OpenSource Risk Experts
SSPL EXPOSURE

SSPL license risk advisory for the software you already run.

SSPL license risk advisory maps where the Server Side Public License now governs your stack, sizes the exposure in board language, and gives you a containment plan you can act on. Independent, buyer side, paid only by you. We name the risk plainly and point you to your own counsel for interpretation.

The Server Side Public License changed the terms under which some of the most widely deployed data infrastructure runs. MongoDB moved to the SSPL in 2018. Elasticsearch and Kibana moved to the SSPL and the Elastic License in 2021, with the AWS-led fork OpenSearch following. Redis adopted a dual model that includes the SSPL as of March 2024, with the community fork Valkey following. If any of these sit in your production estate, your license posture has changed whether or not anyone updated the record.

SSPL license risk advisory exists because the exposure is easy to miss and expensive to discover late. Source available is not open source. The SSPL is not approved by the Open Source Initiative, and its service provider terms can reach beyond the component itself to the surrounding software you use to deliver a service. That is a different shape of risk from a permissive license, and it does not announce itself.

What the SSPL actually restricts

The headline concern with the Server Side Public License is its treatment of offering the software as a service. Where a traditional copyleft license reaches the software you distribute, the SSPL was written to reach further, toward the programs you would need to run the software as a managed service for others. For an enterprise that consumes the software internally, the practical exposure may be limited. For one that builds a product or a service on top of it, the obligations can be material. The line depends on your deployment, and that is exactly what the advisory maps. We tell you where you sit; your counsel tells you what the terms mean for you.

How the advisory works

We begin with the map. Every SSPL component you run, direct and transitive, is located and tagged with its license state as of the date of the review. We trace how each one is deployed, because the same database carries different exposure when it backs an internal tool than when it backs a customer-facing service. We then size the exposure in terms a board understands: what is at risk, what it would cost to cure, and how urgent the clock is. Finally we lay out the routes. A move to a fork such as OpenSearch or Valkey, a migration to an alternative, and a negotiated commercial license each carry a cost and a timeline, and we weigh them side by side so the path you choose holds under scrutiny.

The work connects to the rest of the program. It draws on our open source license risk services, sits inside the broader relicensing exposure picture, and links directly to the database-specific analysis in our Redis and Elastic database license guide. For the wider frame of how license risk is mapped and contained, see the open source license risk pillar.

Why independence changes the answer

We are paid only by the buyer. We do not resell licenses, we do not take vendor commissions, and we have no interest in steering you toward a paid agreement when a fork would serve you better, or away from one when it is genuinely the cleanest path. That independence is the value. The vendor's account team will give you a number. The advisory gives you the leverage and the alternatives that let you decide whether the number is fair, and a buyer side basis to negotiate it if it is not.

What you walk away with

You receive a current map of your Server Side Public License footprint, an exposure assessment written for decision makers rather than engineers, and a containment plan with the options costed and sequenced. The deliverable is built to be defensible to a vendor, an auditor, or your board. Most buyers move straight from the assessment into either a remediation plan or a buyer side negotiation, and the map carries into that work without being rebuilt.

COMMON QUESTIONS

Questions buyers ask.

What is SSPL license risk advisory?

SSPL license risk advisory maps where your organization runs software under the Server Side Public License, quantifies the commercial and distribution exposure that license creates, and lays out the options to contain it. It is buyer side advisory, not legal advice.

Which projects moved to the SSPL?

MongoDB moved to the Server Side Public License in 2018. Elasticsearch and Kibana moved to the SSPL and the Elastic License in 2021. Redis adopted a dual model that includes the SSPL as of March 2024. Forks include OpenSearch and Valkey.

Is the SSPL an open source license?

No. The Server Side Public License is source available, not open source, and it is not approved by the Open Source Initiative. Its service provider terms can reach the surrounding software you use to offer a service, which is where the exposure concentrates.

Do we have exposure if we only use the software internally?

It depends on how you deploy and whether you offer the software as a service to third parties. The advisory maps your actual usage against the license terms so you know where the line sits for you. For interpretation, engage your own counsel.

What does the advisory deliver?

You receive a map of every SSPL component you run, an exposure assessment in board language, and a containment plan that weighs forks, alternatives, and negotiated commercial terms on cost and timeline.

Is this legal advice?

No. This is commercial and licensing risk advisory. For interpretation of the Server Side Public License and compliance questions, engage your own counsel.

CONTAINMENT

Map your SSPL exposure before it is priced for you.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.
