4 million of proceeds from the issuance of common stock under our ESPP, offset by the partial settlement of acquisition related contingent consideration of $3.1 million.

Cash provided by financing activities during fiscal 2023 was $97.5 million, primarily attributable to $61.7 million of contributions received from noncontrolling interests, $24.5 million of proceeds from the issuance of common stock upon stock options exercises, and $14.4 million of proceeds from the issuance of common stock under our ESPP, offset by the partial settlement of acquisition related contingent consideration of $3.1 million.

The typical term of a subscription contract for self-managed or SaaS offering is one to three years. License - self-managed and other The license component of our self-managed subscriptions reflects the revenue recognized by providing customers with access to proprietary software features. License revenue is recognized up-front when the software license is made available to our customer.

The typical term of a subscription contract for SaaS offering is one to three years. License - self-managed and other The license component of our self-managed subscriptions reflects the revenue recognized by providing customers with access to proprietary software features. License revenue is recognized up-front when the software license is made available to our customers.

Contractual Obligations and Commitments For more information regarding our contractual obligations, refer to “Note 14. Commitments and Contingencies” to our consolidated financial statements . Critical Accounting Estimates We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States of America. In doing so, we have to make estimates and assumptions.

Contractual Obligations and Commitments For more information regarding our contractual obligations, refer to “Note 15. Commitments and Contingencies” to our consolidated financial statements . Critical Accounting Estimates We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States of America. In doing so, we have to make estimates and assumptions.

Our primary uses of cash from operating activities are for personnel-related expenses, sales and marketing expenses, third-party cloud infrastructure expenses, and overhead expenses. We have generated negative cash flows from operating activities and have supplemented working capital through net proceeds from the issuance of equity securities.

Our primary uses of cash from operating activities are for personnel-related expenses, sales and marketing expenses, third-party cloud infrastructure expenses, and overhead expenses. We have generated positive cash flows from operating activities and have supplemented working capital through net proceeds from the issuance of equity securities.

For purposes of determining our Base Customers, a single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. GitLab is the only DevSecOps platform built on an open-core business model. We enable any customer and contributor to add functionality to our platform.

For purposes of determining our Base Customers, a single 66 Table of Contents organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. GitLab is the only DevSecOps platform built on an open-core business model. We enable any customer and contributor to add functionality to our platform.

We expect that our general and administrative expenses will increase in absolute dollars as our business grows but will decrease as a percentage of our total revenue over time, although our general and administrative expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.

We expect that our general and administrative expenses will 69 Table of Contents increase in absolute dollars as our business grows but will decrease as a percentage of our total revenue over time, although our general and administrative expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.

As of January 31, 2023 2022 2021 $100,000 ARR customers 697 492 283 Components of Our Results of Operations Revenue Subscription - self-managed and SaaS Subscription - self-managed Our self-managed subscriptions include support, maintenance, upgrades, and updates on a when-and-if-available basis. Revenue for self-managed subscriptions is recognized ratably over the contract period based on the stand-ready nature of subscription elements.

As of January 31, 2024 2023 2022 $100,000 ARR customers 955 697 492 Components of Our Results of Operations Revenue Subscription - self-managed and SaaS Subscription - self-managed Our self-managed subscriptions include support, maintenance, upgrades, and updates on a when-and-if-available basis. Revenue for self-managed subscriptions is recognized ratably over the contract period based on the stand-ready nature of subscription elements.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2023 compared to the year ended January 31, 2022 is presented below.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2024 compared to the year ended January 31, 2023 is presented below.

A single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. We do not count our reseller or distributor channel partners as customers. In cases where customers subscribe to The DevSecOps Platform through our channel partners, each end customer is counted separately.

A single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single 67 Table of Contents customer for determining each organization’s ARR. We do not count our reseller or distributor channel partners as customers. In cases where customers subscribe to The DevSecOps Platform through our channel partners, each end customer is counted separately.

For purposes of determining the number of our active customers, we 64 Table of Contents look at our customers with more than $5,000 of Annual Recurring Revenue, or ARR, in a given period, who we refer to as our Base Customers.

For purposes of determining the number of our active customers, we look at our customers with more than $5,000 of Annual Recurring Revenue, or ARR, in a given period, who we refer to as our Base Customers.

We have concluded that the right to use the software, which is recognized upon delivery of the license, and the right to receive technical support and software fixes and 77 Table of Contents updates, which is recognized ratably over the term of the arrangement, are two distinct performance obligations.

We have concluded that the right to use the software, which is recognized upon delivery of the license, and the right to receive technical support and software fixes and updates, which is recognized ratably over the term of the arrangement, are two distinct performance obligations.

Sales and Marketing Sales and marketing expenses consist primarily of personnel-related expenses associated with our sales and marketing personnel, advertising, travel and entertainment related expenses, branding and marketing events, promotions, software subscriptions, and our allocated hosting expenses for our free tier. Sales and marketing expenses also include sales commissions paid to our sales force.

Sales and Marketing Sales and marketing expenses consist primarily of personnel-related expenses associated with our sales and marketing personnel, advertising, travel and entertainment related expenses, branding and marketing events, promotions, software subscriptions, and our allocated cloud infrastructure expenses for our free tier. Sales and marketing expenses also include sales commissions paid to our sales force.

If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in continued innovation, we may not be able to compete successfully, which would harm our business, operating results, and financial condition.

If we are unable to raise additional capital or generate cash flows necessary to expand our operations and 77 Table of Contents invest in continued innovation, we may not be able to compete successfully, which would harm our business, operating results, and financial condition.

As of January 31, 2023 2022 2021 Dollar-Based Net Retention Rate > 130% >152% >145% 65 Table of Contents Customers with ARR of $100,000 or More We believe that our ability to increase the number of $100,000 ARR customers is an indicator of our market penetration and strategic demand for The DevSecOps Platform.

As of January 31, 2024 2023 2022 Dollar-Based Net Retention Rate 130% >130% >152% Customers with ARR of $100,000 or More We believe that our ability to increase the number of $100,000 ARR customers is an indicator of our market penetration and strategic demand for The DevSecOps Platform.

We expect our cost of revenue for self-managed and SaaS subscriptions to increase in absolute dollars as our self-managed and SaaS 66 Table of Contents subscription revenue increases.

We expect our cost of revenue for self-managed and SaaS subscriptions to increase in absolute dollars as our self-managed and SaaS subscription revenue increases.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2022 compared to the year ended January 31, 2021 can be found in “Management's Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on Form 10-K for the fiscal year ended January 31, 2022, which was filed with the SEC on April 8, 2022.

A discussion regarding our financial condition and results of operations for the year ended January 31, 2023 compared to the year ended January 31, 2022 can be found in “Management's Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on Form 10-K for the fiscal year ended January 31, 2023, which was filed with the SEC on March 30, 2023.

Effective April 4, 2022, due to a loss of control over Meltano Inc., we account for Meltano investment under the equity method.

Effective April 4, 2022, due to a loss of control over Arch, we account for Arch investment under the equity method.

Loss from Equity Method Investment, Net of Tax Loss from equity method investment, net of tax consists of our share of losses from the results of operations of Meltano Inc., following its deconsolidation, net of tax.

Loss from Equity Method Investment, Net of Tax Loss from equity method investment, net of tax, consists of our share of losses from the results of operations of Arch , following its deconsolidation.

Other revenue consists of professional services revenue which is derived from fixed fee and time and materials offerings, subject to customer acceptance. Given the Company’s limited history of providing professional services, uncertainty exists about customer acceptance and therefore, control is presumed to transfer upon confirmation from the customer, as defined in each professional services contract.

Other revenue consists of professional services revenue which is derived from fixed fee and time and materials offerings, subject to customer acceptance for fixed fee offerings. Uncertainty exists about customer acceptance and therefore, control is presumed to transfer upon confirmation from the customer, as defined in each professional services contract.

Revenue attributed to our variable interest entity, JiHu, was $4.7 million and $1.2 million for fiscal 2023 and 2022, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

Cost of revenue attributed to our variable interest entity, JiHu, was $2.4 million and $1.7 million for fiscal 2024 and 2023 , respectively. See “Note 12. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

See “Note 12. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

We continue to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions. As of January 31, 2023, unrecognized tax benefits were $7.5 million , of which $0.5 million would affect the effective tax rate if recognized.

We continue to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions. As of January 31, 2024, unrecognized tax benefits were $396.8 million , of which $207.8 million would affect the effective tax rate if recognized.

Operating Expenses Our operating expenses consist of sales and marketing, research and development, and general and administrative expenses. Personnel-related expenses are the most significant component of operating expenses and consist of salaries, benefits, bonuses, stock-based compensation, and sales commissions. Operating expenses also include IT overhead costs.

Personnel-related expenses are the most significant component of operating expenses and consist of salaries, benefits, bonuses, stock-based compensation, and sales commissions. Operating expenses also include IT overhead costs.

SaaS Our SaaS subscriptions provide access to our latest managed version of our product hosted in a public or private cloud based on the customer’s preference. Revenue from our SaaS offerings is recognized ratably over the contract period when the performance obligation is satisfied.

The typical term of a subscription contract for self-managed offering is one to three years. SaaS Our SaaS subscriptions provide access to our latest managed version of our product hosted in a public or private cloud based on the customer’s preference. Revenue from our SaaS offerings is recognized ratably over the contract period when the performance obligation is satisfied.

Accordingly, we have allocated up to 23% of the entire transaction price to the right to use the underlying software (License revenue - Self managed) and allocated the remaining value of the transaction to the right to receive post-contract customer support (Subscription revenue - Self managed) during the period covered by these consolidated financial statements.

Accordingly, we have allocated between 1 to 23%, with the majority being less than 14%, of the entire transaction price to the right to use the underlying software (License revenue - Self managed) and allocated the remaining value of the transaction to the right to receive post-contract customer support (Subscription revenue - Self managed) during the period covered by these consolidated financial statements.

As of January 31, 2023 and 2022, our expansion is reflected by our Dollar-Based Net Retention Rate being above 130% and above 152%, respectively. We had 697 customers with ARR over $100,000 as of January 31, 2023, increasing from 492 customers with ARR over $100,000 as of January 31, 2022.

As of January 31, 2024 and 2023, our expansion is reflected by our Dollar-Based Net Retention Rate being 130% and above 130%, respectively. We had 72 Table of Contents 955 customers with ARR over $100,000 as of January 31, 2024, increasing from 697 customers with ARR over $100,000 as of January 31, 2023.

Our calculation of ARR and by extension Dollar-Based Net Retention Rate, includes both self-managed and SaaS subscription revenue. We report Dollar-Based Net Retention Rate on a threshold basis of 130% each quarter, and provide a tighter threshold as of each fiscal year end. We calculate ARR by taking the monthly recurring revenue, or MRR, and multiplying it by 12.

Our calculation of ARR and by extension Dollar-Based Net Retention Rate, includes both self-managed and SaaS subscription revenue. We report Dollar-Based Net Retention Rate on a threshold basis of 130% each quarter or the actual number if below 130%. We calculate ARR by taking the monthly recurring revenue, or MRR, and multiplying it by 12.

The following table shows a summary of our cash flows for the periods presented: Fiscal Year Ended January 31, 2023 2022 2021 (in thousands) Net cash used in operating activities $ (77,408) $ (49,814) $ (73,580) Net cash used in investing activities $ (605,686) $ (53,895) $ (842) Net cash provided by financing activities $ 97,482 $ 701,185 $ 12,945 Operating Activities Our largest source of operating cash is payments received from our customers.

The following table shows a summary of our cash flows for the periods presented: Fiscal Year Ended January 31, 2024 2023 2022 (in thousands) Net cash provided by (used in) operating activities $ 35,040 $ (77,408) $ (49,814) Net cash used in investing activities $ (86,238) $ (605,686) $ (53,895) Net cash provided by financing activities $ 45,235 $ 97,482 $ 701,185 Operating Activities Our largest source of operating cash is payments received from our customers.

We believe our judgments and estimates associated with the determination of standalone selling price for each performance obligation in revenue recognition and the accounting for stock-based compensation, which we discuss further below, could have a material impact on our consolidated financial statements. See “Note 2.

We believe our judgments and estimates associated with the determination of standalone selling price for each performance obligation in revenue recognition, the accounting for stock-based compensation, and income taxes as it relates to the potential BAPA, which we discuss further below, could have a material impact on our consolidated financial statements. 79 Table of Contents See “Note 2.

As of January 31, 2023 and January 31, 2022, our principal source of liquidity was cash, cash equivalents, and short-term investments aggregating to $936.7 million and $934.7 million, respectively, which were held for working capital and strategic investment purposes.

As of January 31, 2024 and January 31, 2023, our principal source of liquidity was cash, cash equivalents, and short-term investments aggregating t o $1.0 billion and $936.7 million, respectively, which were held for working capital and strategic investment purposes.

See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details . (3) Our results of operations include our v a riable interest entity, JiHu. The ownership interest of other investors is recorded as a noncontrolling interest. See “Note 11. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

The ownership interest of other investors is recorded as a noncontrolling interest. See “Note 12. Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details.

Our share of the undistributed earnings of foreign corporations not included in our consolidated federal income tax returns that could be subject to additional U.S. income tax if remitted is immaterial. As of January 31, 2023 , the amount of unrecognized U.S federal deferred income tax liability for undistributed earnings is immaterial.

The undistributed earnings of foreign corporations not included in our consolidated federal income tax returns that could be subject to additional U.S. income tax if remitted is immaterial.

Such costs incurred on acquisition of an initial contract are capitalized and amortized over an estimated period of benefit of three years, and any such expenses paid for the renewal of a subscription are capitalized and amortized over the contractual term of the renewal. However, costs for commissions that are incremental to obtain a self-managed license contract are expensed immediately.

The following table sets forth the components of our consolidated statements of operations as a percentage of total revenue for each of the periods presented: Fiscal Year Ended January 31, 2023 2022 2021 (as a percentage of total revenue) Revenue 100 % 100 % 100 % Cost of revenue 12 12 12 Gross profit 88 88 88 Operating expenses: Sales and marketing 73 76 101 Research and development 37 38 70 General and administrative 28 25 57 Total operating expenses 138 139 228 Loss from operations (50) (51) (141) Interest income 3 — 1 Other income (expense), net 5 (12) 15 Loss before income taxes and loss from equity method investment (41) (63) (124) Loss from equity method investment, net of tax (1) — — Provision for (benefit from) income taxes 1 (1) (2) Net loss (43) % (62) % (126) % Net loss attributable to noncontrolling interest (2) % (1) % — % Net loss attributable to GitLab (41) % (61) % (126) % Comparison of the Fiscal Year Ended January 31, 2023 and 2022 Revenue Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Subscription—self-managed and SaaS $ 369,349 $ 226,163 $ 143,186 63 % License—self-managed and other 54,987 26,490 28,497 108 Total revenue $ 424,336 $ 252,653 $ 171,683 68 % 70 Table of Contents Revenue increased $171.7 million, or 68%, to $424.3 million for fiscal 2023 from $252.7 million for fiscal 2022.

The following table sets forth the components of our consolidated statements of operations as a percentage of total revenue for each of the periods presented: Fiscal Year Ended January 31, 2024 2023 2022 (as a percentage of total revenue) Revenue 100 % 100 % 100 % Cost of revenue 10 12 12 Gross profit 90 88 88 Operating expenses: Sales and marketing 61 73 76 Research and development 35 37 38 General and administrative 26 28 25 Total operating expenses 122 138 139 Loss from operations (32) (50) (51) Interest income 7 3 — Other income (expense), net (2) 5 (12) Loss before income taxes and loss from equity method investment (28) (41) (63) Loss from equity method investment, net of tax (1) (1) — Provision for (benefit from) income taxes 46 1 (1) Net loss (74) % (43) % (62) % Net loss attributable to noncontrolling interest (1) % (2) % (1) % Net loss attributable to GitLab (73) % (41) % (61) % Comparison of Fiscal Year Ended January 31, 2024 and 2023 Revenue Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Subscription—self-managed and SaaS $ 506,306 $ 369,349 $ 136,957 37 % License—self-managed and other 73,600 54,987 18,613 34 Total revenue $ 579,906 $ 424,336 $ 155,570 37 % Revenue increased $155.6 million, or 37%, to $579.9 million for fiscal 2024 from $424.3 million for fiscal 2023.

Interest Income, and Other Income (Expense), Net Interest income consists primarily of interest earned on our cash equivalents and short-term inve stments. Other income (expense), net consists primarily of the gain from the deconsolidation of Meltano Inc., as well as foreign currency transaction gains and losses.

Research and Development Research and development expenses consist primarily of personnel-related expenses, including contractors, as well as third-party cloud infrastructure expenses to support our internal development efforts, allocated overhead associated with developing new features or enhancing existing features, and software and subscription services. Costs related to research and development are expensed as incurred.

Research and Development Research and development expenses consist primarily of personnel-related expenses, including contractors, as well as cloud infrastructure expenses to support our internal development efforts, and software and subscription services. Costs related to research and development are expensed as incurred.

Cost of Revenue, Gross Profit, and Gross Margin Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Cost of revenue $ 51,680 $ 29,985 $ 21,695 72 % Gross profit 372,656 222,668 149,988 67 Gross margin 88 % 88 % Cost of revenue increased by $21.7 million, to $51.7 million for fiscal 2023 from $30.0 million for fiscal 2022, primarily due to an increase of $8.1 million in personnel-related expenses, driven by an increase in our average customer support and professional services headcount and an increase of $3.8 million in stock-based compensation expenses (as discussed in the section titled “ Stock-Based Compensation Expense” below).

Cost of Revenue, Gross Profit, and Gross Margin Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Cost of revenue $ 59,708 $ 51,680 $ 8,028 16 % Gross profit 520,198 372,656 147,542 40 Gross margin 90 % 88 % 2 % Cost of revenue increased by $8.0 million, to $59.7 million for fiscal 2024 from $51.7 million for fiscal 2023, primarily due to an increase of $3.4 million in personnel-related expenses, driven by an increase in our average customer support and professional services headcount and an increase of $1.3 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

By making non-sensitive information public, we create a deeper level of trust with our customers and we make it easier to solicit contributions and collaboration from our users and customers.

We make our strategy, direction, and product roadmap available to the wider community, where we encourage and solicit their feedback. By making non-sensitive information public, we create a deeper level of trust with our customers and make it easier to solicit contributions and collaboration from our users and customers.

We maintain a full valuation allowance against our deferred tax assets in certain jurisdictions because we have concluded that it is not more likely than not that the deferred tax assets will be realized. 68 Table of Contents Results of Operations The following table sets forth our results of operations for the periods presented (in thousands): Fiscal Year Ended January 31, 2023 2022 2021 Revenue: Subscription—self-managed and SaaS $ 369,349 $ 226,163 $ 132,763 License—self-managed and other 54,987 26,490 19,413 Total revenue 424,336 252,653 152,176 Cost of revenue: (1) Subscription—self-managed and SaaS 40,841 23,668 14,453 License—self-managed and other 10,839 6,317 4,010 Total cost of revenue 51,680 29,985 18,463 Gross profit 372,656 222,668 133,713 Operating expenses: Sales and marketing (1) 309,992 190,754 154,086 Research and development (1) 156,143 97,217 106,643 General and administrative (1) 117,932 63,654 86,868 Total operating expenses 584,067 351,625 347,597 Loss from operations (211,411) (128,957) (213,884) Interest income 14,496 736 1,070 Other income (expense), net (2) 21,585 (30,850) 23,452 Loss before income taxes and loss from equity method investment (175,330) (159,071) (189,362) Loss from equity method investment, net of tax (2,468) — — Provision for (benefit from) income taxes 2,898 (1,511) 2,832 Net loss $ (180,696) $ (157,560) $ (192,194) Net loss attributable to noncontrolling interest (3) (8,385) (2,422) — Net loss attributable to GitLab $ (172,311) $ (155,138) $ (192,194) (1) Includes stock-based compensation expense as follows: Fiscal Year Ended January 31, 2023 2022 2021 (in thousands) Cost of revenue $ 5,078 $ 1,300 $ 1,185 Research and development 36,325 8,305 31,519 Sales and marketing 48,001 10,550 21,504 General and administrative 33,163 9,854 57,638 Total stock-based compensation expense $ 122,567 $ 30,009 $ 111,846 69 Table of Contents (2) Includes $17.8 million gain for the year ended January 31, 2023 from the deconsolidation of Meltano Inc. in April 2022.

We maintain a full valuation allowance against our deferred tax assets in certain jurisdictions because we have concluded that it is not more likely than not that the deferred tax assets will be realized. 70 Table of Contents Results of Operations The following table sets forth our results of operations for the periods presented (in thousands): Fiscal Year Ended January 31, 2024 2023 2022 Revenue: Subscription—self-managed and SaaS $ 506,306 $ 369,349 $ 226,163 License—self-managed and other 73,600 54,987 26,490 Total revenue 579,906 424,336 252,653 Cost of revenue: (1) Subscription—self-managed and SaaS 45,486 40,841 23,668 License—self-managed and other 14,222 10,839 6,317 Total cost of revenue 59,708 51,680 29,985 Gross profit 520,198 372,656 222,668 Operating expenses: Sales and marketing (1) 356,393 309,992 190,754 Research and development (1) 200,840 156,143 97,217 General and administrative (1) 150,405 117,932 63,654 Total operating expenses 707,638 584,067 351,625 Loss from operations (187,440) (211,411) (128,957) Interest income 39,114 14,496 736 Other income (expense), net (2) (11,826) 21,585 (30,850) Loss before income taxes and loss from equity method investment (160,152) (175,330) (159,071) Loss from equity method investment, net of tax (3,824) (2,468) — Provision for (benefit from) income taxes 264,057 2,898 (1,511) Net loss $ (428,033) $ (180,696) $ (157,560) Net loss attributable to noncontrolling interest (3) (3,859) (8,385) (2,422) Net loss attributable to GitLab $ (424,174) $ (172,311) $ (155,138) (1) Includes stock-based compensation expense as follows: Fiscal Year Ended January 31, 2024 2023 2022 (in thousands) Cost of revenue $ 6,400 $ 5,078 $ 1,300 Sales and marketing 68,766 48,001 10,550 Research and development 50,804 36,325 8,305 General and administrative 37,079 33,163 9,854 Total stock-based compensation expense $ 163,049 $ 122,567 $ 30,009 (2) Includes $8.9 million loss for the year ended January 31, 2024 from the impairment of Arch Data Inc.

The main drivers of the changes in operating assets and liabilities were the increase in deferred revenue of $79.1 million and the increase in accrued compensation and related expenses of $19.8 million, partially offset by the increase in deferred contract acquisition costs of $42.6 million and the increase in accounts receivable of $38.2 million.

The main drivers of the changes in operating assets and liabilities were the increase in accrued expenses and other liabilities of $258.3 million, the increase in deferred revenue of $79.3 million and the increase in accrued compensation and related expenses of $15.2 million, partially offset by the increase in deferred contract acquisition costs of $53.1 million, the increase in accounts receivable of $36.3 million, and the increase in prepaid expenses and other current assets of $23.9 million.

Accordingly, revenue is recognized upon satisfaction of all requirements per the applicable contract. Revenue from professional services provided on a time and material basis is recognized over the periods services are delivered. Revenue from professional services accounted for 2%, 2% and 3% of our total revenue for the years ended January 31, 2023, 2022 and 2021, respectively.

See the section entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations —Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for additional information about how we define ARR. We make our plans available through our self-managed and software-as-a-service, or SaaS offering.

See the section entitled “ Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for additional information about how we define ARR. We make our plans available through our self-managed and software-as-a-service (SaaS) offering. For our self-managed offering, the customer installs GitLab in their own on-premise or hybrid cloud environment.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 71 Table of Contents Sales and Marketing Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Sales and marketing expenses $ 309,992 $ 190,754 $ 119,238 63 % Sales and marketing expenses increased by $119.2 million, to $310.0 million for fiscal 2023 from $190.8 million for fiscal 2022, primarily due to an increase of $94.9 million in personnel-related expenses, driven by an increase in our average sales and marketing headcount, and an increase of $37.5 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 73 Table of Contents Research and Development Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Research and development expenses $ 200,840 $ 156,143 $ 44,697 29 % Research and development expenses increased by $44.7 million, to $200.8 million for fiscal 2024 from $156.1 million for fiscal 2023, primarily due to an increase of $32.9 million in personnel-related expenses, driven by an increase in our average research and development headcount and an increase of $14.5 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

As of January 31, 2023 , the statutes for our U.S. federal 2018 through 2022 tax years were open and the results from such tax years remained subject to potential examination in one or more jurisdictions.

The unrecognized tax benefit represents our best estimate of the tax expense associated with the proposed agreements and their related effects. As of January 31, 2024 , our U.S. federal 2018 through 2022 tax years were open and the results from such tax years remained subject to potential examination in one or more jurisdictions.

Liquidity and Capital Resources Since inception, we have financed operations primarily through proceeds received from issuances of equity securities, preferred stock and payments received from our customers.

Accrued interest and penalties were $52.1 million as of January 31, 2024 and $0.2 million as of January 31, 2023. Liquidity and Capital Resources Since inception, we have financed operations primarily through proceeds received from issuances of equity securities, preferred stock and payments received from our customers.

Investing Activities Cash used in investing activities during fiscal 2023 was $605.7 million, primarily consisting of $590.0 million in purchases of short-term investments, net of proceeds from maturities, $9.6 million cash outflow 76 Table of Contents as a result of a deconsolidation of an erstwhile subsidiary, and $6.1 million in purchases of property and equipment.

Cash used in investing activities during fiscal 2023 was $605.7 million, primarily consisting of $590.0 million in purchases of short-term investments, net of proceeds from maturities, $9.6 million cash outflow as a result of a deconsolidation of an erstwhile subsidiary, and $6.1 million in purchases of property and equipment. 78 Table of Contents Financing Activities Cash provided by financing activities during fiscal 2024 was $45.2 million, attributable to $32.3 million of proceeds from the issuance of common stock upon stock options exercises, and $12.9 million of proceeds from the issuance of common stock under the employee stock purchase plan.

Our effective tax rate for fiscal 2023 was lower than the U.S. federal statutory tax rate of 21%, primarily due to an increase in valuation allowance associated with the net operating losses generated during the year.

Our effective tax rate for fiscal 2024 was higher than the U.S. federal statutory tax rate of 21%, primarily due to the additional tax liabilities relating to the anticipated BAPA, an increase in valuation allowance associated with tax attributes generated during the year, and non-deductible expenses.

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 72 Table of Contents General and Administrative Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) General and administrative expenses $ 117,932 $ 63,654 $ 54,278 85 % General and administrative expenses increased by $54.3 million, to $117.9 million for fiscal 2023 from $63.7 million for fiscal 2022, primarily due to an increase of $43.0 million in personnel-related expenses, mainly attributable to an increase in our average general and administrative headcount and an increase of $23.3 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

General and Administrative Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) General and administrative expenses $ 150,405 $ 117,932 $ 32,473 28 % General and administrative expenses increased by $32.5 million, to $150.4 million for fiscal 2024 from $117.9 million for fiscal 2023, primarily due to an increase of $17.7 million in personnel-related expenses, mainly attributable to an increase in our average general and administrative headcount and an increase of $3.9 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

Under the provisions of Accounting Standard Codification (“ASC”) 740, Income Taxes , the determination of our ability to recognize our deferred tax assets requires an assessment of both negative and positive evidence when determining our ability to recognize deferred tax assets. We determined that it was not more likely than not that we could recognize certain deferred tax assets.

Under the provisions of ASC 740, Income Taxes , the determination of our ability to recognize our deferred tax assets requires an assessment of both negative and positive evidence when determining our ability to recognize deferred tax assets.

General and administrative expenses also include external legal, accounting, and director and officer insurance, as well as other consulting and professional services fees, software and subscription services, other corporate expenses, and any contract termination fees. 67 Table of Contents We have incurred and expect to incur additional expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, costs related to Sarbanes-Oxley compliance, costs related to Environmental, Social, and Governance (ESG) compliance and increased expenses for insurance, investor relations, and related professional services.

We incur expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, costs related to Sarbanes-Oxley compliance, costs related to Environmental, Social, and Governance (ESG) compliance and expenses for insurance, investor relations, and related professional services.

The remaining change was mainly due to an increase of $2.7 million in hosting expenses. Research and development expenses attributed to our variable interest entity, JiHu, was $6.8 million and $2.3 million for fiscal 2023 and 2022, respectively. See “Note 11.

The remaining change was mainly due to an increase of $3.8 million in cloud infrastructure costs for internal usage, an increase of $2.1 million in software and consulting expenses, and $2.1 million in one-time restructuring costs. Research and development expenses attributed to our variable interest entity, JiHu, were $5.3 million and $6.8 million for fiscal 2024 and 2023, respectively.

The estimate of awards expected to vest is reassessed by management at each reporting period. 78 Table of Contents Recently Issued Accounting Pronouncements See “Note 2. Basis of Presentation and Summary of Significant Accounting Policies” to our consolidated financial statements included elsewhere in this Annual Report for more information regarding recently issued accounting pronouncements. 79 Table of Contents

Basis of Presentation and Summary of Significant Accounting Policies” to our consolidated financial statements included elsewhere in this Annual Report for more information regarding recently issued accounting pronouncements. 81 Table of Contents

Joint Venture and Equity Method Investment” to our consolidated financial statements for additional details. 73 Table of Contents Interest Income, and Other Income (Expense), Net Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Interest income $ 14,496 $ 736 $ 13,760 1870 % Gain from deconsolidation of Meltano Inc. $ 17,798 $ — $ 17,798 100 % Foreign exchange gains (losses), net 4,364 (29,140) 33,504 (115) Other expense, net (577) (1,710) 1,133 (66) Total other income (expense), net $ 21,585 $ (30,850) $ 52,435 (170) % For fiscal 2023 compared to fiscal 2022, interest income increased primarily due to income earned from our cash equivalents and short-term investments as a result of investing the proceeds from our initial public offering, or IPO, into marketable securities in fiscal 2023 as well as higher interest rates during fiscal 2023 compared to fiscal 2022.

Interest Income and Other Income (Expense), Net Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Interest income $ 39,114 $ 14,496 $ 24,618 170 % Gain from deconsolidation of Arch, formerly Meltano $ — $ 17,798 $ (17,798) 100 % Impairment loss of equity method investment in Arch, formerly Meltano (8,858) — (8,858) 100 Foreign exchange gains (losses), net (3,157) 4,364 (7,521) (172) Other income (expense), net 189 (577) 766 (133) Total other income (expense), net $ (11,826) $ 21,585 $ (33,411) (155) % For fiscal 2024 compared to fiscal 2023 , interest income increased primarily due to income earned from our cash equivalents and short-term investments as a result of investing the proceeds from our initial public offering, or IPO, into marketable securities as well as higher interest rates during fiscal 2024 compared to fiscal 2023 .

The evidence we evaluated included operating results during the most recent three-year period and future projections, with more weight given to historical results than expectations of future profitability, which are inherently uncertain. Certain entities’ net losses in recent periods represented sufficient negative evidence to require a valuation allowance against its net deferred tax assets.

Consistent with prior years, we maintain that it is not more likely than not that we can recognize deferred tax assets in certain jurisdictions. The evidence we evaluated included operating results during the most recent three-year period and future projections. More weight is given to historical results than to expectations of future profitability, which are inherently uncertain.

This valuation allowance will be evaluated periodically and could be reversed partially or totally if business results have sufficiently improved to support realization of deferred tax assets. We have not recorded a provision for deferred U.S. tax expense that could result from the remittance of foreign undistributed earnings since we intend to reinvest the earnings of the foreign subsidiaries indefinitely.

We have not recorded a provision for deferred U.S. tax expense that could result from the remittance of foreign undistributed earnings since we intend to reinvest the earnings of the foreign subsidiaries indefinitely.

Provision for (Benefit from) Income Taxes Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Provision for (benefit from) income taxes $ 2,898 $ (1,511) $ 4,409 (292) % Effective tax rate (1.7) % 0.9 % (2.6)% Our effective tax rate decreased by approximately 2.6% in the fiscal year ended January 31, 2023 as compared to the fiscal year ended January 31, 2022.

Provision for Income Taxes Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Provision for income taxes $ 264,057 $ 2,898 $ 261,159 9011.7% Effective tax rate (164.9) % (1.7) % (163.2)% Our tax expense increased by approximately $261.2 million for fiscal 2024 as compared to fiscal 2023 .

Research and Development Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Research and development expenses $ 156,143 $ 97,217 $ 58,926 61 % Research and development expenses increased by $58.9 million, to $156.1 million for fiscal 2023 from $97.2 million for fiscal 2022, primarily due to an increase of $52.6 million in personnel-related expenses, driven by an increase in our average research and development headcount and an increase of $28.0 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

Sales and Marketing Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Sales and marketing expenses $ 356,393 $ 309,992 $ 46,401 15 % Sales and marketing expenses increased by $46.4 million, to $356.4 million for fiscal 2024 from $310.0 million for fiscal 2023, primarily due to an increase of $39.7 million in personnel-related expenses, driven by an increase in our average sales and marketing headcount, and an increase of $20.8 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).

And they are looking for a platform approach that unifies the entire development experience, so that customers can be faster than their competition in moving from idea to customer value. GitLab is designed to consolidate point solutions to cut costs and boost efficiency, and provides end-to-end visibility across the entire software development lifecycle, from planning to production to security.

And they are looking for a platform approach that unifies the entire development experience, so that customers can be faster than their competition in moving from idea to customer value. We believe GitLab is the shortest path to unlocking business and technology transformation results.

As our SaaS offering makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins. 68 Table of Contents License - self-managed and other Cost of self-managed license and other revenue consists primarily of contractor and personnel-related costs, including stock-based compensation expenses, associated with the professional services team and customer support team, and allocated overhead.

As of January 31, 2023, cash and cash equivalents consist of cash in banks, money markets funds, agency securities, and treasuries , while short-term investments mainly consist of treasuries, corporate debt securities, and commercial paper. 75 Table of Contents We believe that our existing cash, cash equivalents, and short-term investments will be sufficient to support working capital and capital expenditure requirements for at least the next 12 months.

We believe that our existing cash, cash equivalents, and short-term investments will be sufficient to support working capital and capital expenditure requirements for at least the next 12 months.

Cash used in operating activities during fiscal 2022 was $49.8 million, primarily consisting of our net loss of $157.6 million, adjusted for non-cash items of $85.2 million (including amortization of deferred contract acquisition costs of $33.4 million, stock-based compensation of $30.0 million, and unrealized foreign exchange loss of $20.4 million) and net cash inflows of $22.6 million provided by changes in our operating assets and liabilities.

Cash provided by operating activities during fiscal 2024 was $35.0 million, primarily consisting of our net loss of $428.0 million, adjusted for non-cash items of $222.1 million (mainly attributable to stock-based compensation expense of $163.0 million and amortization of deferred contract acquisition costs, net of $43.5 million), and net cash inflows of $241.0 million provided by changes in our operating assets and liabilities.

Loss from Equity Method Investment, Net of Tax Fiscal Year Ended January 31, Change 2023 2022 $ % (in thousands, except percentages) Loss from equity method investment, net of tax $ (2,468) $ — $ (2,468) 100 % Loss from equity method investment, net of tax consists of our share of losses from the results of operations of Meltano Inc., net of tax.

The remaining change in other income (expense), net is mainly due to currency exchange gains and losses. 75 Table of Contents Loss from Equity Method Investment, Net of Tax Fiscal Year Ended January 31, Change 2024 2023 $ % (in thousands, except percentages) Loss from equity method investment, net of tax $ (3,824) $ (2,468) $ (1,356) 55 % Loss from equity method investment, net of tax consists of our share of losses from the results of operations of Arch, formerly Meltano.

These estimates involve inherent uncertainties and the application of management’s judgment. For stock options and ESPP the expense is recognized on a straight-line basis. In fiscal 2023, the board of directors of JiHu approved an employee stock option plan (“JiHu ESOP”) for its employees.

These estimates involve inherent uncertainties and the application of management’s judgment. For stock options and ESPP the expense is recognized on a straight-line basis. Bilateral Advance Pricing Agreement See “Note 13.

It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity. The DevSecOps Platform also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance.

Our DevSecOps platform accelerates our customers’ ability to create business value and innovate by reducing their software development cycle times from weeks to minutes – achieving up to 7x faster cycle time. It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity.

GitLab is the solution to significant business transformation needs.

With GitLab, they can build better, more secure software, faster. GitLab is the solution to significant business transformation needs.

We are currently unable to estimate the financial outcome of this examination due to its preliminary status. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes.

We expect negotiations to continue to the middle of fiscal 2025. We believe that we have adequately reserved for the outcome of the Netherlands examination. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes.

The remaining change was primarily driven by an increase of $6.1 million in consulting and software expenses to support our growth. General and administrative expenses attributed to our variable interest entity, JiHu, was $10.5 million and $3.6 million for fiscal 2023 and 2022, respectively. See “Note 11.

General and administrative expenses attributed to our variable interest entity, JiHu, were $1.9 million and $10.5 million for fiscal 2024 and 2023 , respectively . See “Note 12.

The purpose of our investment activities was to increase the effectiveness of our sales motions, increase our sales capacity, generate demand for our products and acquire more customers. Sales and marketing expenses attributed to our variable interest entity, JiHu, were $7.7 million and $3.2 million for fiscal 2023 and 2022, respectively. See “Note 11.

Sales and marketing expenses attributed to our variable interest entity, JiHu, were $7.4 million and $7.7 million for fiscal 2024 and 2023, respectively. See “Note 12.

Cash used in investing activities during fiscal 2022 was $53.9 million, primarily consisting of purchases of short-term investments, net of maturities of $50.0 million and purchases of property and equipment of $3.5 million.

Investing Activities Cash used in investing activities during fiscal 2024 was $86.2 million, primarily consisting of $81.7 million in purchases of short-term investments, net of proceeds from maturities, $2.5 million outflow as a result of an escrow payment related to a prior business combination, $1.6 million in purchases of property and equipment, and $0.5 million of other investing activities.

For our self-managed offering, the customer installs GitLab in their own on-premise or hybrid cloud environment. For our SaaS offering, the platform is managed by GitLab and hosted either in our public cloud or in our private cloud based on the customer’s preference.

For our SaaS offering, the platform is managed by GitLab and hosted either in our public cloud or in our private cloud based on the customer’s preference. Key Business Metrics We monitor the following key metrics to help us evaluate our business, identify trends affecting our business, formulate business plans, and make strategic decisions.

The change in other income (expense), net is primarily due to the recognized gain of $17.8 million on the fair valuation of our retained interest in Meltano Inc., our formerly controlled subsidiary. The remaining change in other income (expense), net is mainly due to strengthening of the U.S dollar.

The change in other income (expense), net is primarily due to the recognized gain of $17.8 million on the deconsolidation of Arch Data Inc. (“Arch”), formerly Meltano, during fiscal 2023 . During fiscal 2024, the Company recorded an impairment charge for Arch of $8.9 million in other income (expense), net.

… 44 more changes not shown on this page.

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Market Risk — interest-rate, FX, commodity exposure

6 edited+2 added−2 removed5 unchanged

2023 filing

2024 filing

Biggest changeOur cash equivalents and short-term investments of $704.3 million as of January 31, 2023, mainly consist of money market funds, treasuries, corporate debt securities and commercial paper. Our cash equivalents and short-term investments of $830.2 million as of January 31, 2022, mainly consist of money market accounts and certificates of deposit.

Biggest changeAs of January 31, 2024 and 2023, our cash equivalents and short-term investments of $955.3 million and $704.3 million mainly consist of money market funds, treasuries, corporate debt securities and commercial paper, respectively. Our cash, cash equivalents, and short-term investments are held for working capital and strategic investment purposes. We do not enter into investments for trading or speculative purposes.

Our market risk exposure is primarily the result of fluctuations in interest rates and foreign currency exchange rates. Interest Rate Risk As of January 31, 2023 and January 31, 2022 , we had $936.7 million and $934.7 million of cash, cash equivalents, and short-term investments, respectively.

Our market risk exposure is primarily the result of fluctuations in interest rates and foreign currency exchange rates. Interest Rate Risk As of January 31, 2024 and January 31, 2023, we had $1.0 billion and $936.7 million of cash, cash equivalents, and short-term investments, respectively.

The weighted-average life of our investment portfolio was approximately 7 months as of January 31, 2023. Foreign Currency Exchange Risk To date, all of our sales contracts have been denominated in U.S. dollars, except for our variable interest entity, JiHu, which sells in local currency in its designated area. Our revenue is not subject to a material foreign currency risk.

Foreign Currency Exchange Risk To date, all of our sales contracts have been denominated in U.S. dollars, except for our variable interest entity, JiHu, which sells in local currency in its designated area. Our revenue is not subject to a material foreign currency risk.

In the event our foreign currency denominated assets, liabilities, or expenses increase, our operating results may be more greatly affected by fluctuations in the exchange rates of the currencies in which we do business. Moreover, as of January 31, 2024, we have $35.2 million of cash and cash equivalents denominated in currencies other than the U.S. dollar.

Based on our investment portfolio balance as of January 31, 2023, a hypothetical increase or decrease in interest rates of 1% (100 basis points) would result in a decrease or an increase in the fair value of our portfolio of approximately $4.4 million. Such losses would only be realized if we sell the investments prior to maturity.

Our fixed-income portfolio is subject to fluctuations in interest rates, which could affect our results of operations. Based on our investment portfolio balance as of January 31, 2024, a hypothetical increase or decrease in interest rates of 1% (100 basis points) would result in a decrease or an increase in the fair value of our portfolio of approximately $4.3 million.

As of January 31, 2023, a hypothetical 10% change in foreign currency exchange rates would have a material impact on our consolidated financial statements. We have not engaged in the hedging of foreign currency transactions to date, although we may choose to do so in the future. 80 Table of Contents

We have not engaged in the hedging of foreign currency transactions to date, although we may choose to do so in the future. 82 Table of Contents

Removed

Our cash, cash equivalents, and short-term investments are held for working capital and strategic investment purposes. We do not enter into investments for trading or speculative purposes. Our fixed-income portfolio is subject to fluctuations in interest rates, which could affect our results of operations.

Added

Such losses would only be realized if we sell the investments prior to maturity. The weighted-average life of our investment portfolio was approximately 5 months as of January 31, 2024.

Removed

Moreover, as of January 31, 2023, we h ave $83.6 million of cash and cash equivalents denominated in currencies other than the U.S. dollar, predominantly Chin ese yuan for our variable interest entity, JiHu. The value of these cash balances may materially change along with the weakness or strength of the U.S. dollar.

Added

The value of these cash balances may materially c hange along with the weakness or strength of the U.S. dollar. As of January 31, 2024, a hypothetical 10% change in foreign currency exchange rates would have a material impact on our consolidated financial statements.

Top changes in Gitlab Inc.'s 2024 10-K

Item 1. Business

Item 1A. Risk Factors

Item 3. Legal Proceedings

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Other GTLB 10-K year-over-year comparisons