AGPL EXPOSURE
AGPL Compliance Risk Review
An AGPL compliance risk review maps where the GNU AGPL touches your software, names the conditions that trigger its network and distribution obligations, and leaves you with a containment plan you can defend. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.
The GNU AGPL is the copyleft license most likely to surprise an enterprise. It was written to close the gap that the GPL left open for software offered over a network. Where the GPL attaches obligations when you distribute a program, the GNU AGPL can attach them when you make a modified version available to users across a network, even if you never ship a binary. For a company that runs a modified AGPL component inside a public facing service, that distinction is the whole risk.
An AGPL compliance risk review answers the question that keeps surfacing in board and counsel conversations: where does this license actually touch us, and what does it ask of us? We map the touchpoints, rank them by likelihood and impact, and hand you a plan. We do not interpret the license for you. That is your counsel's role, and we point you to it.
What the AGPL compliance risk review covers
We begin with a full dependency tree, direct and transitive, because AGPL code rarely sits where you expect it. It arrives as a buried dependency, a container base image, or a library pulled in by another library. We flag every AGPL and AGPL adjacent component, then test each against the way you actually deploy. A component you run unmodified behind your own firewall carries a different obligation than one you have patched and exposed to external users.
From there we separate the GNU AGPL from its source available cousins. The Server Side Public License, used by MongoDB since 2018 and by Redis and Elasticsearch in their relicensing moves, shares the network use concern but reaches further into the surrounding service stack and is not approved by the Open Source Initiative. The GNU AGPL is approved and narrower. Treating them as one thing leads to either false comfort or wasted remediation, so we keep them distinct.
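One way to mechanise the first pass of that mapping, added here as an example and not the firm's own tooling: it walks constructed SBOM-style dependency entries (component names, SPDX identifiers and the deployment flags are all assumed), keeps AGPL and SSPL findings apart, and ranks AGPL entries by whether the network-use trigger (modified and exposed to external users) applies.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed SPDX identifiers for the two families the review keeps separate.
AGPL_IDS = {"AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}
SSPL_IDS = {"SSPL-1.0"}
RANK = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Component:
    name: str
    license: str           # SPDX identifier as recorded in the SBOM
    modified: bool         # we carry local patches to this component
    network_exposed: bool  # reachable by external users as part of a service
    path: tuple            # dependency chain, root first; len > 1 means transitive

def family(spdx: str) -> str:
    """Classify a license id as AGPL, SSPL or out of scope for this review."""
    if spdx in AGPL_IDS:
        return "AGPL"
    if spdx in SSPL_IDS:
        return "SSPL"
    return "other"

def triage(c: Component) -> Dict:
    """Apply the deployment test: obligation likelihood depends on use, not presence."""
    fam = family(c.license)
    if fam == "AGPL" and c.modified and c.network_exposed:
        lik, note = "high", "modified and network-exposed: source offer likely required"
    elif fam == "AGPL" and c.network_exposed:
        lik, note = "medium", "unmodified but exposed: verify no local changes, keep a record"
    elif fam == "AGPL":
        lik, note = "low", "internal use only: document the deployment boundary"
    elif fam == "SSPL":
        lik, note = ("high" if c.network_exposed else "low"), "source-available, not OSI-approved: assess separately from AGPL"
    else:
        return {}  # permissive or other license: not an AGPL/SSPL finding
    return {"name": c.name, "family": fam, "likelihood": lik,
            "transitive": len(c.path) > 1, "via": " > ".join(c.path), "note": note}

def rank_exposure(components: List[Component]) -> List[Dict]:
    """Return findings ordered by likelihood, highest first, then by name."""
    findings = [f for f in map(triage, components) if f]
    return sorted(findings, key=lambda f: (-RANK[f["likelihood"]], f["name"]))

# Constructed sample: a flattened tree with one AGPL library buried two levels down.
SAMPLE = [
    Component("webapp", "MIT", True, True, ("webapp",)),
    Component("pdf-render", "AGPL-3.0-only", True, True, ("webapp", "report-lib", "pdf-render")),
    Component("batch-etl", "AGPL-3.0-or-later", False, False, ("batch-etl",)),
    Component("doc-store", "SSPL-1.0", False, True, ("webapp", "doc-store")),
    Component("cache", "Apache-2.0", False, True, ("webapp", "cache")),
]

if __name__ == "__main__":
    for f in rank_exposure(SAMPLE):
        print(f["likelihood"].upper(), f["name"], f["family"], f["via"], "-", f["note"])
```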
Who needs this review
Any organization that ships a software product or runs a customer facing service on a stack it did not build from scratch. The risk concentrates in firms that modify open source and expose it over a network, which now describes most software businesses. It also matters acutely in a transaction. An acquirer that inherits an undocumented AGPL obligation inherits a liability, which is why our open source M and A due diligence always tests for it.
The review sits within our broader open source license risk assessment and feeds the M and A and compliance pillar, where we cover copyleft and distribution obligations in depth. If your concern is a project that has recently changed terms rather than a classic copyleft license, start instead with the open source license risk pillar.
COMMON QUESTIONS
Questions buyers ask.
What is an AGPL compliance risk review?
An AGPL compliance risk review maps every place the GNU AGPL touches your software, identifies the conditions that trigger its network and distribution obligations, and gives you a ranked containment plan. The aim is a defensible record of where the license applies and what you have done about it.
When does the GNU AGPL create an obligation?
The GNU AGPL extends copyleft to software offered over a network, not only to software you distribute. If you modify an AGPL component and make it available to users across a network, the license can require you to offer the corresponding source. The specifics depend on how the component is used and modified, which is why scope mapping matters.
Is the AGPL the same as the SSPL?
No. The GNU AGPL is an Open Source Initiative approved license. The Server Side Public License is source available and not approved by the Open Source Initiative. They share a network use concern, but the SSPL reaches further into the surrounding service stack. A review treats them separately.
Is this legal advice?
No. We provide commercial and licensing risk advisory, not legal advice. We map and quantify exposure from the buyer side. For interpretation of the GNU AGPL and compliance decisions, we recommend your own counsel.
What do we receive at the end?
You receive a map of every AGPL touchpoint in your stack, a ranked list of obligations by likelihood and impact, and a containment plan with options weighed on engineering cost and license posture.
CONTAINMENT
Find your AGPL exposure before an auditor does.
A confidential AGPL compliance risk review. Independent, buyer side, paid only by you.