The contract vehicle Oracle names decides how much cooperation you owe, how far its questions can reach, and where your leverage sits. This is the clause-by-clause comparison that tells you which one you are actually under and what to do about it.
The contract vehicle Oracle names decides how much cooperation you owe, how far its questions can reach, and where your leverage sits. This is the clause-by-clause comparison that tells you which one you are actually under and what to do about it.
When an Oracle audit or verification request lands, the first defensive move is not to inventory your Java estate. It is to force Oracle to identify the exact contractual clause it is invoking. In 25 years of negotiating against this vendor, the single most common tactical error I see on the buyer side is answering the question Oracle asked before establishing which agreement gives Oracle the right to ask it. Java is the clearest example of why that matters, because Oracle deploys at least three different license vehicles for the product, and each carries a materially different audit right.
For Java specifically, the two contract vehicles that generate almost all disputes are the Oracle Technology Network License Agreement (the click-through you accept when downloading Java SE) and the Oracle Master Agreement (OMA, previously OLSA), whose audit terms live in the standard schedules. These two documents are not variations on a theme. Their audit clauses differ in notice period, defined obligations, permitted scope, and remediation deadline. Confuse them, or let Oracle blur them, and you concede rights you never contractually granted. Insist that Oracle audit one agreement at a time, and only within the scope that agreement covers. It is unreasonable, and unsupported by the contracts, to be audited under multiple audit clauses simultaneously.
Answering before you know which clause applies means conceding rights you never actually granted.
The Oracle Technology Network License Agreement for Oracle Java SE contains an audit obligation that is remarkable for how little it says. Its entire audit clause reads, in substance, that "Oracle may audit an Entity's use of the Programs." That is the whole of it. There is no notice period. There is no specification of what level of assistance you must provide. There is no requirement to run Oracle measurement tools, no data-disclosure obligation, and no remediation timetable. The clause is light on clarity, which cuts both ways, but on balance it cuts in the buyer's favor.
The reason it cuts in your favor is structural. The OTN Java SE agreement functions like an ordering document that carries no licensing metric and no quantities. There is no employee count, no processor count, no NUP figure embedded in the document. Because the agreement defines no metric, Oracle has no contractual basis to interrogate metric-driven data. Oracle can only audit items of relevance to the agreement it is citing, and the OTN agreement is relevant to a narrow set of things: whether your use fell inside the four permitted use cases, and nothing broader. Those four permitted uses are Personal Use, Development Use, Oracle Approved Product Use, and Oracle Cloud Infrastructure Use. Critically, none of them is production. The OTN allowance does not permit any production usage, so the compliance question under OTN is binary: was the install inside a permitted use case or not.
Because the OTN clause specifies no process at all, the terms of any OTN audit are effectively up for negotiation at the point Oracle initiates. You are not conceding a pre-agreed 45-day cooperation regime, because none exists in the document. That is leverage. Our Oracle Java audit response playbook treats this negotiability as an asset to be preserved, not surrendered by volunteering data.
The OTN's one genuine enforcement mechanism is not the audit clause at all. It is auto-termination. The OTN agreement terminates automatically, without notice, if you fail to comply with any of its terms, and on termination you are obliged to destroy all copies. That is the pressure point Oracle actually leans on, and it is why the corporate-authority question below matters so much.
The OMA audit clause is a different instrument entirely. It is far more descriptive, and the added description works largely in Oracle's favor because it grants Oracle concrete rights the OTN never contemplates. The current Schedule P language provides that upon 45 days written notice, Oracle may audit your use of the Programs to ensure compliance with the applicable order and the Master Agreement, and that any such audit shall not unreasonably interfere with your normal business operations.
Two additions to the modern OMA changed the defense posture significantly. First, the clause now expressly authorizes Oracle to run its own measurement tools on your servers and to receive the resulting data: "Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle." Second, the audit performance and the non-public data obtained are folded under the Nondisclosure section, which Oracle uses to defeat delay tactics built on confidentiality objections. Neither of these tools exists under OTN.
The OMA also imposes a hard remediation deadline the OTN lacks. If the audit identifies non-compliance, you agree to remedy it (which may include, without limitation, paying fees for additional licenses) within 30 days of written notification. So the OMA sequence is a defined 45-day notice, a tooled audit, and a 30-day pay-or-cure clock. That timeline discipline is the subject of our day-by-day plan for the 45-day audit window.
| Element | OTN License (click-through) | Oracle Master Agreement (Schedule P) |
|---|---|---|
| Written notice period | None specified | 45 days written notice |
| Defined assistance obligation | None | Yes, including running Oracle measurement tools on your servers |
| Data disclosure requirement | None | Resulting tool data must be provided to Oracle |
| Confidentiality handling | Silent | Audit data folded under Nondisclosure section |
| Remediation deadline | None specified | 30 days from written notice of non-compliance |
| Embedded metric / quantity | None (no metric, no quantities) | Order-driven metrics and quantities apply |
| Scope of permissible questions | Only the four permitted uses | Full compliance against order and Master Agreement |
| Primary enforcement lever | Auto-termination without notice | Structured audit plus pay-or-cure clock |
| Terms negotiable at initiation | Largely yes, clause specifies nothing | Limited, terms are pre-agreed in the schedule |
The OTN grants Oracle a vague, narrow audit. The Master Agreement grants Oracle a tooled, time-boxed one. Do not let the wrong clause govern your response.
Knowing which clause governs starts with knowing which license vehicle attaches to the binaries you actually run. Oracle uses three distinct Java licenses across versions. The Binary Code License (BCL) covers Java 8 and earlier for general purpose computing. The OTN License covers Java 11, 17, and post-window updates. The No-Fee Terms and Conditions (NFTC) covered the launch window for Java 17 and later LTS releases. Only Java 17, 21, and later LTS releases launched under the NFTC. Java 8 and versions 11 through 16 never did, and they remain OTN-licensed.
The NFTC-to-OTN cutover is the audit trap that catches the most organizations. The NFTC permits free use of the covered Oracle JDK release for commercial, production, and internal business purposes, which lulls teams into treating Oracle JDK as free forever. It is not. Once a version moves out of its NFTC window and onto the OTN License, continuing to run the binaries you already have is fine, but every Oracle JDK update released after the cutover is OTN-licensed, and OTN does not permit production. Java 17 moved to OTN in September 2024. Oracle JDK 21 updates are planned under the NFTC only until September 2026 (one year after the JDK 25 LTS release in September 2025), after which subsequent JDK 21 updates move to OTN. So a patched-and-current production JDK 17 estate today is an OTN production breach, and that is exactly the exposure Oracle hunts. The mechanics of the version transition are covered in our overview of the 2026 Oracle Java licensing changes.
One reassurance worth stating plainly: the 2023 shift to the per-employee Java SE Universal Subscription did not retroactively rewrite your legacy terms. Existing BCL, OTN, and NFTC agreements remain valid and unaffected. Oracle cannot convert your historical BCL or OTN installs into per-employee subscription liability by fiat. The question is always which vehicle governed each install at the time of use, and whether that use complied.
The OTN is a click-through. Any developer who downloaded Java SE clicked to accept it, which raises a real and underused defensive argument: not every employee has authority to bind the company to a contract. We advise clients to put IT directives in place making clear that individual employees are not authorized to accept click-through agreements on the organization's behalf. Where such governance exists, the enforceability of an OTN acceptance that a junior developer clicked becomes a live question, and that question weakens Oracle's footing before the audit conversation even begins. This is buyer-side experience talking rather than a settled statistic, but it has moved outcomes in real negotiations.
A large share of Java approaches are not formal audits at all. A soft audit is an informal, voluntary request from Oracle's sales or Java team, and you have no obligation to respond to it. A formal audit is a contractual process invoked under your Master Agreement, with the 45-day notice and the cooperation obligations described above. Do not treat a friendly email as a legal demand, and do not treat a legal demand as negotiable friendliness. Distinguishing the two is foundational, and it maps directly onto the enforcement shift covered in how Oracle changed Java enforcement from LMS to GLAS.
Be especially alert to the branding. The Oracle Assurance or Verification Service markets itself as building confidence through transparency. In practice it is an LMS-style audit conducted without the contractual protections of the audit clause. If Oracle wants to run a measurement exercise, insist that it name the audit clause and accept the protections that clause imposes on Oracle, including the notice period and the reasonableness standard. Do not accept a data-collection exercise that carries Oracle's rights but strips your protections.
If you hold no Oracle Master Agreement, no Java subscription, and no other Oracle contract, Oracle has no contractual audit right at all. No contract means no formal audit. That is a strong defensive position, but it requires careful handling, because Oracle can still run a soft audit and escalate to its litigation office if it believes it holds evidence such as download telemetry. The formal notice mechanics you would face if a contract does exist are detailed in our guide to Oracle GLAS Java audits and formal notices.
The pattern across resolved matters is consistent. When the buyer forces clause identification, confines scope to the correct vehicle, and beats download logs with actual install evidence, claims that opened at seven figures close low or at zero. Our global retailer case study and the five million dollar World Kinect resolution both turned on refusing to accept the wrong audit posture. The clause Oracle cites is not a formality. It is the frame that decides the whole negotiation.
Ask Oracle in writing to name the exact clause and agreement. If Oracle points to a click-through you accepted at download, that is the OTN, which has no notice period and no defined obligations. If Oracle cites a 45-day notice, running measurement tools, and a 30-day remediation clock, that is the Master Agreement Schedule P. Do not proceed until Oracle commits to one.
Not formally. Without an Oracle Master Agreement, a Java subscription, or another Oracle contract, Oracle has no contractual audit right. The OTN click-through gives Oracle a vague audit right but no process and no metric, and its real lever is auto-termination. Oracle can still run a soft audit or escalate to litigation if it believes it has evidence, so handle the no-contract position carefully.
The OTN Java SE agreement carries no metric and no quantities. Because it defines no employee, processor, or user count, Oracle has no contractual basis to interrogate metric-driven data. Oracle can only audit items relevant to the agreement it cites, which under OTN means whether your use fell inside the four permitted use cases, none of which is production.
The NFTC lets you use a JDK release free for production during its window. When that window closes, the version moves to the OTN License, and every update released after the cutover is OTN-licensed, which does not permit production. A patched, current Oracle JDK 17 production estate today is an OTN breach because Java 17 moved to OTN in September 2024. Java 21 updates move to OTN after September 2026.
No. Oracle's Assurance or Verification Service is effectively an LMS-style audit run without the contractual protections of the audit clause. If Oracle wants to measure your estate, insist it invoke a named audit clause and accept the notice period and reasonableness standard that come with it. Do not grant Oracle audit-level access under a branding that strips your protections.
No. The 2023 shift to the Java SE Universal Subscription per-employee metric did not retroactively rewrite prior agreements. Existing BCL, OTN, and NFTC terms remain valid and unaffected. The compliance question is always which vehicle governed each install at the time of use and whether that use complied with that vehicle's terms.
Oracle now audits Java SE on employee count, not installs, which can multiply the bill several times over. How to defend the notice and exit to OpenJDK.
Gated with a work email on the download page. No sales follow up you did not ask for.
Get the White Paper →500+ enterprise clients. 11 vendor practices. Industry recognized. One conversation can change what you pay for the next three years.
One buyer side briefing a week. Renewal signals, audit moves, and the levers that work. No vendor spin.