The case to vote WITHHOLD on the election of Directors Michelle Zatlyn and Scott Sandell at Cloudflare’s 2026 annual meeting of stockholders

PROXY MEMORANDUM

To:	Shareholders of Cloudflare, Inc. (the “Company” or “Cloudflare”)
From:	JLens (“we” or “our”)
Date:	June 10, 2026
Re:	The case to vote WITHHOLD on the election of Directors Michelle Zatlyn and Scott Sandell at Cloudflare’s 2026 annual meeting of stockholders

Cloudflare provides internet infrastructure and cybersecurity services that help websites, applications and corporate networks operate securely and reliably. According to the Company’s website and public disclosures, Cloudflare operates in more than 190 countries, serves millions of internet properties globally [1], and is reportedly used by more than 22% of all websites worldwide. [2]  

That scale gives Cloudflare’s policies and enforcement practices real-world significance. Yet, according to a report published by the Anti-Defamation League (“ADL”), Keeping the Lights On: How Cloudflare Sustains Violent Extremism, Graphic Violence and Terrorism Online, Cloudflare continues to provide core web infrastructure, including content delivery, domain name system (DNS), domain registration and cybersecurity services, to websites dedicated to graphic violence, violent extremism and material produced by a U.S.-designated Foreign Terrorist Organization. [3]

The Company’s board of directors (the “Board”) and its committees are responsible for oversight of Cloudflare’s risk management processes, including legal and compliance, cybersecurity, operational and reputational risks. Cloudflare’s 2026 definitive proxy statement states that the Board, as a whole and through its committees, has responsibility for risk oversight and must “satisfy itself that the risk management processes designed and implemented by management are appropriate and functioning as designed.” [4] In our view, the Board has failed to provide sufficient oversight of critical risks arising from Cloudflare’s facilitation of websites with content associated with violent extremism, terrorism and real-world harm.

Accordingly, we recommend that shareholders vote WITHHOLD on the election of Directors Michelle Zatlyn, Co-Founder, President and Co-Chair of the Board, and Scott Sandell, the Company’s Lead Independent Director

Documented Threats Facilitated Under Board Watch

Under the Board’s oversight, Cloudflare provides services to websites with content that fit into three distinct threat categories, each of which ADL has specifically flagged to the Company between August 2025 and April 2026:

• The Gore-Extremism Nexus and Youth Radicalization: Cloudflare supports websites at the gore-extremism nexus repeatedly tied to violent, targeted attacks. [5] ADL research suggests connections between WatchPeopleDie, a Cloudflare-facilitated gore forum, [6] and at least six deadly attacks over two years that resulted in 12 deaths and 134 injuries. [7] [8] [9] [10] [11] [12] Cloudflare also provides infrastructure [3] to the internet’s largest incel forum, where mass killers are venerated as “saints.” [13] These spaces expose users, often young people, [14] to graphic violence and extremist ideology, creating a fertile environment for radicalization.

• Violent Extremism and Accelerationism: Cloudflare provides services to FashFront, [3] a successor to a platform central to the global neo-Nazi accelerationist movement, [15] where members share propaganda by the Terrorgram Collective, a Specially Designated Global Terrorist group. According to ADL technical analysis, FashFront relies on Cloudflare’s content delivery network (CDN) and analytics to stay online. [3] [16]

• Foreign Terrorist Organizations (FTOs): ADL research identified at least two ISIS propaganda outlets using Cloudflare services. [3] These sites publish execution videos, calls for attacks, ISIS newsletters and communiques, and have routed visitors through Cloudflare’s infrastructure since November 2025. [3][17]

Cloudflare characterizes these services as a neutral “pass-through” utility and has declined to adopt the content-related service restrictions used by certain infrastructure peers. [18] [19] But the Company is not subject to a universal-service obligation; it selects customers through commercial relationships and has terminated service in prior cases when management determined that continued service presented unacceptable risk. [20] [21] [22] In our view, the content-moderation concerns identified by ADL are not isolated operational disputes. Rather, we believe they are symptoms of a broader governance failure: the Board has not ensured that management has adopted clear, consistent and risk-based standards for high-threat customers, supported by adequate compliance controls, escalation procedures and transparency.

Three Governance Gaps That Expose Shareholders

It is clear to us that the risks identified above are not simply content-moderation concerns, but reflect a broader failure of Board oversight. Although the Board is not responsible for making individual decisions regarding how the Company’s terms of use are enforced or what prohibitions they contain, the Board is responsible for overseeing whether management has adopted policies, compliance controls, and reporting systems sufficient to manage known legal, regulatory and reputational risks. ADL’s findings point to three specific governance gaps that we believe expose shareholders to escalating risk as set forth below. 

1. Inadequate Acceptable-Use Policies Create Competitive and Reputational Risk

Cloudflare’s pass-through service policies do not expressly prohibit or block content dedicated to graphic violence or violent extremism, [19] [20] [21] [22] [23] while only a limited subset of its services (those that “definitively store” content) prohibit content that incites or exploits violence. [17] By contrast, Amazon Web Services, a direct infrastructure peer, broadly prohibits customers from using any of its services to “to threaten, incite, promote, or actively encourage violence, terrorism, or other serious harm.” [24] 

As set forth in the paragraph below, Cloudflare’s record demonstrates that the Company can and does block content when management determines that such content presents unacceptable risk. However, it appears that these situations have generally occurred only after public crisis points, rather than pursuant to a clear, consistently applied risk framework. 

For example, Cloudflare terminated services to (i) The Daily Stormer (August 2017), but only after the site publicly claimed Cloudflare “secretly supported” its ideology; [21] (ii) 8chan (August 2019), but only after the site was linked to three mass shootings in five months, including El Paso (August 2019); [20] and (iii) Kiwi Farms (September 2022), but only after what the Company’s Chief Executive Officer, Matthew Prince, called an “unprecedented emergency and immediate threat to human life.” [22] In each case, the Company framed its decision as an exceptional act rather than the application of a consistent policy. 

In our view, that posture—default-on service until an emergency forces an exception—creates both shareholder and societal risk. Cloudflare’s continued association with FTO-affiliated websites and documented services to gore and accelerationist forums creates identifiable customer-retention risk, particularly among financial institutions, government contractors, and regulated enterprises, which are themselves subject to escalating third-party risk requirements.

This risk is especially significant because large enterprise customers accounted for 73% of Cloudflare’s revenue as of its fourth quarter in 2025. [25] As enterprise procurement processes place greater emphasis on sanctions compliance, entity verification and ownership diligence, Cloudflare’s continued service to high-risk websites may become increasingly difficult to defend in customer and regulator-facing contexts. [26]

2. Sanctions Compliance Deficiencies Create Regulatory and Litigation Risk

Cloudflare’s subscription terms prohibit use by sanctioned entities, including FTOs. [23] However, ADL and other independent researchers have repeatedly identified active Cloudflare services to FTO-affiliated websites. [27] [18] In May 2019, Cloudflare self-reported potential sanctions violations to the U.S. Department of the Treasury. [28] The Company’s most recent Annual Report on Form 10-K acknowledges implementing “additional controls” but expressly states it offers “no guarantee” against future violations, [1] suggesting, in our view, that sanctions-screening risk remains unresolved.  

Sanctions violations could materially affect financial results through regulatory penalties, as could costly remediation obligations and restrictions regulators could place on the Company’s ability to do business following potential negative findings. 

Cloudflare is also facing pending litigation alleging that it knowingly provided cybersecurity services to a U.S.-designated FTO. In November 2024, Cloudflare was sued under the Antiterrorism Act by victims of the 2014 Jerusalem synagogue attack, who allege the Company knowingly provided cybersecurity services to the Popular Front for the Liberation of Palestine, a U.S.-designated FTO (Levine v. Cloudflare, N.D. Fla., No. 4:24-cv-00461). [29] 

3. Transparency and Reporting Failures Create Regulatory Risk

ADL’s abuse-reporting experience further suggests that Cloudflare lacks a clear and durable escalation framework for high-threat content. When ADL submitted formal abuse reports through Cloudflare’s official reporting mechanism, it documented four breakdowns. [30] First, the form lacked an abuse category for graphic violence, violent extremism, or terrorism. Second, Cloudflare failed to substantively respond to three of ADL’s reports, and in one instance deferred responsibility to the origin hosting provider, citing its “pass-through” status. Third, for two reported ISIS sites whose homepages prominently displayed ISIS logos, iconography, and video propaganda, Cloudflare requested additional evidence of abuse. Fourth, Cloudflare initially flagged and deplatformed The American Futurist, a neo-Nazi accelerationist site, then reversed course and replatformed it, indicating the absence of a durable enforcement standard.

Cloudflare’s public transparency reporting also does not appear to address the category of services most relevant to the risks identified by ADL. While the Company acknowledges that “pass-through” services represent the majority of the abuse reports submitted, it excludes these abuse reports from its public transparency reports unless they are government requests or fall under the technical abuse subcategory. [31] As a result, shareholders lack meaningful visibility into the scale, nature and resolution of abuse reports involving the services most frequently implicated in high-risk activity. 

At a time when governments worldwide are intensifying scrutiny of technology companies’ facilitation of extremism, Cloudflare may be exposed under multiple overlapping frameworks:

• EU Digital Services Act [32] [33]
• UK Online Safety Act [34]
• U.S. Antiterrorism Act (as amended by the Justice Against Sponsors of Terrorism Act) [35]

Against that backdrop, we believe Cloudflare’s limited abuse-reporting categories, inconsistent escalation practices, and exclusion of most pass-through service abuse reports from transparency reporting create unnecessary regulatory and reputational risk. 

These concerns may end up being compounded by a recent structural change. On May 7, 2026, Cloudflare announced a plan to reduce its workforce by approximately 1,100 employees, or roughly 20% of its current headcount, as part of a shift to what the Company describes as an “agentic AI-first operating model.” [36] The Company has not disclosed how trust-and-safety, abuse-response, sanctions-compliance, or other risk-management functions will be staffed and resourced under the new model, nor whether Board-level oversight of these functions will be adjusted to reflect the restructuring. 

Cloudflare’s Governance Structure Insulates the Board from Accountability to Shareholders

The oversight and transparency concerns described above are reinforced by Cloudflare’s broader shareholder-unfriendly governance structure, which limits shareholders’ ability to hold the Board accountable when serious risks go unaddressed. Cloudflare’s own Corporate Governance Guidelines describe the Board’s “principal duty” as exercising its powers “in a manner it reasonably believes to be in the best interests of the Company and its stockholders,” and provide that “it is… the Board’s duty to oversee senior management in the competent and ethical operation of the Company.” [37] Yet, Cloudflare maintains a series of structural governance provisions that, taken together, narrow the channels through which shareholders can hold directors accountable:

• A dual-class capital structure in which Class B shares carry ten votes per share versus one vote per share for Class A shares, giving co-founders Matthew Prince and Michelle Zatlyn approximately 50% of the combined voting power of all of the Company’s outstanding shares as of June 5, 2026; [4]
• Classified board structure, with directors elected to staggered three-year terms [4]
• Plurality voting standard in uncontested director elections, under which directors may be elected even if only one vote is cast in favor of their election;
• No shareholder right to call a special meeting; 
• No shareholder right to act by written consent
• Supermajority vote requirement to amend certain provisions of the charter or bylaws; 
• Board vacancies are filled exclusively by the remaining directors;
• Directors may only be removed for cause

Moreover, the Company’s proposed capital restructuring (as set forth in more detail in Proposal Four of the Company’s 2026 definitive proxy statement) would maintain this concentration of control rather than relax it, replacing the Class B super-voting shares with a new Series FF preferred stock carrying nine votes per share and creating a new non-voting Class C common stock, all of which preserves co-founder voting control rather than moving toward one share, one vote. [4]

These provisions matter because they reduce the practical consequences of shareholder dissatisfaction. The plurality voting standard, for instance, significantly reduces the practical impact of a WITHHOLD vote, since directors may be elected even if only one vote is cast in their favor in uncontested elections. When shareholders cannot readily replace directors, call meetings, or amend governance documents, the Board bears a heightened responsibility to oversee risks that may affect long-term shareholder value. In our view, the limited disclosure and inconsistent response to high-risk-customers, sanctions-compliance, and abuse-reporting concerns described in the preceding sections calls into question whether this governance structure is producing adequate Board-level oversight and accountability to shareholders, and underscores why a meaningful WITHHOLD vote is one of the few direct mechanisms available to shareholders to register that concern.

Conclusion: Hold the Board Accountable

The risks set forth in this memorandum are not speculative. Cloudflare faces a pending federal Antiterrorism Act lawsuit (Levine v. Cloudflare) [29] and regulatory fine exposure across multiple jurisdictions. The Company’s own Form 10-K states that current sanctions controls offer “no guarantee” against future violations. [1] And ADL has documented the Company’s continued provision of services to websites tied to violent extremism, terrorist propaganda, and real-world attacks [3]. 

We strongly believe these risks reflect identifiable failures in Board oversight and recommend that shareholders vote WITHHOLD on the election of Directors Michelle Zatlyn and Scott Sandell. The Company’s co-founders control a majority of the voting power and can elect these directors regardless of shareholder opposition, but we believe a substantial WITHHOLD vote would send a strong message to the Board that independent stockholders find the status quo unacceptable. We further call on the Board to adopt the following five reforms, which are already common among infrastructure peers and increasingly expected by regulators in the United States, the European Union, and the United Kingdom:

1. Adopt and enforce an acceptable-use policy prohibiting use of service for websites and/or to content dedicated to graphic violence, violent extremism, and terrorism, consistent with Amazon Web Services and other peers;
2. Commission and disclose an independent review of sanctions-screening controls;
3. Expand transparency reporting to include abuse data for all “pass-through” services;
4. Establish a standing Board-level review of high-threat-customer exposure; and
5. Disclose how trust-and-safety, sanctions-compliance, and abuse-response functions will be resourced after the May 2026 workforce reduction, with continued Board-level oversight under the Company’s stated shift to an “agentic AI-first operating model.” [36]

We believe the cost of inaction, measured in litigation exposure, regulatory penalties, customer attrition, and reputational harm, is significantly greater than the cost of implementing these reforms.

Stand Against Extremism and Terrorism. 

Demand Board Accountability. 

Protect Shareholder Value.

Vote WITHHOLD on the election of Directors Michelle Zatlyn and Scott Sandell.

For more information, please contact Dani Nurick, JLens Director of Advocacy, at dani@jlensnetwork.org.

 

About the Anti-Defamation League

ADL is the leading anti-hate organization in the world. Founded in 1913 to protect the Jewish people, ADL works to stop the defamation of the Jewish people and secure justice and fair treatment to all. In the face of rising antisemitism and extremism, we protect, advocate and educate, through a mix of programs and services using the latest innovations and technology, and seek to create a world without hate. More at www.adl.org.

About JLens

Founded in 2012, JLens is a 501(c)(3) nonprofit and Registered Investment Advisor that empowers investors to align their capital with Jewish values and advocates for Jewish communal priorities in the corporate arena. JLens’ Jewish Investor Network is composed of 40 Jewish institutions, representing $15 billion in communal capital. In 2022, JLens established an affiliation with ADL (the Anti-Defamation League), the leading anti-hate organization in the world. More at www.jlensnetwork.org.

THIS IS NOT A PROXY SOLICITATION AND NO PROXY CARDS WILL BE ACCEPTED

This communication constitutes an exempt solicitation under Rule 14a-2(b)(1) of the Securities Exchange Act of 1934, as amended. Neither ADL nor JLens nor their affiliates are seeking proxy authority. No proxy cards will be accepted. Please execute and return your proxy card according to Cloudflare’s instructions. The views expressed herein are based on publicly available information and third-party research as cited.

 

Endnotes

[1] Cloudflare, Inc., Annual Report (Form 10-K), U.S. Securities and Exchange Commission (February 26, 2026), https://www.sec.gov/ix?doc=/Archives/edgar/data/0001477333/000147733326000016/cloud-20251231.htm.

[2] Usage Statistics and Market Share of Cloudflare, W3Techs (last updated April 2026), https://w3techs.com/technologies/details/cn-cloudflare.

[3] Anti-Defamation League Ctr. on Extremism, Keeping the Lights On: How Cloudflare Sustains Violent Extremism, Graphic Violence and Terrorism Online (May 20, 2026), [https://www.adl.org/resources/report/keeping-lights-how-cloudflare-sustains-violent-extremism-graphic-violence-and]

[4] Cloudflare, Inc., 2026 Definitive Proxy Statement (Schedule 14A), U.S. Securities and Exchange Commission (June 9, 2026), https://www.sec.gov/Archives/edgar/data/0001477333/000119312526263809/d160227ddef14a.htm

[5] Anti-Defamation League, Striking Similarities and Overlap in Online Footprints and Extremist Content of Teen School Shooters, ADL Research Shows (August 21, 2025), https://www.adl.org/resources/press-release/striking-similarities-and-overlap-online-footprints-and-extremist-content.

[6] Anti-Defamation League, From Gore to Hate: How ‘WatchPeopleDie’ Serves as a Gateway to Extremism (August 21, 2025), https://www.adl.org/resources/article/gore-hate-how-watchpeopledie-serves-gateway-extremis.

[7] Amy Judd, Tumbler Ridge B.C. school shooting: 8 dead, 27 injured, Global News (February 10, 2026), https://globalnews.ca/news/11662006/tumbler-ridge-school-shooting/.

[8] Student and teacher killed by 15-year-old in shooting at private school, Wisconsin police say, KPLC TV (December 16, 2024), https://www.kplctv.com/2024/12/16/multiple-injuries-reported-shooting-christian-school-wisconsin-police-say/.

[9] Alex Sundby, Teen shooter kills student, then himself at Antioch High School in Nashville, police say, CBS News (last updated January 23, 2025), https://www.cbsnews.com/news/antioch-high-school-shooting-tennessee/.

[10] Christa Swanson & Jesse Sarles, 2 students wounded in shooting at Evergreen High School in Colorado; suspect dead, officials say, CBS News Colorado (last updated September 11, 2025), https://www.cbsnews.com/colorado/news/shooting-evergreen-high-school-denver-metro-area/.

[11] Paul Kirby, Finland shooting: Child held after pupil aged 12 shot dead at school in Vantaa, BBC News (April 2, 2024), https://www.bbc.com/news/world-europe-68712104.

[12] 2025 Jakarta School Bombing: 96 Injured, Kompas (November 8, 2025), https://megapolitan.kompas.com/read/2025/11/08/22271011/korban-ledakan-sman-72-jakarta-bertambah-jadi-96-orang.

[13] Anti-Defamation League, Incels (Involuntary celibates) (last updated October 1, 2025), https://www.adl.org/resources/backgrounder/incels-involuntary-celibates.

[14] Anti-Defamation League, Accelerationism (February 4, 2025), https://www.adl.org/resources/backgrounder/accelerationism.

[15] Anti-Defamation League, extremely Newsletter (last updated April 24, 2026), https://www.adl.org/resources/article/extremely-newsletter.

[16] U.S. Dep’t of State, Office of the Spokesperson, Terrorist Designations of the Terrorgram Collective and Three Leaders (January 13, 2025), https://2021-2025.state.gov/office-of-the-spokesperson/releases/2025/01/terrorist-designations-of-the-terrorgram-collective-and-three-leaders/.

[17] Counter Extremism Project, Extremist Content Online: Cloudflare Provides Services to Pro-ISIS Propaganda Website (August 13, 2019), https://www.counterextremism.com/press/extremist-content-online-cloudflare-provides-services-pro-isis-propaganda-website.

[18] Laura Hautala, Cloudflare customers reportedly include foreign terrorist groups under US sanctions, CNET (December 14, 2018), https://www.cnet.com/news/privacy/cloudflare-customers-reportedly-include-foreign-terrorist-groups/.

[19] Cloudflare, Inc., Cloudflare Self-Serve Subscription Agreement (September 12, 2025), https://www.cloudflare.com/terms/.

[20] Matthew Prince, Terminating Service for 8Chan, The Cloudflare Blog (August 5, 2019), https://blog.cloudflare.com/terminating-service-for-8chan/.

[21] Matthew Prince, Why We Terminated Daily Stormer, The Cloudflare Blog (August 16, 2017), https://blog.cloudflare.com/why-we-terminated-daily-stormer/.

[22] Matthew Prince, Blocking Kiwifarms, The Cloudflare Blog (September 3, 2022), https://blog.cloudflare.com/kiwifarms-blocked/.

[23] Cloudflare, Inc., Enterprise Subscription Terms of Service (September 12, 2025), https://www.cloudflare.com/enterpriseterms/.

[24] Amazon Web Services, Inc., AWS Acceptable Use Policy (July 1, 2021), https://aws.amazon.com/aup/.

[25] Cloudflare, Inc., Q4 2025 Investor Presentation, Cloudflare at a Glance slide (February 2026), https://cloudflare.net/events-and-presentations/default.aspx.

[26] Moody’s Analytics, The BIG compliance and third-party risk management blog of the year  (December 18, 2024), https://www.moodys.com/web/en/us/kyc/resources/insights/the-big-compliance-and-third-party-risk-management-trends-topics-conversations-2024-and-whats-next.html.

[27] Jesselyn Cook, U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups, HuffPost (December 14, 2018), https://www.huffpost.com/entry/cloudflare-cybersecurity-terrorist-groups_n_5c127778e4b0835fe3277f2f.

[28] Cloudflare, Inc., Amendment No. 2 to Form S-1 Registration Statement, U.S. Securities and Exchange Commission (September 11, 2019), https://www.sec.gov/Archives/edgar/data/0001477333/000119312519242455/d735023ds1a.ht

[29] Second Amended Complaint, Levine v. Cloudflare, Inc., No. 4:24-cv-00461-AW-MJF (N.D. Fla.).

[30] Cloudflare confirmed receipt of ADL reports regarding: Documenting Reality, FashFront, and the Involuntary Celibate Forum. Cloudflare deferred to the origin hosting provider for WatchPeopleDie. Cloudflare requested more information for both ISIS propaganda websites. Cloudflare initially actioned but reversed course on American Futurist.

[31] Cloudflare, Transparency Report: Abuse Processes (H2 2025), 2026,
https://cf-assets.www.cloudflare.com/slt3lc6tev37/7IBPOyNLRJfQ7joWrmsVh0/d3947a86eb4d76801076094a85cf7ff7/2H_2025_Cloudflare_s_Transparency_Report_Abuse-v2.pdf

[32] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), arts. 34–35, 2022 O.J. (L 277) 1, https://eur-lex.europa.eu/eli/reg/2022/2065/oj.

[33] Id. art. 52(3) (providing for fines of up to 6% of annual worldwide turnover), https://eur-lex.europa.eu/eli/reg/2022/2065/oj.

[34] Online Safety Act 2023, c. 50, §§ 9–11 (U.K.), (2023), https://www.legislation.gov.uk/ukpga/2023/50/contents/enacted.

[35] Justice Against Sponsors of Terrorism Act, Pub. L. No. 114-222, 130 Stat. 852 (2016), https://www.congress.gov/114/plaws/publ222/PLAW-114publ222.pdf.

[36] Cloudflare, Inc., “Cloudflare Announces First Quarter 2026 Financial Results,” press release, May 7, 2026, https://cloudflare.net/news/news-details/2026/Cloudflare-Announces-First-Quarter-2026-Financial-Results/default.aspx

[37] Cloudflare, Inc., Corporate Governance Guidelines (as amended March 6, 2025), Section A.1 (Role), available at https://cloudflare.net/files/doc_downloads/governance/2025/Cloudflare-Corporate-Governance-Guidelines-March-2025-1.pdf.