Now openThe whole vendor lifecycle in one workspace. Benchmarking, negotiations, contracts, invoices, renewals. Free 30 day trial, no card.Start the trial →
Now openThe whole vendor lifecycle in one workspace. Benchmarking, negotiations, contracts, invoices, renewals. Free 30 day trial, no card.Start the trial →
Editorial photograph of an enterprise boardroom interior
Oracle · Java Audit Rights · Comparison

Which Audit Clause Is Oracle Citing? OTN License vs Master Agreement

The contract vehicle Oracle names decides how much cooperation you owe, how far its questions can reach, and where your leverage sits. This is the clause-by-clause comparison that tells you which one you are actually under and what to do about it.

Contact Us Oracle Hub
500+Enterprise clients
$2B+Under advisory
Industry Recognized
500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent

The contract vehicle Oracle names decides how much cooperation you owe, how far its questions can reach, and where your leverage sits. This is the clause-by-clause comparison that tells you which one you are actually under and what to do about it.

Start by making Oracle name the clause

When an Oracle audit or verification request lands, the first defensive move is not to inventory your Java estate. It is to force Oracle to identify the exact contractual clause it is invoking. In 25 years of negotiating against this vendor, the single most common tactical error I see on the buyer side is answering the question Oracle asked before establishing which agreement gives Oracle the right to ask it. Java is the clearest example of why that matters, because Oracle deploys at least three different license vehicles for the product, and each carries a materially different audit right.

For Java specifically, the two contract vehicles that generate almost all disputes are the Oracle Technology Network License Agreement (the click-through you accept when downloading Java SE) and the Oracle Master Agreement (OMA, previously OLSA), whose audit terms live in the standard schedules. These two documents are not variations on a theme. Their audit clauses differ in notice period, defined obligations, permitted scope, and remediation deadline. Confuse them, or let Oracle blur them, and you concede rights you never contractually granted. Insist that Oracle audit one agreement at a time, and only within the scope that agreement covers. It is unreasonable, and unsupported by the contracts, to be audited under multiple audit clauses simultaneously.

Answering before you know which clause applies means conceding rights you never actually granted.

The OTN audit clause: vague, narrow, and largely negotiable

The Oracle Technology Network License Agreement for Oracle Java SE contains an audit obligation that is remarkable for how little it says. Its entire audit clause reads, in substance, that "Oracle may audit an Entity's use of the Programs." That is the whole of it. There is no notice period. There is no specification of what level of assistance you must provide. There is no requirement to run Oracle measurement tools, no data-disclosure obligation, and no remediation timetable. The clause is light on clarity, which cuts both ways, but on balance it cuts in the buyer's favor.

The reason it cuts in your favor is structural. The OTN Java SE agreement functions like an ordering document that carries no licensing metric and no quantities. There is no employee count, no processor count, no NUP figure embedded in the document. Because the agreement defines no metric, Oracle has no contractual basis to interrogate metric-driven data. Oracle can only audit items of relevance to the agreement it is citing, and the OTN agreement is relevant to a narrow set of things: whether your use fell inside the four permitted use cases, and nothing broader. Those four permitted uses are Personal Use, Development Use, Oracle Approved Product Use, and Oracle Cloud Infrastructure Use. Critically, none of them is production. The OTN allowance does not permit any production usage, so the compliance question under OTN is binary: was the install inside a permitted use case or not.

Because the OTN clause specifies no process at all, the terms of any OTN audit are effectively up for negotiation at the point Oracle initiates. You are not conceding a pre-agreed 45-day cooperation regime, because none exists in the document. That is leverage. Our Oracle Java audit response playbook treats this negotiability as an asset to be preserved, not surrendered by volunteering data.

The OTN's one genuine enforcement mechanism is not the audit clause at all. It is auto-termination. The OTN agreement terminates automatically, without notice, if you fail to comply with any of its terms, and on termination you are obliged to destroy all copies. That is the pressure point Oracle actually leans on, and it is why the corporate-authority question below matters so much.

The Master Agreement audit clause: structured, tooled, and time-boxed

The OMA audit clause is a different instrument entirely. It is far more descriptive, and the added description works largely in Oracle's favor because it grants Oracle concrete rights the OTN never contemplates. The current Schedule P language provides that upon 45 days written notice, Oracle may audit your use of the Programs to ensure compliance with the applicable order and the Master Agreement, and that any such audit shall not unreasonably interfere with your normal business operations.

Two additions to the modern OMA changed the defense posture significantly. First, the clause now expressly authorizes Oracle to run its own measurement tools on your servers and to receive the resulting data: "Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle." Second, the audit performance and the non-public data obtained are folded under the Nondisclosure section, which Oracle uses to defeat delay tactics built on confidentiality objections. Neither of these tools exists under OTN.

The OMA also imposes a hard remediation deadline the OTN lacks. If the audit identifies non-compliance, you agree to remedy it (which may include, without limitation, paying fees for additional licenses) within 30 days of written notification. So the OMA sequence is a defined 45-day notice, a tooled audit, and a 30-day pay-or-cure clock. That timeline discipline is the subject of our day-by-day plan for the 45-day audit window.

Side-by-side: what each clause actually obligates

Element OTN License (click-through) Oracle Master Agreement (Schedule P)
Written notice periodNone specified45 days written notice
Defined assistance obligationNoneYes, including running Oracle measurement tools on your servers
Data disclosure requirementNoneResulting tool data must be provided to Oracle
Confidentiality handlingSilentAudit data folded under Nondisclosure section
Remediation deadlineNone specified30 days from written notice of non-compliance
Embedded metric / quantityNone (no metric, no quantities)Order-driven metrics and quantities apply
Scope of permissible questionsOnly the four permitted usesFull compliance against order and Master Agreement
Primary enforcement leverAuto-termination without noticeStructured audit plus pay-or-cure clock
Terms negotiable at initiationLargely yes, clause specifies nothingLimited, terms are pre-agreed in the schedule
The OTN grants Oracle a vague, narrow audit. The Master Agreement grants Oracle a tooled, time-boxed one. Do not let the wrong clause govern your response.

Which vehicle applies to which Java version

Knowing which clause governs starts with knowing which license vehicle attaches to the binaries you actually run. Oracle uses three distinct Java licenses across versions. The Binary Code License (BCL) covers Java 8 and earlier for general purpose computing. The OTN License covers Java 11, 17, and post-window updates. The No-Fee Terms and Conditions (NFTC) covered the launch window for Java 17 and later LTS releases. Only Java 17, 21, and later LTS releases launched under the NFTC. Java 8 and versions 11 through 16 never did, and they remain OTN-licensed.

The NFTC-to-OTN cutover is the audit trap that catches the most organizations. The NFTC permits free use of the covered Oracle JDK release for commercial, production, and internal business purposes, which lulls teams into treating Oracle JDK as free forever. It is not. Once a version moves out of its NFTC window and onto the OTN License, continuing to run the binaries you already have is fine, but every Oracle JDK update released after the cutover is OTN-licensed, and OTN does not permit production. Java 17 moved to OTN in September 2024. Oracle JDK 21 updates are planned under the NFTC only until September 2026 (one year after the JDK 25 LTS release in September 2025), after which subsequent JDK 21 updates move to OTN. So a patched-and-current production JDK 17 estate today is an OTN production breach, and that is exactly the exposure Oracle hunts. The mechanics of the version transition are covered in our overview of the 2026 Oracle Java licensing changes.

One reassurance worth stating plainly: the 2023 shift to the per-employee Java SE Universal Subscription did not retroactively rewrite your legacy terms. Existing BCL, OTN, and NFTC agreements remain valid and unaffected. Oracle cannot convert your historical BCL or OTN installs into per-employee subscription liability by fiat. The question is always which vehicle governed each install at the time of use, and whether that use complied.

The corporate authority question under OTN

The OTN is a click-through. Any developer who downloaded Java SE clicked to accept it, which raises a real and underused defensive argument: not every employee has authority to bind the company to a contract. We advise clients to put IT directives in place making clear that individual employees are not authorized to accept click-through agreements on the organization's behalf. Where such governance exists, the enforceability of an OTN acceptance that a junior developer clicked becomes a live question, and that question weakens Oracle's footing before the audit conversation even begins. This is buyer-side experience talking rather than a settled statistic, but it has moved outcomes in real negotiations.

Soft audits, verification services, and the no-contract position

A large share of Java approaches are not formal audits at all. A soft audit is an informal, voluntary request from Oracle's sales or Java team, and you have no obligation to respond to it. A formal audit is a contractual process invoked under your Master Agreement, with the 45-day notice and the cooperation obligations described above. Do not treat a friendly email as a legal demand, and do not treat a legal demand as negotiable friendliness. Distinguishing the two is foundational, and it maps directly onto the enforcement shift covered in how Oracle changed Java enforcement from LMS to GLAS.

Be especially alert to the branding. The Oracle Assurance or Verification Service markets itself as building confidence through transparency. In practice it is an LMS-style audit conducted without the contractual protections of the audit clause. If Oracle wants to run a measurement exercise, insist that it name the audit clause and accept the protections that clause imposes on Oracle, including the notice period and the reasonableness standard. Do not accept a data-collection exercise that carries Oracle's rights but strips your protections.

If you hold no Oracle Master Agreement, no Java subscription, and no other Oracle contract, Oracle has no contractual audit right at all. No contract means no formal audit. That is a strong defensive position, but it requires careful handling, because Oracle can still run a soft audit and escalate to its litigation office if it believes it holds evidence such as download telemetry. The formal notice mechanics you would face if a contract does exist are detailed in our guide to Oracle GLAS Java audits and formal notices.

What the buyer should do

  • Before responding to anything, demand in writing that Oracle name the specific audit clause and the specific agreement it is invoking. If Oracle cannot, you likely face a soft audit with no cooperation obligation.
  • Refuse to be audited under multiple clauses at once. Force one agreement, one audit, scoped only to installs that agreement actually covers.
  • Map every Java install to its correct vehicle (BCL, OTN, or NFTC) and its version. Pay particular attention to production estates running post-cutover OTN updates, which is where liability concentrates.
  • If Oracle cites OTN, remember the clause specifies no process. Negotiate the terms of the audit at initiation rather than adopting the OMA cooperation regime by default.
  • If Oracle cites the OMA, hold Oracle to the 45-day notice and the reasonableness standard, and control what its measurement tools touch. See our internal Oracle audit method to find the gaps first.
  • Preserve the corporate-authority argument by documenting that employees lack authority to accept click-through agreements.
  • Model your OpenJDK exit in parallel. Removing Oracle binaries neutralizes the underlying claim, as shown across our zero-cost Java case studies.

The pattern across resolved matters is consistent. When the buyer forces clause identification, confines scope to the correct vehicle, and beats download logs with actual install evidence, claims that opened at seven figures close low or at zero. Our global retailer case study and the five million dollar World Kinect resolution both turned on refusing to accept the wrong audit posture. The clause Oracle cites is not a formality. It is the frame that decides the whole negotiation.

Frequently asked questions

How do I tell whether Oracle is auditing me under the OTN or the Master Agreement?

Ask Oracle in writing to name the exact clause and agreement. If Oracle points to a click-through you accepted at download, that is the OTN, which has no notice period and no defined obligations. If Oracle cites a 45-day notice, running measurement tools, and a 30-day remediation clock, that is the Master Agreement Schedule P. Do not proceed until Oracle commits to one.

Can Oracle audit my Java use if I never signed a Master Agreement?

Not formally. Without an Oracle Master Agreement, a Java subscription, or another Oracle contract, Oracle has no contractual audit right. The OTN click-through gives Oracle a vague audit right but no process and no metric, and its real lever is auto-termination. Oracle can still run a soft audit or escalate to litigation if it believes it has evidence, so handle the no-contract position carefully.

Why does the OTN clause limit what Oracle can ask about?

The OTN Java SE agreement carries no metric and no quantities. Because it defines no employee, processor, or user count, Oracle has no contractual basis to interrogate metric-driven data. Oracle can only audit items relevant to the agreement it cites, which under OTN means whether your use fell inside the four permitted use cases, none of which is production.

What is the audit trap in the NFTC-to-OTN transition?

The NFTC lets you use a JDK release free for production during its window. When that window closes, the version moves to the OTN License, and every update released after the cutover is OTN-licensed, which does not permit production. A patched, current Oracle JDK 17 production estate today is an OTN breach because Java 17 moved to OTN in September 2024. Java 21 updates move to OTN after September 2026.

Does the Assurance or Verification Service carry the same protections as an audit?

No. Oracle's Assurance or Verification Service is effectively an LMS-style audit run without the contractual protections of the audit clause. If Oracle wants to measure your estate, insist it invoke a named audit clause and accept the notice period and reasonableness standard that come with it. Do not grant Oracle audit-level access under a branding that strips your protections.

Can Oracle convert my old BCL or OTN installs into per-employee subscription liability?

No. The 2023 shift to the Java SE Universal Subscription per-employee metric did not retroactively rewrite prior agreements. Existing BCL, OTN, and NFTC terms remain valid and unaffected. The compliance question is always which vehicle governed each install at the time of use and whether that use complied with that vehicle's terms.

Free White Paper

Defend an Oracle Java audit without overpaying

Oracle now audits Java SE on employee count, not installs, which can multiply the bill several times over. How to defend the notice and exit to OpenJDK.

Gated with a work email on the download page. No sales follow up you did not ask for.

Get the White Paper →
Independent, buyer side. We never share your details with vendors.
Run a software spend health check against your Oracle estate in under five minutes.
Open the Tool →
Deep Library

More on this topic.

Oracle Hub →
Oracle GLAS Java Audits in 2026: How Formal Notices Work and How to Respond
Oracle · Guide
Oracle GLAS Java Audits in 2026: How Formal Notices Work and How to Respond
The full guide this article belongs to.
Guide
GLAS vs LMS: What Changed in How Oracle Enforces Java
Oracle · Deep dive
GLAS vs LMS: What Changed in How Oracle Enforces Java
Another angle on the same decision.
Guide
Oracle Java SE Procurement. 20 critical insights: the per employee metric, the audit posture, and the OpenJDK escape route.
Oracle
Oracle Java SE Procurement. 20 critical insights: the per employee metric, the audit posture, and the OpenJDK escape route.
Oracle Java SE Universal Subscription procurement guide 2026. Independent buyer side advis
Guide
Global Manufacturer. Four million dollar Oracle Java audit claim resolved at zero cost.
Oracle
Global Manufacturer. Four million dollar Oracle Java audit claim resolved at zero cost.
Global manufacturer case study. Oracle Java audit defense resolves a four million dollar O
Guide
World Kinect. Five million dollar Oracle Java audit claim resolved at zero cost.
Oracle
World Kinect. Five million dollar Oracle Java audit claim resolved at zero cost.
World Kinect Oracle Java case study. Oracle Java audit defense framework resolves a five m
Guide
Editorial boardroom interior

The advisor your vendors do not want.

500+ enterprise clients. 11 vendor practices. Industry recognized. One conversation can change what you pay for the next three years.

Stay ahead of Oracle licensing changes.

One buyer side briefing a week. Renewal signals, audit moves, and the levers that work. No vendor spin.