Dear shareholders, investors, customers and media, welcome to our investor call SSH Communications Security Business Review Q3 2020 Results. The presentation will be available on our website after the call. My name is Lauri Koponen. I'm the Communications Manager here at SSH Communications Security. The results will be presented by our CFO, Niklas Nordström, and CEO, Teemu Tunkelo. You can ask questions at the end of the event by raising hand or asking to speak or just writing in the chat your question and I will read them out loud. We have still people joining us. Welcome, dear guests. Just as a reminder, please keep your microphones muted whenever you don't have the floor. Let's start with the financial results presented by CFO, Niklas Nordström. Niklas, the floor is yours.
Thanks, Lauri. Jumping right into the first slide. You can go ahead and click. Thanks. We are pleased to report good progress in the company in Q3, during which we grew 17% versus the comparison period. We recorded a third consecutive quarter period in a row, even though Q3 particularly didn't include new significant whale-sized customers. Q4 is typically our strongest quarter, and we'll of course focus on subscription sales, which is stable and more predictable revenue long term. During Q3, we controlled our costs in a very tough inflationary economy, and we recorded EUR 0.4 million positive EBITDA. Now that we have started the commercial phase of NQX, we are recording the hardware component as cost of goods sold upon delivery. This cost reflected to our EBITDA by approximately EUR 0.2 million.
That explains why our EBITDA was slightly below the comparison period and the previous two quarters. However, as you can see from the personnel line item on the slide, we have been able to increase our head count and still maintain a relatively good EBITDA margin while at the same time attract critical product management, sales, customer service and R&D talent in a very competitive market. One more highlight to raise, our recurring revenue ARR reached EUR 17.6 million in September, growing 21% to the comparison period, and our subscription ARR respectively was EUR 9.2 million, growing handsomely 46% versus the comparison period. This growth was driven mainly by PrivX. The large EUR 2.1 million NQX order, received in June was completed only during the last days of quarter, so its revenue recognition impact was very small.
We are pleased about this positive development in these numbers, and they're of course fully organic numbers. To highlight this, we have been successful in transitioning a number of our customers into the subscription model through the introduction of innovative additions and future-proof technologies to our portfolio. This can be seen in that our subscription revenue actually surpassed our maintenance revenue in Q3, and the reported ARR development backs that up. A word on our liquid assets. As you can see from the history, our business is cyclical in terms of how our cash generation is distributed during the accounting period.
This time around, we experienced a couple of days delay in a larger payment, which resulted in the fact that this money, which is now received, will be a part of Q4 figures, which as I said, we expect to be strong as the majority of our renewals along with the EUR 2.1 million cash from the NQX delivery will all hit Q4. I think that about covers this slide. Moving on to the next slide. If you click also. Thanks. Revenue grew across all of our regions with EMEA being in the driver's seat. EMEA growth was driven by almost 30% increase in maintenance revenues as well as subscription revenues. Both grew close to 30%.
Like in the previous quarter, we did get some support from the strong dollar, but on a group level, this is in a single digit percentage territory for year to date. The effect of the FX rates on our group figures is of course mitigated by strong performance in EMEA. The euro's increasing relative weight in our currency mix. Final word from the CFO. As some of you might have noticed, I'm moving towards new challenges in my career, around the end of the year, and this will be my final quarterly release and investor call at SSH. Therefore, I'd also like to take this opportunity to thank all of you, our investors, analysts, for the past years. I think I'm leaving the company and my areas of responsibility in a good shape, and the company is well-positioned for continued growth. Thanks.
Thank you, Niklas, very, very much. Thank you also for the numbers, and let's move on to the facts behind the numbers. Our CEO, Teemu Tunkelo. Please, Teemu, you can start.
Thank you. I first want to thank Niklas for the almost three years of cooperation. It has been great, and I wish you all the good for the future. If we go back to the things behind the numbers, we again, in Europe, have been recognized as a leader, not only by these industry analysts, but also by single customers, which are showing growth. I think we are on a good path. The challenge for us is we have increased the average size of our customers, which means that in our current size, one customer coming in will, with subscription model, what will impact the next year, not this year. If it comes in two weeks late, it impacts the last quarter now. I personally look at more six months running average than what actually happens in the last quarter.
That's just my own opinion. We are working with Gartner more on the U.S. market now. Also with the leadership position in their recommendation at the moment, we are a clear leader with our technology in the European market, and that is also reflected in our numbers that bigger commitments from our customers are coming because our technology is solid. What has happened during the summer and in the latest months is that the competition has started to follow the investment and marketing relative to quantum computing, quantum key distribution, post-quantum cryptography. It is still early stages to see the commercial results. Our strategy with the Zero Trust and now with Quantum-Safe.
I would say at the moment we are getting into the professional services with quantum computing, post-quantum computing, and it will be reflected later in our numbers. If you take the technology keys, we started with SSH keys as the first digital keys that were permanent. Like in a hotel when I was young, you actually got a physical key. Now you get a key card. Then when internet came, instead of digital keys, we started to put certificates, which have a lifetime nowadays, only 825 days, so almost three years. It's also very static. What we have done as our big investment in R&D has been PrivX. In PrivX, your keys have only five minutes. Like in a key card, you have a central place in your reception where you can switch off the key when it's not needed anymore.
The post-quantum phase is coming. We've done major investments in it. We are, I think, one of the two leaders in Europe on quantum cryptography and on things doing Quantum-Safe solutions without separate hardware elements. We are doing it completely by software, where I think we are a world leader. We are Zero Trust, which means no keys, no passwords. We have an evolution path for our customers when they want to go to Quantum-Safe. It's easy with us without any major changes.
That is highly respected by our customers because we do have a long history that we are proven in use with our software solutions, and we are also very much stronger on being future-proof with Zero Trust, Quantum-Safe, and also with all the helping factories, harbors, airports to protect themselves because critical infrastructure, especially with taking into account the geopolitical situation in Europe, OT people, so factory people, critical infrastructure people are getting more aware of the things that banks and governments have been aware for years. We have the two technologies, zero trust and quantum safe, and we have a completely new market, operational technology, which is making a good ground for what Niklas said. He is leaving the company in a good shape.
We have a very solid base to grow because of the transition to subscription model and because of the key three elements of our strategy, Zero Trust, Quantum-Safe, and operational technology. We also want to more communicate about what we are because we have a challenge that our customers are not really excited to tell what we do for them. We want to more clarify what we do, and I want to focus on the guiding principles that we are using in the company. We want to be closer to our customers. We want to understand their issues, and we want to help them to increase their safety in what we call defensive cybersecurity. Very many people associate cybersecurity with hackers, which is a kind of a negative tone. We don't do hacking. We do the opposite. We defend.
That's becoming more and more important that people say, "Hmm, there we have internal threats, we have external threats, but what is important for us that we are safe." We make digital fences, we make digital gates, we follow who goes through the gates and when they come out, and we provide that information to our customers. Of course, from a more selfish side, we want to drive our profitable growth to a new level and with the help of the subscription and recurring revenue, because we are a people business, we are really on a good track. We still have a challenge of single big orders, but at least people, because people are our biggest assets, they get paid monthly. We need to get paid monthly by our customers, so we can keep our P&L in order.
We want to be better in the market to provide what the customers need, when they need it, at an optimal cost. This is basically the driving force of how we implement defensive cybersecurity for our customers, with our customers in a changing world with future-proof solutions. Our outlook remains the same. We do believe the market is favorable. We do believe we are in a strong base. We are continuing to invest in our R&D, which is our people are the biggest asset. Still we want to maintain the EBITDA and cash flow positive in our business. I think at the moment we are very well-positioned to reach that target. Moving forward, Zero Trust is a reality. It's making business for us.
It's coming to all our product lines where the PrivX is leading the game, being more and more the platform for our own products or with older products so that we don't have to recreate new products. We use PrivX as a platform to make Tectia, NQX, UKM to be Zero Trust, so passwordless, keyless to defend our customers' environment. I already mentioned the operational technology that for us, we have always been strongest in financial market, so banking and insurance. Now the OT technology, factories and harbors are coming up, and there we have a bigger and bigger role in our professional services to help them to understand what banking and governance have understood over the last 20, 30 years. Looking forward, last but not least, is the quantum-safe solutions that we have started to develop already years ago.
We have created a strong team to understand the technology, working with key partners, universities, European to be the first one that actually we already have created two products that are Quantum-Safe, and we are helping our customers understand when and what they have to do with Quantum-Safe. Niklas was meeting one of our customers, I think probably a year ago, and they told us that "We don't know if quantum computers ever come, but we have to be prepared for it." That trend is growing. Zero Trust is here. OT is expanding, and quantum computing has created a lot of market interest from the customers, and we are helping customers to understand what does quantum computing and especially key exchange, client encryption, what does it mean for them, and what is the optimal implementation schedule for them to come to the quantum edge?
With these comments from my side and Niklas' comments on the number side, I would like to hand it back to Lauri that we can open the Q&A session.
Yes. Thank you, Teemu. As a reminder, so let's move to the Q&A section, and you can ask to speak via chat or by raising your hand. You can also write your question in chat, and I will read it out loud. Please. Here is first question. Forbes, you can start.
Hello, and good morning. I know this subscription ARR grew by about EUR 1.3 million compared to the last quarter, Q2 2022. Could you explain where you're seeing this growth? If the ARR from the EUR 2.1 million order that you received or that you delivered now at the end of Q3 is in there as well? Thank you very much.
First, they
Yeah. Niklas, if you can start.
Yeah, I'll comment that the subscription ARR growth is driven, at this moment, in majority by PrivX. The 2.1 million euro NQX order is in the figures, but with a negligible revenue recognition impact. When we deliver NQX, we can start revenue recognition only upon delivery of also the hardware component. That determines sort of. In license business, typical revenue recognition pattern is that immediately when the PO comes, we release the license, and we can record as revenue. But here, since there is a hardware component, it's dependent on the actual physical delivery. These deliveries or the majority of these deliveries happened at the end of the quarter. There is some revenue, but the majority of the impact will hit Q4.
That is a new thing, at least compared to what I learned when I did my PhD in economics, but is it nowadays with subscription business, the cash flow is separated from revenue. We might get a lot of cash from the customers, but we have to live with that money for a long time because we are people business. We pay people every month, so we also recognize the revenue over time, which means it makes our numbers smoother. We have to manage the business both by the traditional EBIT and order intake and by the cash flow. Because we get the cash at a certain time of the year, and we have to live all year with that money. The traditional way to read P&L doesn't really apply now that we have transitioned to dominantly subscription business.
Okay. Do you have more questions, Forbes?
Yeah. I have a couple.
Yeah.
I mean, you report the subscription ARR, but going into the product to understand better how much of that comes from PrivX and NQX and Deltagon and so on, is that something you can share or what can you say about this?
Well, we don't share single product line numbers. What we can say is that on a percentage growth, NQX is the winner because the base is small. I think, I like to use the term that PrivX is now moving the needle. Earlier, PrivX was like NQX, so it was growing well, but it didn't impact the numbers. Now, PrivX is our primary growth engine. NQX grows faster in percentage, but it still has time before it can catch the PrivX numbers. With the post-quantum cryptography, we can see that Tectia, which is our flagship product, is the biggest and profitable product line, is getting revival because people want to move from static keys to Zero Trust keys. They want to move from Zero Trust keys partially to quantum over time. We have a lot of growth there. Deltagon continues to grow.
It's a different business that the average deal size is much smaller. That makes it is more stable and it's our second biggest product line. UKM is still, it's the one where we do most perpetual deals, and those deals are typically EUR 200,000 up to EUR 1 million or even EUR 2 million. In our size, UKM is the one that shapes our numbers. We are reviving Tectia. We are continuing the stable positive development with Deltagon. PrivX and NQX will be driving the growth, and UKM will be the one that until we are two-three times bigger than today, UKM will shape the quarterly numbers.
Thank you, Teemu. We have a couple of questions in the chat, so I will read them out loud. Sorry, Forbes, did you have any more questions?
I have two more. I can read them out loud both.
Yeah.
The first one is, has anything changed in your favor since NQX received this TL3 level security certification? That's the first. The second is, what is your outlook for license sales? Because you received a very big license sale in Q4 of 2021, but since then it's been quite soft. Is there anything you can tell us about that? That will be all from me. Thanks.
Well, I think on the latter side, we are working very hard on closing major license deals during the end of the year or early next year. I still believe that our long-term average should be 20% license, 80% subscription. Now, we are at the moment, I think, over 90% on subscription. The big whales, we might have them hooked, but they are not in the boat. The first question maybe, Nik, you could do that.
Which one? Sorry, what was the-
The one about NQX.
Yes.
What has changed in your favor since the certification?
Of course, you know, receiving the certification was a prerequisite for getting those orders in. As soon as we received the certification, it was in the books we received. Was it three major orders? One of which exceeded the notification threshold for the EUR 2.1 million order.
We are in very early phases, so if you think that we basically had half a year ago one customer, now we have in the books, Niklas, five or six customers.
Six.
Six. That's six times more than half a year ago. I think we are on a good track, and we have a lot of discussions ongoing. Before the fat lady sings, they are not in the books.
Yeah. We have three, for example, foreign governmental customers who are sort of circling around NQX are very interested. We have demoed the product to them, so it's not just the Finnish security critical customers who are interested in or can use this product. It's in a good position.
Perfect. Next we have question, the NQX delivery is fully in ARR, but only a slight amount is Q3 top line. Is this correct?
Incorrect. The ARR is calculated by multiplying the last month of the quarter. The revenue recorded during the last month of the quarter multiplied by 12. If there is a slight amount of revenue that is fully reflected in the ARR. During Q4 when we report these figures, it will be in full, but not yet in Q3.
Thank you. Next question, what happens with CFO share options when he leaves the company?
Well, Niklas, you can correct me, but in principle, the vested options will remain, that he has the right to execute the options. The unvested options will return to the company.
That's correct.
Thank you. We have more questions, and please write your questions in the chat or raise a hand if you have something to ask. How many new customers did you got in Q2 and Q3? These numbers were released in Q4 and Q1, but seems to be missing for the last two quarters.
Yeah, it's a little bit of our technicality or reporting problem because we have reduced the number of customers we deal directly. We move them to partners. We are reducing the number of partners. When we talk, the customers where we have a bill to address, that number actually has reduced because we sell through the partners. We are still working on getting the reporting right that if we sell to a big telecom operator in Finland, they might have a lot of customers, but for us it's one customer. Many of these partners don't want to disclose to us the end customer. We have kind of through our partnering strategy, we have lost the visibility of how many real bill to customers we would have if we would sell directly.
With the number of direct customers for us, we are constantly focusing on increasing the customer size that we deal directly. We have moved and we are moving smaller customers to our partners. I haven't yet found a way to report in a way that would make sense that what does it mean, how many customers do we have? If I take it in scale, the most customers we have with Tectia and then with Deltagon, and then PrivX is the third biggest one, having customers directly or through partners, UKM less and NQX has, say, six. Giving a meaningful number is still something we are working on.
Q4 last year, we were still working very much on the direct sales model, and then it was easy to report how many bill-to customers we have, and now we have to find a meaningful way of reporting it in the future.
Thank you, Teemu. Please, we have still time for questions. I see there is. Yes. Just basic comment. Good luck, Niklas, in the next challenges. Have enjoyed these reviews. Thank you. Any more questions? We'll wait 10 seconds if somebody wants to ask some. I think at this point we don't have any more questions. Thank you once more, dear guests. Thank you, Niklas. Thank you, Teemu. Materials for this call will be available on our webpage later this day. Hope we have a lot of different content, webinars, events, and workshops now ongoing. Please visit our website, follow us, especially on LinkedIn, Twitter also, but LinkedIn is our main channel, and join our events. SSH Communications Security will release its financial reporting calendar for 2023 during the quarter four in November. Please stay tuned.
My name is Lauri Koponen. I'm Communications Manager here at SSH. I thank you, and please have a good day. Bye.