Back to GetFilings.com

Table of Contents

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10-K

For the Fiscal Year Ended December 31, 2003

Commission File Number: 000-26223

TUMBLEWEED COMMUNICATIONS CORP.

(Exact name of registrant as specified in its charter)

700 Saginaw Drive

Redwood City, CA 94063

(Address of principal executive offices, including zip code)

Registrant’s telephone number, including area code

(650) 216-2000

Securities registered pursuant to Section 12(b) of the Act:

None

Securities registered pursuant to Section 12(g) of the Act:

Common Stock, $0.001 par value per share

Indicate by check mark whether the Registrant (1) has filed all reports required by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes  x    No  ¨

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of Registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.  ¨

Indicate by check mark whether the registrant is an accelerated filer (as defined in Rule 12b-2 of the Act).    Yes  x    No  ¨

The approximate aggregate market value of the Common Stock held by non-affiliates of the Registrant, based upon the last sale price of the Common Stock reported on the Nasdaq National Market on June 30, 2003, was approximately $66,751,479. Shares held by each officer, director, and holder of 5% or more of the outstanding Common Stock have been excluded in that such persons may be deemed affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.

The number of shares of common stock outstanding as of February 13, 2004 was 42,498,577.

Table of Contents

SPECIAL NOTE ON FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934, which are subject to the “safe harbor” created by those sections. The forward-looking statements are based on our current expectations and projections about future events, including, but not limited to:

Discussions containing such forward-looking statements may be found in “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” In some cases, you can identify forward-looking statements by terminology such as “may,” “will,” “should,” “could,” “predicts,” “projects,” “potential,” “continue,” “expects,” “anticipates,” “future,” “intends,” “plans,” “believes,” “estimates,” or the negative of these terms and other comparable terminology. These forward-looking statements are only predictions, not historical facts. These forward-looking statements involve certain risks and uncertainties, as well as assumptions, that could cause actual results, levels of activity, performance, achievements and events to differ materially from those stated, anticipated or implied by such forward-looking statements. Factors that could cause or contribute to such differences include those discussed under the caption “Risks and Uncertainties” contained herein, as well as those discussed elsewhere herein. These forward-looking statements are made as of the date of this Annual Report on Form 10-K. Tumbleweed disclaims any obligation to update or alter these forward-looking statements, whether as a result of new information, future events or otherwise.

2

Table of Contents

TUMBLEWEED COMMUNICATIONS CORP.

2003 FORM 10-K ANNUAL REPORT

TABLE OF CONTENTS

TRADEMARKS

Our registered trademarks include Tumbleweed^®, Tumbleweed Communications^®, Secure Envelope^®, Secure Inbox^®, Tumbleweed IME Integrated Messaging Exchange^®, WorldSecure^® and Worldtalk^®. Additional trademarks belonging to us include Tumbleweed Secure Guardian^™, Tumbleweed Secure Policy Gateway^™, Tumbleweed Secure Staging Server^™, Tumbleweed Staging Server^™, Tumbleweed Secure Mail^™, Tumbleweed Secure Redirect^™, Tumbleweed Secure Public Network^™, Tumbleweed SPN^™, Tumbleweed Secure Archive^™, Tumbleweed Secure Web^™, Tumbleweed Secure CRM^™, Tumbleweed Secure Messenger^™, Tumbleweed Secure Statements^™, Tumbleweed My Copy^™, Tumbleweed L2i^™, Tumbleweed IME Developer^™, Tumbleweed IME Personalize^™, WorldSecure/Mail^™ and Tumbleweed IME Alert^™.

3

Table of Contents

PART I

Item 1—Business.

Overview

Tumbleweed Communications Corp. (“Tumbleweed” or “we”) is a leading provider of secure Internet messaging software products for enterprises and government. Our solutions are used by companies when email, file transfer or Web communications are mission-critical. By making Internet communications secure, reliable and automated, our products help customers significantly reduce their cost of doing business.

We have more than 700 enterprise customers who use our products to connect with over ten thousand corporations and millions of end-users. Tumbleweed’s market focus is in the financial services, healthcare and insurance, government and enterprise markets. Our customers include ABN Amro Bank, Catholic Healthcare West, Bank of America Securities, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), Society for Worldwide Interbank Financial Telecommunication (SWIFT), St. Luke’s Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps.

Our software solutions are:

Industry Background

The use of corporate email systems, customer service applications and web services has grown as enterprises increasingly rely on these applications to communicate with their customers, business partners and suppliers. Enterprises seek communications applications that integrate business processes and associated data with email and web applications and transform how they communicate and conduct business with their customers and partners. The volume of corporate Internet communications has grown significantly over the past several years in both the business and consumer markets. However, these systems are increasingly challenged by the threats of hackers, viruses, spam overload, email spoofing and phishing attacks.

To fully leverage the power of communicating using the Internet and email, businesses must first address the issues of security, centralized management, automation, legacy integration and end-user behavior, as well as potential adoption issues. The policies and management protocols traditionally applied to paper or voice-based processes within a company in many cases are now being applied, appropriately, to email communications. The adoption of these policies and protocols is critical to establish compliance with regulatory requirements and to provide enterprises the same audit trail and confidentiality protections that paper processes supply. End-users are also interested in easily accessible online services and communications from the companies with which they do business.

With comprehensive communication security solutions, businesses can deploy policies enterprise-wide, provide critical management of communications, and leverage the investment they have made in their existing systems in order to maximize business conducted on the Internet.

Tumbleweed’s Secure Internet Messaging Applications and Services

We offer a comprehensive family of secure messaging software applications that enable enterprises to leverage the cost-efficiencies and productivity of Internet communications. In addition, all of our solutions are designed to integrate with existing business and email systems, requiring no significant change in existing firewall or system infrastructures. Our applications can be purchased independently or together to create a secure Internet communications solution for businesses. All of our solutions offer multi-level security using industry standards, universal access, and proven scalability for high volume message traffic.

4

Table of Contents

Tumbleweed Email Firewall and Dynamic Anti-Spam Service

The Tumbleweed Email Firewall (formerly called Tumbleweed MMS) allows enterprises to apply anti-spam filtering, anti-virus scanning, encryption and content policy to inbound and outbound email communications, at the email gateway. The Tumbleweed Email Firewall enables companies to centrally control, manage and monitor their Internet email communications stream. This allows our customers to improve their capability to comply with their internal corporate policies as well as government regulations.

Tumbleweed’s Dynamic Anti-Spam Service (DAS) provides daily updates of anti-spam filtering rules including URL block lists, heuristic filter data and blacklisted domain listings. The DAS service ensures that the Email Firewall adapts to the changing nature of unwanted spam messages, thereby providing effective blocking of spam email at the email gateway without requiring tuning by the customer.

The Email Firewall features a Secure Policy Gateway for centralized policy enforcement, and a suite of software process managers and optional applications that can be quickly configured to define and enforce the policies appropriate to a particular business. The Email Firewall Content Manager scans messages and attachments for specific words or strings of words. When a policy violation is detected, Tumbleweed Email Firewall can take a number of actions, such as block, quarantine, archive, or defer delivery. With the Email Firewall Access Manager, companies can set policies that restrict access of email communications from certain senders or those sent to certain recipients. For example, policies can block inbound messages from known problem or spam domains, or prevent confidential information from being sent to an unwanted domain.

The Email Firewall Virus Manager uses integrated server-based anti-virus software from Network Associates to detect and optionally clean or strip infected attachments in both incoming and outgoing messages. This provides a first-layer of anti-virus defense, by filtering viruses out before they enter a corporation’s network and email servers.

The Email Firewall can encrypt and digitally sign email messages as they are sent from the server, allowing companies to secure their email communications with other companies who are using S/MIME-compliant email products (S/MIME is an industry standard for encrypted email). The Email Firewall also decrypts incoming emails and verifies digital signatures on incoming emails. Content policies can be configured by companies so that signed emails from customers or partners bypass the anti-spam filters, thereby giving a higher level of assurance that emails will be delivered securely and reliably between trusted business partners. For communicating with end-users who do not have S/MIME compliant email software, the Email Firewall can integrate with the Tumbleweed Secure Redirect product for secure Web-based email delivery.

Tumbleweed Secure File Transfer

The Tumbleweed SecureTransport product family is file transfer software for sending and receiving business files over the Internet securely and reliably. SecureTransport is used by companies to communicate with their customers, partners and suppliers. SecureTransport can be used to send small business-critical messages, as well as to reliably deliver very large files that can exceed one gigabyte in size.

The Tumbleweed SecureTransport product family includes server software, client software, and toolkits for customization and integration into business systems. SecureTransport allows file transfers to be initiated interactively by users who access the server with a standard Web browser or an interactive client software. SecureTransport also allows transfers to be initiated automatically, according to schedules or driven by back-office enterprise systems. Incoming and outgoing files can be connected to existing back-office systems through a Java-based Transaction Manager.

SecureTransport is used by enterprises to send EDI files to suppliers in their supply chain. It is also used extensively in the financial services markets to send and receive corporate payment messages, check images, reports, and other kinds of financial messages. Because SecureTransport is compliant with the Internet security requirements of the U.S. Healthcare Information Portability and Accountability Act (“HIPAA”), it is used extensively in the insurance and healthcare markets to move patient records, billing information and EDI files.

Tumbleweed Secure Email and Document Delivery

Tumbleweed Secure Redirect is server-based software that enables any Internet email server to send and receive email and documents securely. Companies use Secure Redirect to securely communicate over the Internet with individuals or companies, without requiring those end-users to have any kind of secure email software. Recipients of messages only need an e-mail program and a web browser to receive encrypted messages.

5

Table of Contents

Tumbleweed Secure Redirect can scan the content of outgoing messages originating from groupware applications or web-based email applications and then encrypt those communications for delivery depending upon a company’s policies. Recipients can be authenticated by a variety of methods, using known information about the recipient or by tying into an internal authentication database or system existing within the company (lightweight directory access protocol, directory, single sign-on directory, etc.). Tumbleweed Secure Redirect also allows enterprises to apply security to emails originating from an internal customer relationship management system.

The advantages of Tumbleweed Secure Redirect include:

Tumbleweed Secure Redirect is used in the insurance and healthcare markets to communicate between patients, doctors, hospitals and pharmacies. It is used in financial services to send bank and brokerage statements to customers securely. The manufacturing and logistics industries use Secure Redirect to encrypt email communications across their supply chains.

Tumbleweed Identity Validation

Tumbleweed Valicert Validation Authority is a family of client and server software for validating the identity of users on the Internet in real-time. The Validation Authority allows digital certificate credentials to be used to authenticate users to computers and software applications, sign documents and encrypt email.

The process of digital certificate validation is similar to the process used to authorize credit card transactions. To begin with, a relying party, which is client or server software that checks signed data using another private key, verifies that the certificate has not been revoked, as part of the run-time use of digital certificates. Then a certificate chain should be constructed, up to a trusted root. Each certificate can then be verified to determine that it has not been revoked.

The Validation Authority can validate a certificate issued by any Certificate Authority (CA). The Enterprise Validation Authority is a robust, fourth generation server that provides online validation support using industry standards. It integrates with major Certificate Authority (CA) products and services including those from Baltimore Unicert, Entrust PKI, Microsoft CA, AOL/Netscape CMS and SunValidation Authority (VA) and delivers a comprehensive, scalable, and reliable framework for validating digital certificates in real time.

The Tumbleweed Valicert Validation Authority product family is comprised of the Enterprise Validation Authority server, Server Validator, Validator Toolkit, and Desktop Validator. The product family is used by financial institutions to authenticate the identity of banks, payment networks and business customers for high-value communications and transactions. In the government sector, the Tumbleweed Valicert Validation Authority product family is used in the Department of Defense for authentication to computers and applications, and for verifying the identity of email senders.

6

Table of Contents

Tumbleweed Professional Services

The following are examples of the professional services we offer:

Our products are generally deployed in business-critical environments, where highly responsive customer support is critical to the continuing success of the deployed solution. We maintain a centralized technical support group that is responsible for first-line and second-line customer support as well as distribution of products and documentation updates. This group works closely with our professional services and product development organizations in order to ensure continuity in the areas of problem resolution and priority response.

We also offer extended customer assistance 24 hours a day, 7 days a week, for those customers requiring around the clock support. Pricing for such support is negotiated separately and is in addition to our standard fees.

Professional services are performed for an additional fee and are offered in conjunction with the licensing or deployment of our products.

Strategy

Our objective is to be the leading provider of secure Internet messaging software products for enterprises and government. Key elements of our strategy are:

7

Table of Contents

Customers

The following is a list of each of our business customers that in 2003 entered into a contract to pay us $50,000 or more.

Advanced Micro Devices, Inc.

Aetna Inc.

Affiliated Computer Services, Inc.

AIM Management Group Inc.

Air Academy Federal Credit Union

Alere Medical, Inc.

ALLTEL Corporation

American Fidelity Assurance Company

American Healthways, Inc.

Ameritrade, Inc.

AmSouth Bank

Aon Corporation

Arkansas Blue Cross and Blue Shield

Automatic Data Processing, Inc.

Availity, LLC

AXA Financial, Inc.

Bank of America Corporation

BJC HealthCare

Blue Cross and Blue Shield of Kansas City

Blue Cross and Blue Shield of Nebraska

BlueCross BlueShield of North Dakota

Boehringer Ingelheim GmbH

Cadwalader, Wickersham & Taft LLP

Canada Post Corporation

Capital BlueCross

CapitalOne Financial Corporation

Catholic Healthcare West

Certegy Inc.

ChevronTexaco Corporation

Children’s Hospital Boston

Childrens Hospital Los Angeles

CIGNA Corporation

Clarica Life Insurance Company

Cleary, Gottlieb, Steen, and Hamilton

Community Foundation of Northwest Indiana, Inc.

Conexant Systems, Inc.

Conseco Services, LLC

Countrywide Home Loans, Inc.

Credit Suisse First Boston LLC

Data Connection Ltd

Deere & Company

Dell Computer Corporation

DHL International, Ltd.

Diners Club International Ltd.

e-Japan, Ltd.

Empire HealthChoice Assurance, Inc.

EMSource, LLC

Federal Reserve Bank

First Tennessee National Corporation

Freddie Mac

General Motors Corporation

Gilead Sciences, Inc.

GlaxoSmithKline plc

Great Lakes Education Loan Services, Inc.

Group Health Cooperative

Harrah’s Entertainment, Inc.

Health Net, Inc.

Healthcare Services Group, Inc.

Hewitt Associates LLC

Hibernia Corporation

Horizon Blue Cross Blue Shield of New Jersey

Huntington Bancshares Incorporated

Independence Blue Cross

IndyMac Bancorp, Inc.

Insurance Services Office, Inc.

J.P. Morgan Chase & Co.

j2 Global Communications, Inc.

Janus International Holding LLC

John Hancock Financial Services Inc.

Keystone Mercy Health Plan

LabOne, Inc.

Lam Research Corporation

Lehman Brothers

Long & Foster Companies

Manufacturers and Traders Trust Company

Massachusetts Financial Services Company

Massachusetts Mutual Life Insurance Company

McKesson Corporation

Medco Health Solutions, Inc.

Medimpact Healthcare Systems, Inc.

Memorial Sloan-Kettering Cancer Center

Merck & Co., Inc.

Metropolitan Life Insurance Company

Mi8 Corporation Inc.

Mount Sinai NYU Health

MultiCare Health System

National City Corporation

National Semiconductor Corporation

New Century Mortgage Corporation

Nexen Inc.

Novo Nordisk A/S

ntl Group Limited

OMD The Worldwide Media Network

OmniStep Inc.

Operational Research Consultants, Inc.

Oregon Health & Sciences University

Oxford Health Plans, Inc.

Pacific Life Insurance Company

Palmetto Health

Perot Systems Corporation

Pitt County Memorial Hospital

Premera Blue Cross

Primerica

ProBusiness Services, Inc.

Prudential Financial, Inc.

Raytheon Company

Republic Mortgage Insurance Company

Robert Half International Company

Royal Bank of Canada

Safeway Inc.

Shaw’s Supermarkets, Inc.

St. Joseph Health System

Stanford Hospital & Clinics

State Street Corporation

Takeda Chemical Industries, Ltd.

TD Waterhouse Group, Inc.

Tenet Healthcare Corporation

The Cleveland Clinic

The Regence Group

Time Warner Inc.

Travelers Property Casualty Corp.

Trinity Health Corporation

U.S. Bancorp

UBS Warburg

University of North Carolina Health Care System

Verizon Communications Inc.

Vision Service Plan

Wal-Mart Stores, Inc.

Washington Mutual, Inc.

Wells Fargo Bank

WesCorp Federal Credit Union

Winchester Hospital

Xcel Energy Inc.

8

Table of Contents

For 2003, 2002 and 2001, five customers comprised approximately 16%, 23%, and 17%, respectively, of our revenue. The loss of one or more of our major customers, the failure to attract new customers on a timely basis or a reduction in usage and revenue associated with the existing or proposed customers would harm our business and prospects. For the years ended December 31, 2003, 2002 and 2001, respectively, no single customer comprised 10% or more of our revenue.

Backlog

Our backlog consists of deferred revenue as well as contractual agreements with customers for which future installments to be billed and received from the customer that are not yet currently due and payable or for which the software has not yet been shipped to the customer. Our backlog excludes all items relating to consulting services. Backlog was $15.3 million and $8.0 million at December 31, 2003, and 2002, respectively. We believe that $12.3 million of the backlog at December 31, 2003 will be recognized as revenue in 2004. In addition, we will also recognize $672,000 of consulting revenue in 2004 as a result of a prepaid consulting contract that has an expiration clause that will require full revenue recognition in 2004 for the portion of that contract that is in deferred revenue at December 31, 2003.

Sales

We maintain a direct sales force that focuses on signing key enterprise customers as well as further penetrating existing accounts by selling them new or expanded applications. Our sales force consists of a total of 49 employees as of December 31, 2003. Sales offices in the U.S. currently include Redwood City, California; Herndon, Virginia; New York, New York; and Oakbrook Terrace, Illinois. Our sales force includes field sales engineers and inside sales personnel who support the account executives. Field sales engineers assist our account executives with technical presentations, customer requirements analysis and initial solution designs. Our inside sales personnel assist the account executives in managing their customer relationships and qualifying new accounts. Our sales effort is augmented by the sales forces of our channel partners. The typical sales cycle can range from one to nine months, but may be longer for large contracts.

Marketing

Our marketing efforts are organized around three primary areas: product marketing, product management and corporate marketing. Product marketing identifies target markets and customer opportunities, then develops the positioning, programs and materials to reach customers and support sales activities. Product management translates customer and market requirements into product plans and works with engineering to ensure completion. Product management also trains salespeople on product information. Corporate marketing drives overall market awareness of Tumbleweed as a company and our products through analyst and investor relations, media, events, and speaking engagements. Corporate marketing is also responsible for branding, corporate identity, and the Tumbleweed website. Both product marketing and corporate marketing work closely with direct sales and channel sales partners to focus programs more effectively and guide product research and development.

Governmental Regulation

All of our products are subject to U.S. export control laws and applicable foreign government import, export and/or use requirements. Minimal U.S. export restrictions apply to all products, whether or not they perform encryption functions.

The Export Administration Regulations of the U.S. Department of Commerce regulate the export of most commercial products with encryption features. Under regulations issued by the Department of Commerce in January 2000, encryption products of any key length, may be exported, after a one-time technical review, to non-governmental end-users around the world, except for embargoed countries and specific prohibited end-users. Encryption products may be exported to governmental end-users under special Encryption Licensing Arrangements or individual export licenses that may be issued at the discretion of the Department of Commerce. In October 2000, the Department of Commerce further revised the Export Administration Regulations to relax some reporting requirements and to remove the export licensing requirement for shipments to governmental end-users in 23 countries, including most of the United States’ major trading partners. In June 2002, the Department of Commerce amended the encryption regulations again to conform them to the control lists implemented by other countries that are also members of the Wassenaar Arrangement. We believe that we have completed the necessary technical reviews of the products and services we currently export, but new products that we acquire or develop may require technical review before we can export them. For the export of some of our products, we are subject to various post-shipment reporting requirements.

9

Table of Contents

The changes to the export regulations allow our products to be exported more quickly and at stronger strength and, therefore, be more competitive with products from foreign producers. However, the export regulations may be modified at any time. In light of the ongoing discussions regarding anti-terrorism legislation in the U.S. Congress, there may be an increased risk that export regulations may be modified in the future. Modifications to the export regulations could reduce or eliminate our ability to export some or all of our products from the U.S. without a license in the future, which could put us at a disadvantage in competing for international sales compared to companies located outside of the U.S. that would not be subject to these restrictions.

Intellectual Property

We own 18 U.S. patents issued by the U.S. Patent and Trademark Office — 17 utility patents and one design patent. We have filed an additional 23 utility patent applications that are now pending in the U.S. Patent and Trademark Office, and also have 19 patent applications now pending in foreign jurisdictions. In addition, we currently have 22 registered trademarks worldwide, including the mark Tumbleweed, and are pursuing other key trademarks and service marks in the U.S. and internationally.

Competition

The markets in which we compete are intensely competitive and rapidly changing. We believe there is no single competitor that offers the complete package of secure messaging applications that we sell. We are aware of competitors that exist for each of our product lines and for combined components of our solution sets.

Our principal competition for email firewall solutions are companies that offer various e-mail content filtering and anti-spam products. Companies that sell products that compete with some of the features within our products include Clearswift Technologies, CipherTrust, Brightmail, Postini and Trend Micro.

Our principal competition in the secure file transfer market comes from software and service providers that include Sterling Commerce (a division of SBC Communications), Cyclone Commerce, Btrade and Standard Networks.

Our principal competition in the identity validation market comes primarily from software providers including Core Street, Sytrust and Alacris.

Our principal competition in the secure email messaging market area comes from providers with offerings that are intended to compete directly with our products or that could be used as alternatives to our products. Examples of some of these providers are PostX, Sigaba, and Zix.

In addition to the competitors listed above, companies with which we do not presently directly compete may become competitors in the future, either through the expansion of our products or through their product development in the area of secure online communication services. These companies could include International Business Machines/Lotus Development, and Microsoft.

Employees

As of December 31, 2003, we employed 250 people worldwide, including 138 in engineering, 49 in sales, 27 in professional services, 11 in marketing, and 25 combined in corporate management, finance, human resources, information technology, legal, and other administration. Our employees are not represented by any collective bargaining organization. We have never experienced a work stoppage and consider our relations with our employees to be good.

Our Executive Officers

Listed below are our executive officers as of March 15, 2004. There are no family relationships between any of the executive officers and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected. At the annual meeting of our board of directors, which follows the annual meeting of stockholders, executive officers are appointed by the board to hold office until their earlier resignation or removal.

10

Table of Contents

Jeffrey C. Smith, Chairman of the Board of Directors and Chief Executive Officer, is responsible for strategic planning and business development. Before founding Tumbleweed in June 1993, Mr. Smith held various senior positions in research and development with the following firms: Frame Technology from January 1991 to June 1993; Aion Corp. from January 1990 to January 1991; Hewlett-Packard from June 1988 to June 1989; and IBM Scientific Research Center in Palo Alto from June 1987 to June 1988. Mr. Smith served as a lecturer in Software Engineering at Stanford University in 1988 and 1989. Mr. Smith holds a B.S. in Computer Science from Stanford University.

John Vigouroux, President and Chief Operating Officer, is responsible for worldwide operations, including marketing, professional services, research and development, and sales. Prior to joining Tumbleweed in June 2003, Mr. Vigouroux was the President and Chief Executive Officer of Valicert, Inc. from October 2002 to June 2003. Mr. Vigouroux also was Valicert’s President of Field Operations from July 2002 to October 2002. Prior to joining Valicert, Mr. Vigouroux co-founded TaraSoft, which specializes in solutions that shorten the software development cycle, and served as their Chief Executive Officer from November 2001 until July 2002. Prior to co-founding TaraSoft, Mr. Vigouroux served as President of AuctionWatch, a company providing sales management software and services for on-line business auctions, from July 2000 to October 2001. Prior to joining AuctionWatch, Mr. Vigouroux served as the Senior Vice President of Sales, Marketing and International Operations and the Vice President of Corporate Development at Beyond.com, which provided products and services for corporations and government agencies to conduct electronic commerce, from October 1998 to July 2000. Prior to joining Beyond.com, Mr. Vigouroux served as Vice President of Business Development at NetObjects, a software company providing tools for website developers and designers, from May 1997 to October 1998. In addition, Mr. Vigouroux has previously held senior level positions with Cisco Systems and Adobe Systems. Mr. Vigouroux holds a B.A. degree in Organizational Behavior and Development from Averett University.

Timothy G. Conley, Vice President of Finance and Chief Financial Officer, is responsible for finance and administration. Prior to joining Tumbleweed in July 2003, Mr. Conley served as Vice President, Finance and Chief Financial Officer for Valicert, Inc. from January 2000 through June 2003. Prior to joining Valicert, Mr. Conley was Vice President of Finance and Chief Financial Officer of Longboard, Inc., a provider of telecommunications systems, from September 1998 to January 2000. Prior to joining Longboard, Mr. Conley served as Vice President of Finance and Chief Financial Officer of Logicvision, a provider of intellectual property for use in the design and testing of semiconductor devices, from June 1997 to August 1998. Previously, Mr. Conley was Vice President of Finance and Chief Financial Officer of Verilink Corporation, a manufacturer of network access equipment, from November 1989 to May 1997. Mr. Conley holds a B.S. degree in Business Administration from Wisconsin State University.

Available Information

Our Internet address is www.tumbleweed.com. Information contained on our website is not part of this annual report on Form 10-K. We make available free of charge on www.tumbleweed.com our annual report on Form 10-K, quarterly reports on Form 10-Q and current reports on Form 8-K, and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act, as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. Statements of changes in beneficial ownership of our securities on Form 4 by our executive officers and directors are made available on our web site by the end of the business day following the submission of such filings to the SEC.

The public may read and copy any materials we file with the SEC at the SEC’s Public Reference Room at 450 Fifth Street, NW, Washington DC 20549. The public may obtain information on the operation of the Public Reference Room by calling the SEC at 1-800-732-0330. The SEC maintains an Internet site (http://www.sec.gov) that contains reports, proxy and information statements, and other information regarding us.

In addition, a copy of these filings, excluding exhibits, may be requested at no cost by writing or telephoning the following address or telephone number:

MKR Group

88 North Fair Oaks Avenue

Suite 202

Pasadena, CA 91103

Telephone: (626) 395-9500

Item 2—Properties.

In June 1999, we entered into an operating lease covering approximately 40,000 square feet of office space in Redwood City, California that was scheduled to expire in November 2004. During the three months ended September 30, 2003, we renewed this lease in advance of the scheduled termination date at a lower monthly rent cost in exchange for an extension of the lease term. The renewed lease expires in July 2008 with current monthly rent payments of approximately $73,000. In September 2000, we

11

Table of Contents

leased an additional 42,000 square feet in an adjacent building with a term of five years and subleased this space. We terminated this second lease as of December 31, 2001 and made a lease settlement payment of $2.3 million, using lease deposits, in the first quarter of 2002 as a part of the lease termination agreement.

We also maintain domestic sales offices in Herndon, Virginia with a lease term expiring in 2004; New York, New York with a lease term expiring in 2005; and Oakbrook Terrace, Illinois with a lease term expiring in 2005. In February 2004, we entered into an agreement to sublease a portion of the space in New York beginning in March 2004 for the remainder of the lease term. Other offices we maintain include Ann Arbor, Michigan, Bulgaria, India, Switzerland, and the United Kingdom. The Ann Arbor, Michigan lease has a term expiring in 2004 and this office was subleased to a third party beginning in March 2003 for the remainder of the lease term. The Bulgaria, India, and Switzerland leases all have terms expiring in 2004. As a result of the Interface acquisition, we assumed an operating lease in Slough, United Kingdom. The lease is for a term ending in 2020 with current quarterly rent payments of approximately $65,000. We subleased this office space to a tenant who was providing us with quarterly rent payments of approximately $65,000 until the sublease was terminated effective July 2003. Anticipated future sublease rental income is not expected to cover the rent expense due to a weak office rental market in and around Slough. In 2003 we recognized a charge of $996,000 related to potential losses on this lease that was included in our consolidated statement of operations as Merger-related and other costs. We are currently attempting to find a new sublessee.

Other than our office space in Redwood City, California, none of our offices individually exceed 13,000 square feet in size. Other than the facility space that we have subleased or are attempting to sublease as described above, we are currently utilizing all of our leased facility space.

Item 3—Legal Proceedings.

On July 7, 2000, three complaints were filed by David H. Zimmer, Congressional Securities, Inc. and others against Interface Systems, Inc. (a company we acquired in 2000) and various additional defendants, including Interface’s prior president and chief executive officer, Robert A. Nero. Plaintiff’s most recent complaint sought compensatory damages for losses resulting from not selling their Interface stock from March 14, 2000 to the end of March 2000 and for losses from purchases of Interface stock from March 14, 2000 through April 12, 2000. In March 2003, the court dismissed all claims against Interface and dismissed all claims against Mr. Nero, except a breach of fiduciary duty claim to the extent that claim arises from Michigan common law. In April 2003, Mr. Nero filed an answer and a counterclaim against Mr. Zimmer and Congressional Securities, Inc. seeking contribution and indemnity. The parties remaining in this case agreed to settle the matter, and the Court dismissed the case with prejudice in February 2004.

In December 2001, certain plaintiffs filed a class action lawsuit in the United States District Court for the Southern District of New York on behalf of purchasers of the common stock of Valicert, Inc. (a company we acquired in June 2003), alleging violations of federal securities laws. In re Valicert, Inc. Initial Public Offering Securities Litigation, No. 01-CV-10889 (SAS) (S.D.N.Y.), related to In re Initial Public Offering Securities Litigation, No. 21 MC 92 (SAS). The operative amended complaint is brought on purported behalf of all persons who purchased Valicert common stock from the date of its July 27, 2000 initial public offering through December 6, 2000. It names as defendants Valicert, its former chief executive officer, its chief financial officer (the “Valicert Defendants”), as well as an investment banking firm that served as an underwriter for the IPO. The complaint alleges liability under Sections 11 and 15 of the Securities Act of 1933 and Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, on the grounds that the registration statement for the IPO did not disclose that: (1) the underwriter agreed to allow certain customers to purchase shares in the IPO in exchange for excess commissions to the paid to the underwriter; and (2) the underwriter arranged for certain customers to purchase additional shares in the aftermarket at predetermined prices. The complaint also appears to allege that false or misleading analyst reports were issued. The complaint does not claim any specific amount of damages. Similar allegations have been made in lawsuits relating to more than 300 other initial public offerings conducted in 1999 and 2000, all of which have been consolidated for pretrial purposes. In February 2003, the Court issued a ruling on all defendants’ motions to dismiss, denying Valicert’s motion to dismiss the claims under the Securities Act of 1933, but granting Valicert’s motion to dismiss the claims under the Securities Exchange Act of 1934.

In June 2003, Valicert accepted a settlement proposal presented to all issuer defendants in this case. Under the proposed settlement, the plaintiffs will dismiss and release all claims against the Valicert Defendants in exchange for a contingent payment guaranty by the insurance companies collectively responsible for insuring the issuers in all the consolidated cases, and the assignment or surrender of control to the plaintiffs of certain claims the issuer defendants may have against the underwriters. Under the guaranty, the insurers will be required to pay the amount, if any, by which $1 billion exceeds the aggregate amount ultimately collected by the plaintiffs from the underwriter defendants in all of the cases. If the plaintiffs fail to recover $1 billion and payment is required under the guaranty, Valicert would be responsible to pay its pro rata portion of the shortfall, up to the amount of the deductible retention under its insurance policy, which is $500,000. The timing and amount of payments that Valicert could be required to make under the proposed settlement will depend on several factors, principally the timing and amount of any payment required by the insurers pursuant to the $1 billion guaranty. The proposed settlement is subject to approval of the Court, which cannot be assured. The accompanying consolidated financial statements do not include a reserve for any potential loss, as we do not consider a loss to be probable at this time.

12

Table of Contents

In May 2002, Tumbleweed sued PayPal, Inc. alleging infringement of our U.S. Patent No. 5,790,790 and our U.S. Patent No. 6,192,407. In May 2002 PayPal filed an answer and counterclaims denying our allegations and seeking declarations from the court that our patents are not infringed and are invalid. In September 2002, we filed a First Amended Complaint that added eBay, Inc. as a defendant. Both PayPal and eBay filed an answer and counterclaims to the First Amended Complaint denying our allegations and seeking declarations from the court that our patents are not infringed and are invalid. In January 2003, we filed a Second Amended Complaint that added a cause of action against each of PayPal and eBay for infringement of our U.S. Patent No. 6,487,599, which the U.S. Patent and Trademark Office granted to us after we had filed the First Amended Complaint. Both PayPal and eBay filed an answer and counterclaims to the Second Amended Complaint denying our allegations and seeking declarations from the court that our patents are not infringed and are invalid. In December 2003, the parties executed a settlement agreement and dismissed this lawsuit.

In September 2002, we received a letter from Entrust, Inc. indicating that we may be interested in licensing the technology covered by U.S. Patent No. 6,393,568, Encryption and Decryption System and Method with Content Analysis Provision, issued to Entrust. In October 2002, we sent a letter to Entrust indicating that Entrust may be interested in licensing the technology covered by four patents issued to us. In February 2003, we received a letter from Entrust indicating that we may have an interest in three additional patents issued to Entrust. In April 2003, Tumbleweed filed with the U.S. Patent and Trademark Office a request for interference with Entrust’s Patent No. 6,393,568. In January 2004, we entered into a cross license agreement with Entrust covering the aforementioned patents and selected others, as well as patents issuing from certain patent applications that have been filed or that may be filed by either company over the next three years. As part of the agreement, the companies resolved the patent interference proceeding, and Entrust assigned to us U.S. Patent No. 6,393,568 in return for a financial consideration.

In February 2003, we sued Ticketmaster alleging infringement of three of our U.S. Patents, Nos. 5,790,790, 6,192,407, and 6,487,599. In March 2003, Ticketmaster filed an answer to our complaint denying our allegations and seeking declarations from the court that our patents are not infringed and are invalid. In March 2004, the parties executed a settlement agreement and agreed to dismiss this lawsuit.

In June 2003, we were served with a summons and first amended complaint, captioned Liu v.Credit Suisse First Boston, et alia, , alleging the violation of federal and state securities laws, purportedly on behalf of persons who acquired our common stock (other than purchasers of our initial public offering) from August 6, 1999 to October 18, 2000. The case is now pending in the United States District Court for the Southern District of New York, where the Court held a status conference in September 2003. At the status conference we pointed out, and plaintiffs’ counsel conceded, that the named plaintiffs lacked standing to pursue the action because they had not purchased any shares of any of the issuer defendants then in the case. In October 2003, plaintiffs filed a motion for leave to file a second amended complaint, which we have opposed. An adverse outcome could harm our business and operating results. Moreover, the costs in defending this lawsuit could harm future operating results. The accompanying consolidated financial statements do not include a reserve for any potential loss, as we do not consider a loss to be probable at this time.

Item 4—Submission of Matters to a Vote of Security Holders.

No matters were submitted to a vote of our shareholders during the fourth quarter of 2003.

PART II

Item 5—Market for Registrant’s Common Equity and Related Stockholder Matters.

Our common stock is listed and quoted on The Nasdaq National Market under the symbol “TMWD.” The following table sets forth, for the calendar quarters indicated, the high and low trading prices per share for our common stock, as reported on the Nasdaq National Market.