OpenSource Risk Experts
Map your blast radius

CASE STUDY · ANONYMISED COMPOSITE

SaaS Firm Avoids a Competitive Use Breach Under SSPL

This case study traces how a SaaS firm avoided a competitive use breach under SSPL after a database it relied on moved to the Server Side Public License. It is an anonymised composite drawn from buyer side engagements. It names no client and no vendor relationship, and is shared to show how the exposure is mapped and contained before it becomes a finding.

Situation

A growing SaaS firm ran a multi tenant analytics platform built on an open source database it had adopted years earlier. The database sat at the core of the product, powering both internal processing and several customer facing features. Like most teams, the firm had reviewed the database when it chose it and not since. The license under which it ran was treated as settled, and the product roadmap moved on without revisiting it.

The exposure and the trigger

The database relicensed to the Server Side Public License, following the pattern set by MongoDB in 2018, Elastic as of 2021, and Redis as of March 2024. The Server Side Public License attaches a far reaching source release condition to any party that offers the functionality of the software to third parties as a service. Source available is not open source, and the license is not approved by the Open Source Initiative. The trigger came during a routine procurement review by a prospective enterprise customer, which asked the firm to confirm the license status of its core components. That question forced the issue the firm had not examined: as a SaaS product exposing database functionality to customers, did its use sit on the wrong side of the service condition?

Approach

We were engaged from the buyer side to map the real position before the firm answered the customer or assumed the worst. The work began with an open source license risk assessment that resolved where the relicensed database ran across the platform and recorded the version and license state of each instance. We then ran a focused relicensing exposure review to test each use against the service condition rather than treating the whole platform as one undifferentiated risk.

The map separated the platform into two categories. The large majority of use was internal processing that powered the product without exposing the database itself to customers, which sat plainly outside the service condition. A narrow set of features, however, exposed the database closer to the line, letting customers run queries against it in a way that approached offering its functionality as a service. The undifferentiated fear had been that the entire platform was in breach. The evidence showed the real exposure was confined to a small, identifiable surface. Interpretation of where exactly the service condition fell was referred to the firm's own counsel, with the dependency map as the factual basis.
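As an added illustration of the mapping step described above (not tooling from the engagement itself), the following Python triage reads a constructed per-instance inventory keyed by SPDX license identifier and separates internal processing from tenant-queryable surfaces. The inventory format, field names, component names and versions are assumptions; the pre-relicense row shows why license state is recorded per running version rather than per component.

```python
from dataclasses import dataclass

# SPDX identifiers treated as source-available rather than open source.
# SSPL-1.0 is the one whose service condition this triage tests.
SOURCE_AVAILABLE = {"SSPL-1.0"}


@dataclass(frozen=True)
class Instance:
    component: str          # package or image name (constructed placeholder)
    version: str            # version actually running, not the one first adopted
    license_id: str         # SPDX license of that version, recorded per instance
    feature: str            # product feature the instance serves
    tenant_queryable: bool  # can customers run queries against it directly?


def classify(inst: Instance) -> str:
    """Place one instance relative to the SSPL service condition."""
    if inst.license_id not in SOURCE_AVAILABLE:
        # Not under SSPL: versions from before the relicensing keep their prior license.
        return "not_sspl"
    # Exposing the database's own functionality to third parties is what the
    # service condition targets; internal processing sits outside it.
    return "near_line" if inst.tenant_queryable else "outside"


def exposure_report(inventory: list[Instance]) -> dict:
    """Summarise how much of the platform sits near the service condition."""
    buckets = {"not_sspl": 0, "outside": 0, "near_line": 0}
    features = set()
    for inst in inventory:
        bucket = classify(inst)
        buckets[bucket] += 1
        if bucket == "near_line":
            features.add(inst.feature)
    pct = round(100 * buckets["near_line"] / len(inventory), 1) if inventory else 0.0
    return {**buckets, "features": sorted(features), "pct_of_platform": pct}


# Constructed sample inventory: names, versions and features are placeholders.
INVENTORY = [
    Instance("analytics-db", "7.1.0", "SSPL-1.0", "ingest-pipeline", False),
    Instance("analytics-db", "7.1.0", "SSPL-1.0", "nightly-rollups", False),
    Instance("analytics-db", "7.1.0", "SSPL-1.0", "tenant-metrics-api", False),
    Instance("analytics-db", "7.1.0", "SSPL-1.0", "customer-adhoc-query", True),
    Instance("analytics-db", "6.4.2", "AGPL-3.0-only", "legacy-report-builder", True),
    Instance("cache", "4.1.0", "BSD-3-Clause", "session-store", False),
]

if __name__ == "__main__":
    print(exposure_report(INVENTORY))
```

The report only locates the surface; where the service condition actually falls on each listed feature remains a question for counsel, as in the case.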

Outcome

With the exposure narrowed to a defined set of features, the firm contained it through targeted remediation rather than a broad commercial agreement. The internal processing, which sat clearly outside the service condition, stayed as it was. The small surface near the service condition was isolated and rerouted to an open licensed community fork that preserved the prior open behavior, removing the firm from the territory the Server Side Public License restricts. The competitive use breach was avoided before it became a finding, the procurement review was answered with a defensible record, and the firm kept the option to take a commercial license in reserve without needing to exercise it. The quantified result was a contained remediation touching a single digit percentage of the platform, in place of an assumed platform wide license obligation.

Lessons for buyers

A SaaS firm is the kind of buyer the Server Side Public License is most likely to reach, because offering software as a service is exactly what the license condition addresses. That does not mean the whole product is exposed. Most use, even in a SaaS product, is ordinary internal processing that sits outside the condition, and the real exposure usually lives in a small set of features that expose the database itself. Separating the two is the difference between a contained fix and a platform wide license demand. The cheapest moment to draw that line is during a routine review, not in answer to a customer's procurement question under time pressure.

For the mechanics of the license at the center of this case, see the Server Side Public License explained, and browse more open source risk case studies.

COMMON QUESTIONS

Questions buyers ask.

What is a competitive use breach under SSPL?

The Server Side Public License attaches far reaching source release conditions to a party that offers the functionality of the licensed software to third parties as a service. A SaaS firm whose product exposes a relicensed database as a service can sit close to that line, and running such a deployment without resolving the condition risks a breach. Source available is not open source, and the Server Side Public License is not approved by the Open Source Initiative.

How did the SaaS firm avoid the breach?

An assessment mapped where the relicensed database ran and how the product used it. Most use was internal and clearly outside the service condition. A narrow set of features exposed the database closer to the line, and those were isolated and rerouted to an open licensed fork, removing the risk before it became a finding.

Did the SaaS firm have to take a commercial license?

No. By separating the internal use that sat plainly outside the service condition from the small set of features near it, the firm contained the exposure through targeted remediation rather than a broad commercial agreement. It kept the option to license commercially in reserve but did not need it.

Is this a real named client?

No. This is an anonymised composite drawn from buyer side engagements. It does not name a specific client or vendor relationship and is shared to illustrate how a competitive use breach under SSPL is mapped and avoided.

CONTAINMENT

Find the line before a customer does.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

