Celonis v. SAP Update: What Celonis's Proposed Second Amended Complaint Adds to the Lawsuit

5/11/2026

By Pam Fulmer
On May 2, 2026, Celonis filed a motion in Celonis SE v. SAP SE, Case No. 3:25-cv-02519-VC (N.D. Cal.), for leave to file a Second Amended Complaint. The proposed pleading — running 117 pages — has not yet been approved by Judge Vince Chhabria, but it is publicly filed and worth reading. Stripped of the antitrust framing, the proposed complaint is a detailed account of an enterprise software vendor squeezing its installed base. Here is what is alleged, organized by what is happening to the customer rather than by claim.

The Customer Owns the Data, But Cannot Get to It

Celonis alleges that SAP's own General Terms and Conditions for Cloud Services confirm that customers own their enterprise data. The data resides in the customer's instance of the SAP ERP system, often on the customer's own servers. Celonis's process-mining tool reads that data from the customer's environment. SAP is not in the path. Notwithstanding that ownership structure, the proposed complaint walks through a sequence of SAP technical notes — each of which incrementally narrowed how a customer could extract its own data for use with a non-SAP tool. Celonis alleges that after the sequence of changes, only two extraction pathways remain technically permitted: OData, which SAP has withdrawn support for, and Datasphere, an SAP product that the complaint alleges carries fees so high that using it as an extraction conduit to a non-SAP tool is commercially infeasible — sometimes exceeding the cost of the third-party tool itself. The customer-side picture this paints is a familiar one. A customer that purchased SAP ERP under a set of expectations about its ability to work with the third-party tools of its choice has watched those expectations narrow through a succession of vendor-published technical notes the customer never specifically agreed to. The customer's contract did not change. The technical implementation of the customer's contract did.

SAP Allegedly Lied to its Customers to Get Them to Stop Using a Vendor They Liked

The most operationally consequential allegations in the proposed amended complaint are the false-statement allegations. Celonis identifies — by individual SAP employee, by date, by customer, and by substance — specific communications in which SAP told joint customers that using Celonis would violate license terms, require purchase of additional database or HANA full-use licenses, render the customer non-compliant with SAP policy, or imperil S/4HANA migration. The proposed pleading references internal SAP materials that, according to Celonis, instructed SAP account teams to make these statements on a "case-by-case basis" and to avoid any "general compliance campaign" or "public communications" — a directive Celonis cites as evidence that SAP itself recognized the statements were problematic. For the customers on the receiving end of those conversations, the experience was not abstract. The proposed complaint reflects customer inquiries to Celonis in which the customer reported being told its current extraction processes were "no longer permitted," asked Celonis whether it was "in compliance with SAP requirements," reported having been "warned" about future problems with Celonis after migrating to S/4HANA, and asked whether SAP would "want to charge us" for the data connection. One customer told Celonis that as a result of what SAP had communicated, the customer "may be unable to implement Celonis" on its S/4HANA instance. Another reduced its Celonis contract because of its understanding that the Celonis approach "is not allowed." These are not antitrust harms in the abstract. They are operational decisions enterprise customers made based on information the proposed complaint alleges was false.

Customers Were Pushed Into a Bundle Whether They Wanted It Or Not

Celonis alleges that SAP has been giving Signavio — its own process-mining product — away free or near-free inside the RISE bundle, with an internal directive to "include Signavio in every software sale." The customer effect is that customers renewing or expanding their SAP relationship receive Signavio at no additional incremental cost, and Celonis alleges that this has caused customers to drop or scale back their Celonis usage in favor of a product the proposed complaint characterizes as inferior. Celonis identifies multiple lost expansion and renewal contracts — customer names redacted — where Celonis was told the reason for the loss was Signavio's inclusion in a RISE bundle. For customers, the dynamic is one we see repeatedly in enterprise software. A bundled component is presented as free, which makes it operationally rational to consume it. The free component then displaces a third-party tool the customer had been paying for. The customer "saves money" in the short run and loses optionality in the long run, as the third-party market shrinks and the vendor's bundled offering becomes the default.

Customers Are Migration Hostages

Threaded through the proposed pleading is an allegation that resonates with our practice and bears separate attention: customers' relationships with third-party tools are being disrupted at the exact moment customers are migrating to S/4HANA, and SAP is using the migration as leverage. The proposed amended complaint alleges that SAP communicated to customers that continued use of Celonis could jeopardize their S/4HANA migration — a migration most enterprise SAP customers cannot realistically defer. The proposed pleading frames this as part of a coercive scheme.
The customer-side characterization is simpler: the customer cannot exit, cannot defer the migration, and is making procurement decisions about third-party tools under conditions in which the dominant vendor is communicating that the customer's strategic IT future depends on cooperating. That is the textbook fact pattern of economic duress under Rich & Whillock, Inc. v. Ashton Development, Inc., 157 Cal. App. 3d 1154 (1984), and an important reason customers facing this type of vendor pressure should preserve communications carefully and consider counsel involvement early.

Customer Choice — Once Promised, Now Allegedly Removed

The proposed complaint quotes SAP's own historical promises of an "open ecosystem" and "free customer choice," made publicly between 2012 and 2018, on which Celonis and other third-party developers built their businesses. The same proposed complaint alleges that SAP continues to advertise its platform as an "open ecosystem" on customer-facing materials, while internally directing the conduct described above. The complaint also notes that SAP gave explicit assurances to antitrust regulators reviewing the Signavio acquisition that process-management software like Signavio would require only "scanner access" with no fees for indirect use applicable — assurances Celonis says SAP has not honored. For customers, the gap between vendor public messaging and vendor account-team conduct is a recurring theme. The proposed complaint illustrates how that gap can be documented and ultimately litigated.

What This Means for SAP Customers Right Now

A few practical observations follow from reading the proposed Second Amended Complaint as a customer-side document. First, document everything. The proposed pleading is built on emails, sales-team communications, internal SAP slides, and customer-to-vendor inquiries.
The customer that preserves these communications — whether or not it ever intends to litigate — is the customer with the strongest hand at the next renewal. Second, treat compliance assertions skeptically. The proposed complaint alleges that the central pattern of SAP's customer-facing campaign was false statements that the customer's use of Celonis was non-compliant, would trigger additional license requirements, or would create technical or migration risk. Customers who hear similar assertions from any enterprise vendor should obtain those assertions in writing and route them through counsel before acting on them. Vendor compliance claims are not self-validating. Third, recognize what California law provides. We have written before about the California-law tools available to customers facing aggressive vendor conduct: the implied covenant of good faith and fair dealing under Carma Developers (Cal.), Inc. v. Marathon Development California, Inc., 2 Cal. 4th 342 (1992); California's Unfair Competition Law under Business and Professions Code section 17200; economic duress under Rich & Whillock; and tortious interference theories where the vendor's conduct disrupts the customer's relationships with third parties. The Celonis litigation is a live test of how these tools apply to enterprise software conduct. The legal infrastructure California customers can use is more developed than is often appreciated. Fourth, the third-party tools customers depend on may have claims of their own. Celonis is litigating in its own name, but the conduct it describes is conduct directed at SAP customers. Customers whose preferred third-party tools have been the target of similar vendor pressure should be aware that the third party may have independent claims, and that the customer's documentation may be relevant evidence in those proceedings.

Caveats

Two important ones. First, this is a proposed pleading.
The Court has not yet granted leave to amend; until it does, the First Amended Complaint remains the operative pleading. Second, these are allegations only. SAP has denied the allegations in its responsive pleadings and will be entitled to test them through discovery, dispositive motions, and ultimately at the December 7, 2026 trial. Nothing in this post should be read as a finding or conclusion about the merits.

Closing Thought

The most important sentence in the proposed amended complaint, from the customer's perspective, may be the one in which Celonis frames its own theory: customers buy SAP's ERP software to collect and run their own data, and SAP is allegedly using its control over that ecosystem to deny customers the freedom to work with the providers of their choice. Whether or not Celonis ultimately proves its case, the underlying dynamic — a dominant enterprise vendor narrowing customer choice through technical, contractual, and informational levers — is one California licensees will continue to encounter. The proposed pleading is a useful map of what that dynamic looks like in practice and where the legal pressure points are. We will continue to monitor the case as the Court rules on the motion to amend.

Tactical Law Group LLP represents enterprise software licensees in licensing disputes, audit defense, and commercial negotiations involving Oracle, SAP, Broadcom, and other enterprise software vendors. Nothing in this post is legal advice or a comment on any pending litigation. The allegations described are taken from a publicly filed proposed pleading and have not been adjudicated. If your organization is facing aggressive vendor conduct directed at your relationships with third-party providers, please contact us directly.
By Pam Fulmer
Software audit disputes used to be uncomfortable but survivable. A publisher would audit usage, claim over-deployment, and demand a true-up. The customer could dispute the findings, involve counsel, and negotiate while the business kept running. That leverage has changed. In a SaaS, cloud-hosted, subscription, or remotely administered environment, the vendor may control the customer’s practical ability to operate. If the vendor can suspend access, disable authentication, block a hosted environment, or lock down critical data, the dispute is no longer just about who is right under the contract. It is about whether the customer can keep running long enough to find out. California law has not yet developed a mature body of published SaaS “kill switch” cases. But California does provide a set of doctrines that can matter when a vendor threatens to disable mission-critical software to collect a disputed demand: the implied covenant of good faith and fair dealing, economic duress, unconscionability, conversion and trespass to chattels in appropriate cases, the Unfair Competition Law, and emergency injunctive relief. The key is precision. The customer’s argument should not be that a vendor can never suspend service. If the contract clearly allows suspension after defined conditions are met, California courts will generally take that language seriously. The stronger argument is that a vendor may not use a suspension right beyond its contractual scope, in bad faith, without satisfying conditions precedent, to enforce a knowingly inflated demand, or in a way that interferes with customer-owned property or data beyond what the agreement permits. And as a lawyer defending software audit disputes for years, I can tell you that many demands are knowingly and intentionally inflated to use as leverage to extract a large software purchase from the customer. Now imagine how empowered these same predatory publishers will be with the kill switch in their hands. 
Enterprise software customers would do well to start planning their strategies now.

Start with the Contract

The first question is what the agreement actually says. Many enterprise software agreements contain suspension provisions for nonpayment, uncured breach, security risk, license overuse, audit noncompliance, or violation of acceptable-use restrictions. Some clauses are narrow and procedural. Others are broad and vendor-friendly. California law gives real force to express contract language. In Carma Developers (Cal.), Inc. v. Marathon Development California, Inc., 2 Cal. 4th 342 (1992), the California Supreme Court held that the implied covenant of good faith and fair dealing may not be used to prohibit conduct the agreement expressly permits. The covenant protects the bargain; it does not rewrite it. In Bevis v. Terrace View Partners, LP, 33 Cal. App. 5th 230 (2019), the Court of Appeal likewise rejected an implied-covenant theory that would have required a party to choose one contractually permitted course over another. Those cases are important vendor-side authority. But Carma also identifies the customer’s opening: the implied covenant has particular force where one party holds discretionary power affecting the rights of the other. The strongest customer argument is not “the vendor can never suspend.” It is that the vendor cannot use a discretionary suspension mechanism as a pretextual coercion device to obtain benefits outside the bargain or to enforce a claim it knows is false or materially overstated. Think of Oracle's VMware virtualization policy arguments. Relevant questions include whether the contract allowed suspension for this type of alleged breach; whether the vendor satisfied notice, cure, audit, escalation, and dispute-resolution requirements; whether the customer is current on undisputed amounts; and whether the vendor is threatening to suspend services, data, affiliates, or environments beyond the clause’s scope.

Economic Duress

California’s economic-duress doctrine can be powerful in a kill-switch dispute, but only if the customer can show more than ordinary commercial pressure. The leading case is Rich & Whillock, Inc. v. Ashton Development, Inc., 157 Cal. App. 3d 1154 (1984), where a release was unenforceable because it was obtained after a contractor refused to pay an undisputed amount, knowing the other party faced financial ruin. The doctrine turns on a wrongful act, coercive pressure leaving no reasonable alternative, and submission to the pressure. The wrongful act need not be a crime or independent tort; asserting a claim known to be false, making a bad-faith threat to breach, or wrongfully withholding payment may qualify. That framework can fit software suspension threats where a vendor uses a knowingly inflated audit claim, refuses to follow agreed procedures, threatens suspension for amounts not yet due, or demands unrelated purchases or broad releases as the price of continued access. But a vendor’s threat to exercise a clear contractual suspension right after a material uncured breach is not automatically wrongful merely because it creates pressure. If payment is necessary to keep operating, the customer should pay expressly under protest, reserve all rights, identify the disputed grounds in writing, and document why no reasonable alternative existed.

Unconscionability

Unconscionability is possible, but often difficult in enterprise software disputes. In Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015), the California Supreme Court explained that unconscionability requires both procedural and substantive elements. Sonic-Calabasas A, Inc. v. Moreno, 57 Cal. 4th 1109 (2013) describes the same basic framework. In B2B software contracts, the customer may be sophisticated, represented, and able to evaluate alternatives.
The better argument targets the combined remedial architecture: unilateral vendor breach determinations, short cure periods, suspension before neutral review, a bar on consequential damages, a low liability cap, and no meaningful data-export right. The goal may be limited but important: preserve access during a good-faith dispute or prevent the vendor from invoking a liability cap for a wrongful shutdown.

Conversion, Trespass, and Data Lockout

Tort theories are strongest when the vendor interferes with property interests beyond a mere contractual right to use the vendor’s hosted service. The customer should identify exactly what property is being impaired: customer data, electronic records, backups, local installations, servers, devices, credentials, or domain assets. In Intel Corp. v. Hamidi, 30 Cal. 4th 1342 (2003), the California Supreme Court held that unwanted emails did not establish trespass to chattels because they did not damage Intel’s computer system or impair its functioning. For kill-switch purposes, Intel underscores the need for concrete impairment: blocked access, disabled functionality, interruption of system use, or loss of access to records. Conversion may also apply to certain digital property. In Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2007), the Ninth Circuit, applying California law, held that a domain name could support a conversion claim. The out-of-state case Clayton X-Ray Co. v. Professional Systems Corp., 812 S.W.2d 565 (Mo. Ct. App. 1991) remains useful by analogy, but California briefing should lead with California authority.

UCL and Emergency Relief

California’s Unfair Competition Law can support restitution and injunctive relief, but not ordinary damages. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134 (2003) makes that remedial limit clear.
The “unlawful” prong is often the cleanest route, using breach of the implied covenant, duress, unconscionability, statutory violations, or wrongful property interference as predicates. The “unfair” prong requires caution in B2B disputes; under Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163 (1999), unfairness in competitor cases must be tethered to a legislatively declared policy or threaten competition. The most important remedy may be a temporary restraining order or preliminary injunction. California courts consider likelihood of success and the interim harm to each side. Butt v. State of California, 4 Cal. 4th 668 (1992). The customer should build a record showing both irreparable harm and merits: disputed demand, payment of undisputed amounts, failure to follow contract procedures, operational dependency, lack of alternatives, and threatened loss of customer-owned data. California law gives customers a toolkit, not a silver bullet. The winning case usually turns on contract language, procedural defects, a timely good-faith dispute, wrongful pressure, and whether suspension would interfere with customer data or operations in a way damages cannot repair. That is enough to change the negotiation. A vendor facing a prepared TRO application, a duress record, possible UCL restitution, and property-based claims for overreach must evaluate the cost of flipping the switch more carefully.

This article is for general informational purposes only and does not constitute legal advice. Readers should consult counsel about the specific facts of their own situation.

By Pam Fulmer
A finance manager at a California company opens Microsoft 365 Copilot and asks, “Summarize our open purchase orders over $50,000 and flag anything unusual.” Copilot reaches SAP through a connector or other integration layer, builds the answer, and drops it into a dashboard she shares with four hundred colleagues. She is a licensed SAP user. The four hundred colleagues are not. Is that indirect access? Does each of those four hundred colleagues now need an SAP Named User license? Does it matter if Copilot creates a purchase order on her behalf rather than just summarizing one? What if the whole workflow runs autonomously, with no human prompting the agent at all? There is no clear AI-specific published guidance that answers those questions — and that is precisely the problem. SAP and Oracle are actively marketing AI-enabled products and integrations, customers are deploying them at speed, and the contract language that will ultimately be used to assess licensing exposure was drafted decades before anyone imagined an AI agent as a user.

This Is Not a New Problem — It Is the Diageo Problem in New Clothes

In 2017, the UK High Court ruled in SAP UK Ltd v. Diageo Great Britain Ltd that thousands of Diageo customers and sales representatives using Salesforce-based apps — apps that in turn exchanged data with SAP — constituted indirect users of SAP ERP. SAP claimed more than £54.5 million in additional license fees. The case settled before the damages phase, but the liability ruling became a touchstone for later indirect-access disputes and helped catalyze SAP’s move toward its current Digital Access model, while reinforcing the broader vendor view reflected in Oracle’s aggressive enforcement of its multiplexing rule. Diageo was ultimately a case about middleware. The court concluded that even though Salesforce users never logged into SAP directly, the fact that their actions flowed through middleware into SAP meant they were using the SAP software.
That reasoning — that “use” and “access” can reach through whatever sits in the middle — is exactly what makes AI agents a likely next battleground.

What’s Different Now: The AI Agent Fact Patterns

AI agents raise the indirect access problem in four distinct ways, and each one introduces contractual ambiguity the vendors have not resolved. First, conversational assistants with ERP connectors. Microsoft 365 Copilot, ChatGPT with custom connectors, and similar tools allow a licensed user to query SAP or Oracle data and then redistribute the result to an unlimited audience. The licensed user pays for the license, but the practical beneficiaries may be hundreds of colleagues who never had a seat. Second, agentic workflows that create transactions autonomously. Procurement-to-pay pipelines can match invoices to purchase orders and post documents into S/4HANA without a human in the loop. Under SAP’s Digital Access model, every posted document — sales order, invoice, purchase order, journal entry, and others — may be a countable event. An agentic pipeline can multiply a customer’s historical document volume many times over, and SAP’s published materials do not clearly exclude AI-generated documents from the count. Drafts, retries, and reversal entries only compound the issue. Third, service-account connections in Oracle environments. A customer-service AI agent might use a single Oracle service account to answer billing or shipment questions on behalf of thousands of end customers. Oracle’s multiplexing rule, essentially unchanged for years, states that multiplexing does not reduce Oracle license requirements and that users at the multiplexing front end must still be licensed. On its face, that rule could be read to reach every one of those end customers — a potentially devastating position in an audit. Fourth, retrieval-augmented generation pipelines.
A common enterprise pattern now is to extract master data from SAP or Oracle nightly, embed it into a vector database, and answer employee questions from the vector store. Is the nightly extract the relevant “access” event — a single licensed pathway? Or does every downstream question count because the data originated in SAP or Oracle? The contract language usually does not resolve that issue, and a motivated vendor auditor can argue it either way.

The Vendor Silence Is Deliberate

SAP now offers Joule base capabilities at no additional cost, while pricing certain premium AI capabilities separately, including in some cases through consumption-based AI Units. Oracle has embedded hundreds of AI agents across its Fusion Cloud applications. Both vendors are actively marketing these capabilities. Neither vendor, however, has published clear guidance answering the licensing questions above. That silence is a feature, not a bug. Ambiguous contract language is one of the most powerful tools a licensing team has in an audit. When the rules are unclear, the vendor gets to assert the most expensive reading first and negotiate downward from there. Customers that did not think to negotiate AI-specific language in their 2019 or 2022 renewals are the ones most exposed.

Why California Customers Have Leverage

California is home to a disproportionate share of enterprise SAP and Oracle customers, and California law gives customers several tools when a vendor tries to stretch pre-AI contract language to cover an AI deployment the parties never discussed. Every California contract carries an implied covenant of good faith and fair dealing. Where one party holds discretionary power — as vendors often do when interpreting their own license terms — that discretion must be exercised reasonably and with proper motives.
A vendor that assesses a multi-million-dollar compliance finding against a customer on a theory the parties never discussed at signing may face a substantial good-faith challenge. California Civil Code section 1654 codifies the rule that ambiguous contract language is construed against the drafter. California courts apply that principle seriously, particularly in agreements drafted by sophisticated legal teams — and SAP and Oracle agreements are drafted by some of the most sophisticated licensing teams in the industry. Ambiguous words like “user,” “access,” or “multiplexing front end” belong to the vendor. If the vendor intended those terms to cover AI agents, copilots, downstream recipients, or vector-database architectures, it should have said so in the contract rather than for the first time in an audit demand. California’s Unfair Competition Law, Business and Professions Code section 17200, reaches unlawful, unfair, and fraudulent business practices. It can be especially useful when a vendor changes its interpretation of the same contract language between customers or over time, or when audit conduct crosses the line into misrepresentation or concealment. Finally, course of performance matters. If a vendor audited a customer in 2022 and did not flag an AI-enabled integration that was already in place, that audit history may support the customer’s interpretation of the contract and may strengthen waiver, estoppel, or course-of-performance arguments when the same vendor audits the same integration in 2026 and suddenly claims a compliance failure. Customers should be preserving audit history, support tickets, and account-team correspondence now, while memories are fresh, rather than scrambling later.

Getting Ahead of the Problem

There are a handful of practical steps every SAP or Oracle customer deploying AI agents should take before the first audit letter arrives.
Revisit your most recent vendor contract and study the definitions of “user,” “access,” “indirect use,” and — for Oracle — “multiplexing.” Where the language is silent on AI agents, that silence is both an argument for you in the short term and a redline target in the next renewal. If the vendor is offering a new AI product as an add-on, insist on written confirmation of how that product interacts with your existing license metrics before you buy. Document your AI deployment architecture now. How does the agent connect? Who are the prompting users? What does the agent read, and what does it write? Which outputs create countable documents under Digital Access, and which are merely transient summaries? The time to build that file is before a vendor audit team builds it for you. Treat vendor-native AI differently from third-party AI. SAP’s Joule and Oracle’s Fusion AI agents are the vendor’s own products. There is a strong argument that licensing a vendor’s AI features should come with bundled indirect-access rights for the downstream outputs those agents produce. That argument should be made in writing, and it should appear in the contract itself.

How Tactical Law Can Help

The intersection of AI deployment and ERP licensing is where two fast-moving areas collide, and the customers who will pay the least are the ones who start the conversation before the vendor does. Tactical Law advises enterprise customers on licensing strategy, audit defense, and contract negotiation across exactly these issues. If your organization is deploying AI agents, copilots, or agentic workflows against an SAP or Oracle estate — and you have not yet had a conversation with outside counsel about what that means for your license position — now is the time.

Oracle’s Newest Java Audit Demand: Your VMware Topology — and What California Law Says About It

4/19/2026

By Pam Fulmer
A pattern is appearing in Oracle’s Java licensing enforcement that every in-house counsel with an Oracle footprint needs to understand. On the sales side, at least in some instances, Oracle is offering customers what is, in substance, a two-track choice. Customers willing to subscribe on the new per-employee Java SE Universal Subscription metric can do so without producing information about their virtualization environment. Customers who want to remain on — or return to — Oracle’s legacy Named User Plus or Processor-based Java metrics may be required by Oracle to first disclose extensive data covering the entire VMware farm, not only the servers where Oracle software is installed or actually running. A Java licensing conversation is, in other words, being converted into a VMware full environment disclosure. The scope of that demand is the tell. Even under the legacy Named User Plus and Processor options, Java compliance is verified by reference to the servers where Oracle Java is actually installed and/or running. When Oracle asks for data about the full virtualized environment — including hosts that do not run Oracle software at all — the data is being collected for a different purpose. This post explains that purpose, why it is dangerous, and the California legal arguments customers can use to push back.

What Oracle Is Asking For

The audit side of this pattern is now documented in the trade press. Redress Compliance has reported that Java audit letters ask for “a full list of all VMware or other virtualized platform hosts, whether they have Java installed or not.” House of Brick has documented Oracle asking for vCenter exports and cluster configuration data during Java audits and tying those requests back to Oracle’s aggressive position on VMware licensing. And The Register’s 2024 coverage of Java audit letters to Fortune 100 companies signaled the scale of the escalation.
The structure of the choice Oracle is offering customers with meaningful Java dependencies deserves a closer look, because it functions as a Hobson’s choice. Accepting the per-employee metric avoids any VMware inquiry, but it has made Oracle Java dramatically more expensive for most enterprises than the legacy arrangements. Declining that metric in favor of Named User Plus or Processor-based licensing may require the customer to hand over data on the full VMware environment — including hosts that have nothing to do with Oracle software. And walking away from Oracle Java altogether is, for many customers, not a short-term option: a disciplined migration to OpenJDK or another supported distribution takes time, requires engineering and testing work, and introduces business risk that cannot be absorbed on Oracle’s negotiation timeline. Customers have understandably balked at the VMware-disclosure path. Producing whole-farm topology to Oracle at any stage of a Java engagement raises the risk that the inquiry will expand beyond Java, or that Oracle will use the data to assert compliance claims about other Oracle products running in the same environment — most obviously Oracle Database. That is the subscription-side extension of the pattern we described in “Oracle Java Licensing Enforcement: How ‘Friendly Outreach’ Is Driving Significant Compliance Risk” and in “How Oracle Uses Online Agreements for ‘Free Software’ to Trap Companies”: Oracle’s outreach is not just pre-litigation intake — in some instances it has become pre-audit intake, with the subscription transaction itself used as the lever.

Why It Is Dangerous

The purpose of the VMware request is Oracle’s long-running “soft partitioning” position on database licensing — the whitepaper theory, never codified in customer agreements, that any physical core in a VMware cluster where Oracle software could theoretically run must be fully licensed.
Under its more aggressive expressions, according to Oracle, every host connected to the same vCenter, or reachable by vMotion, must be licensed for any Oracle software running anywhere in the environment. For a customer running a modest Oracle Database footprint on a large VMware estate, the resulting compliance gap is often very large.

That position has never been tested in a court ruling, and independent specialists have argued forcefully that Oracle’s soft-partitioning theory is inconsistent with how VMware actually works. But the economic pressure to settle rather than litigate is enormous, and Oracle knows it.

A customer who hands over complete vCenter topology during a Java audit has, in practical terms, already pre-calculated the database compliance claim Oracle will assert three months later. The Java audit is the delivery vehicle. The database claim is the payload.

California Legal Arguments That Matter

For Oracle customers — many of whom operate under Oracle agreements that select California law by an express choice-of-law provision — California provides a toolkit for pushing back on this conduct. As California lawyers, we are intimately familiar with this toolkit.

The Unfair Competition Law, Business & Professions Code § 17200, is the most flexible and most important of those tools. Section 17200 prohibits any “unlawful, unfair, or fraudulent business act or practice.” The “unfair” prong reaches conduct that violates public policy or causes substantial injury, even where no specific statute has been violated. Conditioning the sale of a Java subscription — priced on a metric entirely unrelated to virtualization — on the customer’s disclosure of VMware topology that will predictably be used to construct a separate, much larger claim appears to fit the “unfair” framework cleanly.
Post-Proposition 64, a UCL plaintiff must show actual injury; a customer who paid an inflated subscription price, or who was forced into a database compliance settlement the disclosure made possible, can satisfy that requirement. The implied covenant of good faith and fair dealing is a second, and often underused, angle. Every California contract includes an implied covenant prohibiting either party from acting to deprive the other of the benefits of the bargain. When Oracle invokes the audit clause from one agreement — an Oracle Master Agreement, a database OLSA, or an OTN license — to extract information whose only function is to build claims under a separate product line, the implied covenant may be available as a basis for a claim. Audit rights exist to verify compliance with the agreement that granted them. Using them as reconnaissance for a different product’s claims is not what the parties agreed to, and California courts take that distinction seriously. Finally, economic duress. California recognizes the doctrine where one party uses a wrongful act or threat to force another into a transaction it would otherwise refuse, and where the coerced party has no reasonable alternative. Rich & Whillock, Inc. v. Ashton Development, Inc. (1984) 157 Cal.App.3d 1154 remains the foundational authority. The choice Oracle is presenting — an expensive new metric, or a whole-VMware farm disclosure that will foreseeably build claims elsewhere, or abandoning a business-critical platform on an infeasible timeline — fits that framework. Most often the scope of Oracle’s demanded disclosure has no legitimate relationship to the Java transaction, and a customer whose Java dependencies cannot be unwound on Oracle’s timeline has no reasonable alternative. Duress is a particularly valuable defense because it attacks the enforceability of any settlement Oracle later extracts from data produced under coercion. 
What To Do When the Pattern Appears

A few practical steps apply whether the demand arrives in a formal audit letter, a GLAS follow-up, or a sales-team email holding up a subscription quote. Stop providing VMware information in any Java communication. Demand in writing that Oracle identify the specific contract clause authorizing the request and the specific Oracle product whose compliance is being verified; if Oracle cannot answer, the request is a fishing expedition. Document any conditioning of a subscription sale on disclosure — that documentation is the foundation of any UCL, implied-covenant, or duress argument later. And involve counsel before information leaves the company. Early, counsel-led responses are the single strongest predictor of a favorable outcome in this pattern.

Closing Thought

The Java audit is increasingly not about Java. Oracle’s enforcement program is a data-gathering operation with a sales objective attached, and the whole-farm VMware demand is the most aggressive expression of that strategy we have yet seen. California law gives customers real tools to resist it — but those tools only work if the customer reaches for them before the data has been delivered.

Tactical Law Group LLP represents enterprise software licensees in Oracle and other software publisher licensing matters, audit defense, and commercial negotiations. Nothing in this post is legal advice or a comment on the specific circumstances of any customer or transaction. If your organization is facing an Oracle Java audit — or is being told a Java subscription is conditioned on VMware or other environmental disclosure — please contact us directly.

By Pam Fulmer
For three years, we have been writing about Oracle’s Java licensing enforcement as a slow-motion campaign — one that began with “friendly” compliance emails, continued through a series of escalating sales-team overtures, and rarely produced a formal audit letter. That campaign is now changing character. In 2026, the soft outreach is giving way to formal audit notices issued under Oracle’s license management function — what used to be called LMS, and is now branded Global Licensing and Advisory Services, or GLAS. The letters are arriving. They look and feel different from what Oracle Java customers have seen for the last several years. And the pattern of who is getting them is not random.

Our view, which we have previewed in earlier posts, is that this moment has been structurally inevitable since early 2023 — the year Oracle replaced its prior Java SE subscription with the Java SE Universal Subscription, a per-employee model that made Java dramatically more expensive for most enterprises and fundamentally changed Oracle’s enforcement economics. This post explains why the formal audits are finally here, what they actually look like, and what Oracle Java customers should be doing before — or, if the letter has already arrived, during — the audit.

How We Got Here

The current story starts with Oracle’s decision, announced in January 2023, to move Java SE off a per-user and per-processor model and onto a per-employee model covering every employee, contractor, and agent of a subscribing entity — whether or not they actually use Java. We wrote about the immediate commercial effect in Oracle Changes Java SE Licensing Rules and Prices Explode, and the practical upshot has not changed: for most enterprises the cost of Oracle Java increased dramatically, in many cases by a multiple of what the prior subscription had charged. Many companies concluded, reasonably, that the new model was not for them.
They began evaluating OpenJDK, Amazon Corretto, Azul Zulu, and other supported alternatives. Some migrated. Some did not.

What happened next was not a quiet period. It was a campaign. As we described in Oracle Java Licensing Enforcement: How “Friendly Outreach” Is Driving Significant Compliance Risk, Oracle’s sales and compliance teams began contacting organizations with pointed but informal questions about their Java deployments. Those inquiries were frequently positioned as helpful — an offer to “clarify” licensing status, or a suggestion that the company might qualify for a “special transition” subscription. In Warning to Oracle Customers: Don’t Be Fooled By Oracle’s Java Playbook, we explained why that framing was — and is — dangerous. The calls and emails were not customer service. They were pre-litigation intake.

Why the Formal Audits Are Finally Coming

Three things have changed in 2025 and 2026 that are now driving formal audit letters in volume.

First, Oracle has had three years to gather data. As we discussed in How Oracle Uses Online Agreements for “Free Software” to Trap Companies, Oracle tracks downloads of Java binaries in detail — IP addresses, corporate domain associations, download timestamps, and whatever account information was used at download. It also logs the automatic update check-ins made by every installed copy of Oracle Java that has not been affirmatively disconnected from Oracle’s servers. Three years of that telemetry, cross-referenced against whatever the friendly outreach emails extracted from the company directly, is now a usable audit foundation. The companies Oracle is sending formal letters to in 2026 are not being chosen at random.

Second, the soft-outreach stonewall has produced a target list. Companies that responded to the friendly outreach by buying the subscription on Oracle’s terms were never going to receive a formal audit letter — they were already paying.
Companies that simply did not respond, or that responded with a polite “we use non-Oracle Java,” were implicitly telling Oracle that the only way to convert them was through the audit clause in their existing Oracle agreements or through the click-wrap terms they accepted when they downloaded Oracle Java. Three years later, that target list is mature.

Third, Oracle has business reasons to push harder now. As we wrote in our recent coverage of the Rimini Street settlement, Oracle’s financial story has pivoted to a cloud and AI infrastructure business whose margins are widely understood to be thinner than its legacy support business. The support and subscription revenue line — the line that includes the Java SE Universal Subscription — has become more, not less, critical to Oracle’s investor narrative. Converting long-resistant Java customers into subscription customers, via audit, is directly aligned with that strategy.

There is a fourth factor worth naming separately. We have seen an emerging pattern — which we flagged earlier and which the trade press has since confirmed — of Oracle declining to sell Java subscriptions to certain customers unless those customers first disclose detailed usage and employee-count information. In some instances, companies that tried to buy their way into compliance have been told, in effect, that compliance is not available to them without first producing the data that typically comes out of an audit. That is not a sales process. It is a structure for manufacturing non-compliance, and in-house counsel should treat it as such.

What a Formal Java Audit Letter Looks Like

The formal audit letters arriving in 2026 look meaningfully different from the outreach emails that preceded them. They are typically addressed to a named C-suite executive — CIO, CFO, or General Counsel — and signed by an Oracle GLAS representative rather than a salesperson.
They cite an audit clause either in the company’s existing Oracle Master Agreement (if the company holds other Oracle products) or in the Oracle Technology Network License Agreement that governed the original Java download. They name an audit window — commonly forty-five days — and specify whether the review will be conducted directly by GLAS or through a designated third-party auditor. And they set an expansive scope: global employee counts, deployments by version, installation inventories, virtualization and cloud environments, and anything Oracle believes relates to its employee-metric calculation.

For readers who want a deeper walk through how Oracle conducts these engagements generally, our earlier post Oracle Knows More About You Than You Think: Lessons from Oracle v. Kelkar remains directly on point.

What Oracle Java Customers Should Be Doing Now

Whether or not a formal letter has already arrived, a few things are worth doing now.

Inventory your own Java deployments before Oracle tells you what they are. The most damaging audit outcomes we see are the ones where the company learns the size of its Java footprint from Oracle — usually at a moment when the company has lost most of its negotiating leverage. Counsel-led internal discovery, done under privilege, almost always produces a more favorable result.

Understand which license terms actually govern your Java usage. Not every Java installation is governed by the same agreement. Versions and licenses have changed several times since 2019, and what you downloaded in 2018 is almost certainly not what you downloaded in 2024. Older, more permissive license grants still exist in many environments. Identifying them is often the single most important step in a Java audit defense.

Do not respond to “friendly outreach” without counsel. The consistent pattern we see is that informal responses to Oracle’s pre-audit inquiries become the foundation of the formal audit that follows.
If an email from an Oracle Java team member has landed in your inbox and you have not yet responded, treat it the way you would treat a preservation letter.

If the formal audit letter has arrived, assert the procedural protections you are entitled to. Oracle audit clauses are negotiable in practice, even if they look one-sided on the page. Scope, timeline, choice of auditor, and handling of proprietary data are all areas where experienced counsel can substantially change the trajectory of an audit.

Closing Thought

None of this was unpredictable. We wrote, in Java Audits Likely Will Increase as Oracle Seeks to Move Java Users onto its Total Employee Metric, that the shift to the employee metric would eventually produce a wave of formal audits, and that the quiet soft-outreach period was not a feature of Oracle’s enforcement posture but a phase of it. That phase is now closing. The companies that treated the last three years as a chance to prepare — to inventory, to analyze their contracts, and to reduce their dependence on Oracle Java where alternatives exist — are in a materially stronger position than those that assumed the outreach would simply go away. It did not. It never does.

Tactical Law Group LLP represents enterprise software licensees in Oracle and SAP licensing matters, audit defense, and commercial negotiations. Nothing in this post is legal advice. If an Oracle audit letter has arrived at your organization — or if you are receiving the “friendly” pre-audit emails that tend to precede one — please contact us directly.

By Pam Fulmer
When Oracle and Rimini Street announced their confidential settlement in July 2025, the headlines framed the moment as the quiet close of a decade-plus copyright saga. For the lawyers who lived through the case, that was certainly true. But for the Oracle customers who have watched this litigation from the sidelines — often while writing twenty-two-percent-of-license-cost checks to Oracle each year — the settlement is not the end of anything. It is the beginning of a new round of questions about who controls the cost of enterprise software support, and who is going to pay for it.

We have written before about the litigation and the Ninth Circuit’s December 2024 opinion that forced the parties to the table. This post is about what comes next. The short version: the Ninth Circuit handed Oracle a loss on the law. The settlement handed Oracle something it arguably wanted more — a clear off-ramp for one of the largest pools of customers who had found a cheaper alternative to Oracle’s support machine. The question Oracle customers should be asking is whether that trade will show up in their renewal invoices.

A Quick Refresher

The settlement has three load-bearing pieces: Oracle returned approximately $37.8 million of the attorneys' fees the lower court awarded to Rimini Street; Rimini agreed to wind down its third-party support for Oracle PeopleSoft by July 31, 2028; and both sides dropped their remaining claims with neither admitting wrongdoing.

The parties reached this deal after the Ninth Circuit vacated nearly every material copyright ruling against Rimini, reversed the Lanham Act judgment, and set aside the injunction. The court called the district court’s reading of “derivative work” “hopelessly overbroad,” and held that “mere interoperability isn’t enough” — a party must actually, substantially incorporate copyrighted material to infringe the right to prepare a derivative work.
On the law, the third-party support industry walked out of the Ninth Circuit in a stronger position than it walked in. Which is precisely why the settlement terms — and the PeopleSoft wind-down specifically — are interesting.

Oracle’s Support Business, and Why It Matters Here

Anyone who has read Oracle’s recent annual reports understands a simple fact: the company’s revenue is no longer dominated by new software license sales. The overwhelming majority of what Oracle takes in every year comes from cloud services, subscriptions, and — critically for this discussion — license support. Support and subscription revenue is not a sideline for Oracle. It is the business.

And it is a remarkably profitable one. Software support — the recurring fee Oracle collects in exchange for patches, bug fixes, and portal access — carries famously high margins by enterprise software standards, meaningfully above Oracle’s already-robust overall margin. When you compound those margins over decades of paid-up license bases, you see why Oracle’s investor story has for years been less about selling new software and more about keeping the existing customer base inside the paying support tent.

The mechanics are worth spelling out. Oracle’s standard Premier Support fee is twenty-two percent of the net license fee, charged annually — a figure codified in Oracle’s own published support policies, which also reserve Oracle’s right to raise that fee annually based on “inflationary” adjustments Oracle itself sets. Historically modest, those annual uplifts have in recent years trended meaningfully higher than conventional inflation. Over a ten-year horizon on a large license base, the compounding effect is substantial — the difference between a support budget that stays roughly flat in real terms and one that quietly doubles.

Why the Settlement Terms Favor Oracle, Even If the Law Did Not

Read against that financial backdrop, the 2028 PeopleSoft sunset is not a footnote. It is the point.
PeopleSoft is a mature product set Oracle acquired in 2005. Many PeopleSoft customers have paid-up perpetual licenses, no interest in migrating to an Oracle cloud suite on Oracle’s timeline, and every reason to keep their existing systems running on a leaner support contract. That profile — stable, installed, resistant to re-platforming — is exactly what third-party support is built for, and exactly what is most valuable to Oracle if it can be kept on Oracle Premier Support for as long as possible. By securing a firm date by which one of the largest third-party support providers will stop supporting PeopleSoft, Oracle has effectively put a clock on a slice of the third-party support market it cares about most. Those customers will be deciding between 2026 and 2028 whether to return to Oracle support, move to another third-party provider, accelerate a replatforming project, or run unsupported. Nothing in the Ninth Circuit opinion compelled that outcome. The court’s holding cuts the other way — it makes copyright doctrine a harder tool for Oracle to use against third-party support providers. What the settlement did is trade a legal theory that was failing in court for a commercial concession extracted at the bargaining table. A rational outcome for a sophisticated plaintiff. But worth looking at clearly from the customer’s side. A note on Rimini: we have enormous respect for the role the company has played — and continues to play — in giving Oracle and SAP customers a meaningful alternative to vendor support. Rimini did not lose this litigation in any conventional sense. The company vindicated the legality of independent third-party support at the Ninth Circuit, survived a fifteen-year campaign from one of the best-resourced plaintiffs in technology, and continues to serve thousands of customers across Oracle, SAP, and other enterprise software product families. The PeopleSoft wind-down is a defined, manageable transition. 
The narrower question for Oracle customers is not whether Rimini survived — it is whether Oracle’s pricing leverage on its most captive installed base just got stronger.

The Pricing Question

There are two plausible reads on what happens to Oracle support pricing over the next three to five years.

The optimistic read: the third-party support market is bigger and more robust than ever, with more credible providers serving more customers across more product lines than when the Rimini litigation began. Competitive pressure — from Spinnaker Support, Support Revolution, Rimini itself, and others — keeps Oracle from pushing support fees arbitrarily without accelerating customer defections. The twenty-two-percent fee plus modest annual uplifts stays roughly where it is.

The cautious read: the PeopleSoft sunset is a signal. For those customers specifically, Oracle now has a defined window in which a meaningful share will be forced to make a decision, with every incentive to make the return-to-Oracle option attractive up front while positioning for price increases once those customers are back inside the tent. More broadly, if Oracle concludes that commercial-term negotiations with third-party providers can substitute for a failing copyright strategy, similar dynamics may play out in other product lines. And Oracle’s public posture is not subtle: its reliance on support and subscription revenue is increasing as its growth narrative pivots to cloud and AI infrastructure whose margins are widely understood to be thinner. When margins compress in one place, there is a natural pull on management to protect margins elsewhere.

We do not yet know which read is closer to right. But customers who assume the settlement is simply “news” — a 2025 storyline requiring no action — are taking a position that the next three years of renewal cycles may test.

What This Means for Oracle Customers

A few things flow from all of this.
First, the legal ground under third-party support is firmer, not softer, after the Ninth Circuit opinion — customers still hesitant about the legal risk should understand the highest recent appellate statement runs the other way. Second, PeopleSoft customers on Rimini support should be planning now, not in 2027; a thoughtful transition takes longer than most organizations expect and benefits from being planned before leverage shifts toward the deadline. Third, every Oracle renewal conversation from here forward is a pricing conversation, and customers who want to hold the line need to build leverage well before the renewal window. Finally — and this is the piece our firm spends the most time on — the support-cost question is inseparable from the audit-risk question. Oracle’s audit practice and its support renewal practice are two sides of the same revenue engine, and serious customers have to manage both together.

The Rimini Street settlement is, narrowly, a story about one provider and one product line. Broadly, it is a story about who bears the cost of Oracle’s transition to being an AI-and-cloud company financed by a support annuity business. The Ninth Circuit made clear that copyright law is not going to do that work for Oracle. The settlement shows that commercial leverage might.

None of this is reason to panic. It is reason to stop treating enterprise software support as a fixed cost line that simply renews itself each year — and to start treating it as a contract that is actively managed, aggressively negotiated, and regularly benchmarked against a growing and legally-vindicated ecosystem of alternatives. The customers who engage early keep control of their own budgets.

Tactical Law Group LLP advises enterprise software licensees on Oracle and SAP licensing, audit defense, and commercial negotiations. Nothing in this post is legal advice. If you have questions about your organization’s Oracle support or audit posture, please contact us directly.

By Pam Fulmer
On April 9, 2026, Oracle filed a federal lawsuit in the Eastern District of North Carolina against its former employee, Pravin Kelkar, alleging trade secret misappropriation and breach of contract. The case, Oracle America, Inc. v. Kelkar (Case No. 5:26cv236), reads like a corporate thriller: a terminated employee threatening to sell Oracle's proprietary databases to the highest bidder. But buried inside the drama is a revelation that should concern every Oracle customer. Oracle's own Complaint lays out, in remarkable detail, just how much information Oracle collects about its customers and how central that data is to Oracle's sales machine.

What the Complaint Alleges

Pravin Kelkar worked at Oracle for over five years, most recently in a sales operations role supporting Oracle's Life Sciences businesses. When Mr. Kelkar got caught up in Oracle’s recent massive layoff (Oracle eliminated his position on March 31, 2026), the Complaint alleges that Kelkar responded by sending threatening messages to Oracle's HR team and senior executives. He claimed to have transferred Oracle's entire "install base" database to a personal device and threatened to sell it to Oracle's competitors unless Oracle met his demands for two years of full salary, benefits, and immediate vesting of his restricted stock units.

Oracle attempted to resolve the matter without litigation, contacting Kelkar by letter and phone, requesting that he return the data and submit his personal devices for forensic inspection. Kelkar refused to fully cooperate, at one point claiming his threats were made "in jest," while simultaneously declining to return the materials or allow an inspection. Oracle filed suit nine days later, seeking emergency injunctive relief under the Defend Trade Secrets Act.

The Real Story: What Oracle Considers Its "Install Base"

The most revealing aspect of this Complaint is not Kelkar's conduct.
It is Oracle's own detailed description of what its "install base" databases contain and why Oracle considers them to be among its most valuable trade secrets.

According to Oracle's Complaint, the install base databases include granular, confidential details about Oracle's customer relationships, covering information such as which products and services each customer uses, where those products are deployed, confidential pricing and contract terms, support identifier numbers for each customer, sales history broken down by fiscal quarter and week, product-use information, contract status and renewal timing, forecast and pipeline information, account ownership and sales representative contact information, and facility or site-level deployment details.

Oracle maintains separate install base databases for its North America region, its Oracle Health business (formed after Oracle's 2022 acquisition of Cerner Corporation), and its Fusion product lines. The company describes these databases as representing years of ongoing development, built and maintained at substantial time, effort, and expense by its sales and operations teams.

Oracle's Complaint explains that these databases exist for a specific purpose: to provide Oracle's sales and operations teams with the information they need to facilitate the maintenance and growth of customer relationships, track sales and renewal schedules, and provide critical data on software revenue and profitability. In other words, Oracle is not simply storing this data for record-keeping. It is actively using it to drive sales strategy, identify upsell and cross-sell opportunities, and time its outreach around contract renewals.

Why This Should Concern Oracle Customers

Oracle's Complaint makes clear that the company views its customer data as a competitive weapon.
Oracle itself alleges that a competitor could use this information to uproot its customers by reviewing what products they use, what their impending needs are, what prices they pay, and when their contracts end.

Turn that sentence around: if a competitor could use this data to target Oracle's customers, Oracle itself is certainly using this same data to target its own customers for additional sales. Oracle knows what you have deployed, what you are paying, when your contracts come up for renewal, and what your usage patterns look like. That is an extraordinary informational advantage in any negotiation.

For Oracle customers, the implications are significant. Every interaction with an Oracle sales representative, every support ticket, every deployment discussion is potentially feeding a database that Oracle uses to craft its sales approach. When Oracle contacts you about a renewal or a new product offering, it is not making a cold call. It is working from a detailed dossier on your entire Oracle footprint.

What Companies Should Do

The Oracle v. Kelkar case is a wake-up call for any organization running Oracle software. Oracle is meticulously tracking your data, and it is using that data to maximize its revenue from your account. Companies that want to level the playing field should consider the following steps.

Control the flow of information to Oracle. Establish clear internal policies about what employees can and cannot share with Oracle sales representatives. Not every conversation needs to include details about your deployment plans, budget cycles, or technology roadmap. Train your teams to understand that information shared with Oracle does not disappear; it goes into a database.

Centralize your Oracle relationship. Designate a small team or a single point of contact responsible for managing Oracle communications.
This prevents Oracle from gathering intelligence across multiple departments and assembling a more complete picture of your organization than any one person intended to provide.

Understand your contractual position before Oracle does. Oracle knows your renewal dates, your pricing history, and your deployment footprint. You should know these things at least as well as Oracle does. Conduct regular internal audits of your Oracle estate so that you are never negotiating from a position of informational disadvantage.

Be strategic about support and deployment conversations. Technical support interactions and implementation discussions can reveal information about how you use Oracle products, where you are experiencing growth, and what your future needs might look like. Be thoughtful about what details are shared and through which channels.

Engage experienced counsel before Oracle comes knocking. Whether you are facing an audit, negotiating a renewal, planning a migration, or simply trying to understand your rights under your existing agreements, having advisors who understand Oracle's playbook can make an enormous difference in outcomes.

How Tactical Law Can Help

At Tactical Law, we have deep experience advising companies on their Oracle relationships. We understand how Oracle structures its sales organization, how it uses customer data to drive its licensing and audit strategies, and how companies can protect themselves from being outmaneuvered.

Whether you are preparing for an Oracle license audit, negotiating a complex renewal, evaluating a migration to Oracle Cloud or away from Oracle entirely, or simply trying to get a handle on your current Oracle exposure, our team can help you develop a strategy that protects your interests and your budget.

Oracle has a database full of information about you. We help you make sure the playing field is level. Contact Tactical Law today to learn how we can help your organization take control of its Oracle relationship.
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The discussion of Oracle v. Kelkar is based on allegations contained in the publicly filed Complaint and does not represent findings of fact by any court.

By Pam Fulmer
This is the first in a series of articles from Tactical Law examining the SAP licensing landscape and what it means for your organization. If your company runs SAP, there's a good chance you'll face a license audit in the next few years — and the outcome may cost you far more than you expect. SAP's license audit program has become one of the company's most effective tools for generating new revenue. Buried in most SAP contracts is a clause granting SAP the right to review your license compliance, typically on an annual basis. While not every customer is audited every year, SAP's Global License Audit & Compliance team selects targets strategically — and when they come knocking, the financial stakes can be significant. How the Audit Becomes a Sales Conversation Here's what many SAP customers don't realize until they're in the middle of it: an audit finding isn't a fine. It's the opening move in a negotiation. When SAP identifies a licensing shortfall — whether that's too many users, the wrong user classifications, or unlicensed system integrations — the compliance team works in coordination with SAP's sales organization. The shortfall creates urgency. The sales team then presents the remedy: additional licenses, a conversion to RISE with SAP, adoption of a new licensing model, or an expanded cloud subscription. Customers mid-migration to S/4HANA are particularly exposed, because they're already committed to a massive project and have limited leverage to push back. Where SAP Focuses Its Audits SAP's audit teams have become increasingly sophisticated about where they look. Four areas dominate current audit activity: Indirect access is the most consequential. Whenever a third-party system — your e-commerce platform, CRM, supplier portal, or any external application — reads from or writes to SAP, SAP takes the position that those interactions require licensing. 
Under their Digital Access model, this is measured by counting business documents like sales orders and invoices created by outside systems. For companies with heavily integrated environments, the exposure can be substantial. User classification is another frequent finding. SAP licenses are tiered by the transactions a user is permitted to run, and each tier carries a different price. If an employee classified at a lower tier has executed even a single transaction reserved for a higher tier, SAP will argue that person should have been licensed at the more expensive level — across your entire user base, these reclassifications add up quickly. S/4HANA migration compliance has become a major focus as SAP's 2027 end-of-support deadline for the older ECC system approaches. Companies running both systems in parallel during migration face the risk of double-counting licenses, and SAP's licensing metrics change between ECC and S/4HANA — meaning what was compliant under the old system may not be under the new one. HANA memory consumption rounds out the list. As data volumes grow, SAP checks whether your actual database memory usage exceeds what you've licensed. Why This Matters Now The 2027 ECC end-of-support deadline is accelerating everything. Every company still running the older SAP system faces a decision — migrate to S/4HANA, move to SAP's cloud offering, or find an alternative. SAP's audit activity tends to intensify during these transition windows, because customers facing a deadline are far more likely to settle compliance disputes quickly in exchange for favorable migration terms. In short, the audit isn't just about compliance. It's a strategically timed part of SAP's commercial playbook. How Tactical Law Can Help Navigating an SAP audit requires a clear understanding of your contractual rights, your actual usage patterns, and SAP's negotiating tactics. 
Many organizations go into these conversations underinformed and come out having agreed to terms they didn't need to accept. Tactical Law works with companies to evaluate their licensing exposure, prepare for audit engagements, and negotiate from a position of knowledge rather than surprise. Whether you're facing an active audit, planning an S/4HANA migration, or simply want to understand where you stand, we can help you see the full picture before SAP defines it for you. Have questions about your SAP licensing situation? Contact us to start a conversation.

By Pam Fulmer

If your business financed an Oracle NetSuite ERP implementation through Oracle Credit Corporation or Oracle America, Inc. and received a collection demand from Banc of America Leasing & Capital, LLC or Bank of America N.A., or another bank, you may have been told that you must keep making payments even if the software was never delivered, never worked, or was sold to you through misrepresentation. There are ways to attack the clause under California law, but Oracle and its assignees have developed a clever scheme that shifts risk to the Oracle customer and gives Oracle leverage in settlement discussions.

When a NetSuite implementation fails — and industry litigation makes clear that this seems to happen with some frequency — Oracle customers quickly discover an uncomfortable reality. The company that sold them the software and promised a successful implementation has already sold off the right to collect their payments. Oracle Credit Corporation (OCC), Oracle's captive financing subsidiary, or Oracle America, Inc. itself (collectively “Oracle”), assigned the payment stream to a third-party bank almost immediately after the contract was signed. That bank, often Banc of America Leasing & Capital, LLC (“BALC”) or Bank of America N.A.
(“BANA”) or a Wells Fargo entity, now shows up demanding full payment and citing a clause in the financing agreement that says, in effect, you agreed to pay the Assignee no matter what. At last count since 2020, BALC had filed over 70 collections lawsuits in San Mateo Superior Court in California alone seeking to enforce these assignments against Oracle customers. This clause — sometimes called a "hell or high water" provision or a "waiver of defenses" clause — is a deliberate piece of transaction engineering. Although we do not have the actual agreement between Oracle and the Bank of America entities (yet), it appears from public filings that Oracle monetizes the payment stream almost on day one, mitigating its own financial exposure for failed implementations and leaving customers with an ongoing obligation to a bank that claims it bears no responsibility for Oracle's performance. The practical effect of this arrangement is to exert enormous pressure on the Oracle customer—it finds itself fighting a battle on the one hand to get Oracle to right the project and deliver the promised solution, and on the other it faces a possible collections action and a hit to its credit. Third party banks pressing for payment give Oracle leverage in settlement discussions with its customer. This creates cash flow pressure and a tactical advantage for Oracle. The clause shifts risk and inconvenience to the customer but doesn't eliminate their legal rights against Oracle — it just makes exercising those rights more expensive and burdensome. The question California courts must answer is whether that arrangement is actually enforceable. Legal arguments exist that it may not be. What the Clause Actually Says We are able to ascertain the language of the typical OCC Payment Plan Agreement from public court filings. Here is a screenshot of the actual clause, which was a part of an exhibit to a Complaint brought by BALC against an Oracle customer. 
BALC's litigation position rests entirely on that clause. Its argument is that the customer contractually waived every defense it could ever raise against Oracle — fraud, breach of contract, failure to deliver — and that BALC, as assignee, is entitled to enforce that waiver. In legal terms, BALC is claiming the functional equivalent of "holder in due course" status: the right to collect a payment obligation free from any defense related to the underlying transaction. And indeed that is the argument that some of these Oracle assignees have raised in litigation against Oracle customers. Although the Oracle customer can still assert defenses in litigation against Oracle, the clause shifts the burden to the customer. It makes it risky for the customer to stop paying when Oracle fails to perform and thereby puts Oracle in the driver’s seat. However, BALC’s argument may fail under California law for at least five independent reasons.

Why the Clause May Not Hold Up

The statute that could save BALC expressly requires good faith and lack of notice — conditions BALC cannot meet. California Commercial Code Section 9403 governs exactly this situation: waiver-of-defense clauses in assigned financing agreements. It makes such clauses enforceable by an assignee, but only if that assignee took the assignment for value, in good faith, and without notice of the defense being waived. This is not a loophole — it is the core of the statute. BALC has filed over 60 collection actions against Oracle customers arising from Oracle/OCC assignments in San Mateo County Superior Court alone. Multiple court cases, legal industry publications, and news coverage appear to document Oracle's pattern of overselling NetSuite's capabilities and failing to deliver working implementations. By no later than 2021, any institutional lender systematically acquiring OCC assignments had access to — and reason to know of — that pattern.
That is because when the banks try to collect the customers explain that Oracle failed to deliver a working system, and the customers tell that directly to BALC or BANA when they try to enforce the assignment. The response—too bad. Pay anyway or face a contract where payments have been accelerated and a collections action. Under these circumstances where the banks are aware of a multitude of implementation failures with multiple Oracle clients claiming fraud, it makes any argument that these banks were innocent strangers to the transaction seem implausible. The statute that would make the clause work against customers may expressly deny the banks the benefit of it. California Civil Code Section 1668 voids any clause that purports to exempt a party from its own fraud. This statute is unambiguous: contracts that have the object, directly or indirectly, of exempting anyone from responsibility for their own fraud are against the policy of California law and are void. If Oracle's sales representatives misrepresented NetSuite's capabilities as multiple Plaintiffs in lawsuits against Oracle contend, then a clause in a subsidiary's financing agreement that requires the customer to keep paying regardless of that fraud is precisely what Section 1668 prohibits. OCC is either a subsidiary or affiliate of Oracle. BALC is OCC's assignee. Neither can stand at a greater legal distance from Oracle's fraud than Oracle itself. The clause was procured through the same fraud it purports to waive. Even setting aside public policy, a contractual waiver signed under the influence of fraudulent misrepresentation is itself voidable. No rational businessperson agrees, in the abstract, to pay in full for software that is never delivered. Court cases allege that customers signed these agreements because Oracle's representatives told them the implementation would succeed, that the SuiteSuccess methodology was proven, and that their industry's needs would be met out of the box. 
Oracle customers have alleged that those representations were false. If the entire contract — including the embedded waiver clause — was induced by that fraud, California law allows customers to rescind it on that basis. The clause is unconscionable. California Civil Code Section 1670.5 allows courts to refuse to enforce a contract clause that was unconscionable at the time it was made. Arguments can be made that the "hell or high water" clause satisfies both requirements. Procedurally, it appears in a pre-printed, non-negotiable financing form presented to a small or mid-sized business by one of the world's largest software companies at the tail end of a long DocuSign — there is no meaningful opportunity to negotiate. Substantively, a clause requiring unconditional payment even in the face of fraud, total non-performance, and a completely non-functional ERP system is so one-sided that it eliminates the most basic protection a contracting party has: the right to withhold payment when the other party doesn't perform. California's Supreme Court has held that the more substantively oppressive a clause, the less procedural unconscionability is needed to strike it down. This clause is arguably about as substantively oppressive as commercial contract terms get. Enforcing the clause would constitute unjust enrichment. California does not permit a party to be enriched at the expense of another under circumstances where it would be unjust to retain the benefit. Allowing BALC to collect the full contract price for software that was never implemented — while the customer simultaneously had to find and pay for an alternative ERP system — would give Oracle and BALC the economic benefit of a transaction whose only consideration was never delivered. That is textbook unjust enrichment, and California law provides equitable remedies for it. 
The Broader Picture

These five arguments are not alternative theories of the same claim — they are independent, stacking grounds for relief, each sufficient on its own. Together, they reflect a California legal framework that has never been designed to let one contracting party use a subsidiary and an affiliated bank to insulate itself from the financial consequences of its own fraud and breach. The "hell or high water" clause is not meaningless in every context. If Oracle delivered a working implementation and the customer simply regretted the purchase, the clause would likely hold. But in the case of systematic misrepresentation, total implementation failure, and an assignee that knew exactly what it was collecting on, California law provides customers with a robust set of defenses — statutory, contractual, and equitable — to attack the provision. Businesses receiving collection demands from Banc of America Leasing & Capital or Bank of America, N.A., arising from Oracle NetSuite financing agreements should not assume that the presence of this clause in their contract means they have no options. The law in California is more protective than Oracle and BALC's litigation posture suggests. Tactical Law advises companies in disputes with Oracle assignees over failed Oracle ERP contracts.

By Pam Fulmer
Your company receives a letter from Oracle’s License Management Services. It is politely worded but unmistakably serious. Oracle is exercising its contractual audit rights and would like your organization to cooperate in a review of your software deployments. For many companies, the instinct at this moment is to cooperate fully, correct any genuine issues, and resolve the matter quickly. That instinct, while understandable, is exactly what Oracle is counting on. What follows the audit letter is not a neutral compliance review. It is the opening move in a carefully engineered revenue strategy that Oracle’s own employees have described in federal court filings as “Audit, Bargain, Close” — or ABC. Understanding how this strategy works, what rights you actually have, and how experienced legal counsel can level the playing field is the difference between a six-figure settlement on your terms and an eight-figure capitulation on Oracle’s. The “Audit, Bargain, Close” Strategy: What We Know from Court Records The term “Audit, Bargain, Close” did not originate with Oracle’s critics. It originated inside Oracle itself. In a class action securities lawsuit against Oracle, a consolidated complaint alleged, based on statements from nine former Oracle employees identified with specificity, that Oracle systematically used coercive audit practices to manufacture cloud subscription revenue. “The sales team would identify large clients they thought they could get more money out of and threaten them with audits… frequently, neither sales nor LMS had real evidence that customers targeted for audits were noncompliant, but the mere threat of an audit would put customers under so much pressure that they had no choice but to agree to Oracle’s demands.” — Former Oracle Employee, Federal Court Filing This is not a fringe allegation. 
The complaint describes in granular detail a system in which Oracle’s License Management Services (LMS), also known as Global License Advisory Services (GLAS) — the internal audit arm — and Oracle’s sales division operated in close coordination, with sales identifying audit targets and, in some cases, drafting the threatening audit letters that LMS then sent to customers. A federal court allowed the case to proceed on a narrow securities fraud theory, finding the allegations legally sufficient to state a plausible claim. The three phases of the strategy, along with what your company should do, break down as follows:

AUDIT
What Oracle does: Sales/LMS identify target accounts — often with no real evidence of non-compliance. Soft audit inquiry or formal LMS letter sent.
What your company should do: Do not respond informally. Retain legal counsel immediately. Channel all communications through a single designated contact.

BARGAIN
What Oracle does: Oracle presents inflated "shock number" compliance gap, then offers a "discount" if you purchase cloud subscriptions or a ULA.
What your company should do: Challenge the methodology. Independently verify all findings. Do not accept Oracle's numbers without scrutiny — they are frequently overstated.

CLOSE
What Oracle does: Oracle leverages quarter-end deadlines and fear of copyright litigation to pressure a fast settlement on its terms.
What your company should do: Understand Oracle's fiscal calendar. Deadlines are artificial. A settlement built around your legal position is far stronger than one built around Oracle's timeline.

The result: customers who should never have faced a compliance bill pay millions. And Oracle books it as cloud revenue growth.

Five Oracle Audit Tactics Your Legal Team Needs to Know

1. The “Soft Audit” Disguised as a Friendly Review

Not all Oracle audit pressure arrives with a formal LMS letter. Oracle also deploys what the industry calls “soft audits” — informal outreach from Oracle sales representatives framed as a complimentary license review, a compliance health check, or even an account management call.
This is what is going on when you get a call from Oracle about your Java SE deployments. In practice, an informal review carries no contractual audit protections for the customer. There are no defined timelines, no scope limitations, and no formal dispute rights. Customers who participate under the impression that they have “nothing to hide” frequently discover that Oracle’s sales team has collected enough data to generate a large compliance claim — and a cloud subscription proposal to resolve it. Legal note: You are not obligated to cooperate with an informal Oracle review. Only a formal audit notice from Oracle’s LMS or legal counsel invokes your contractual audit obligations. Treat any Oracle compliance outreach as potentially adversarial until you have reviewed your contract and consulted counsel. 2. The “Shock Number”: How Oracle Builds Its Opening Position When Oracle’s LMS presents audit findings, the initial compliance gap figure is almost always dramatically overstated. This is not an accident. Oracle’s auditors appear to be incentivized to identify maximum potential exposure, and they routinely rely on non-contractual policies — particularly the Oracle Partitioning Policy governing VMware virtualization — as if those policies were binding contractual terms. The Oracle Partitioning Policy states that Oracle software running in a VMware environment must be licensed for every physical processor core in the entire cluster, not just the hosts where Oracle is actually deployed. This policy is not part of Oracle’s standard Master License Agreement. It is a unilaterally published document that explicitly states it “may not be incorporated into any contract” and is subject to change without notice. Yet Oracle’s auditors apply it as if customers agreed to it. The practical effect: a company running Oracle database on three hosts in a forty-host VMware cluster may receive an audit claim demanding licenses for all forty hosts. 
The shock number exists to make the eventual settlement — which might only cover the three actual hosts — feel like a victory for the customer, even if the customer overpays relative to its genuine contractual obligations. Legal note: Oracle’s non-contractual policies cannot expand your license obligations beyond what your actual signed agreements require. A detailed legal analysis of your specific Oracle contracts is essential before responding to any audit findings. 3. Java SE: The New Enforcement Frontier Oracle’s Java enforcement activity represents one of the most significant changes in the enterprise software audit landscape since 2023. Following Oracle’s shift to a per-employee Java SE subscription model, Oracle launched an aggressive global campaign to identify organizations using Oracle’s Java Development Kit without the required commercial subscription. Oracle tracks Java downloads by matching IP addresses to organizations. Companies are being contacted for Java compliance regardless of whether they have any other Oracle products. Gartner has projected that by 2026, at least one in five organizations using Java will face an Oracle audit. Oracle has been targeting companies with as few as fifty employees purely over Java usage, and the pricing model — applied per employee across the entire organization regardless of actual Java use — can produce cost increases exceeding 800 percent compared to prior licensing structures. Java audits follow the same ABC pattern. The soft audit begins with an inquiry from Oracle’s Java sales team, often referencing Oracle’s download records as evidence of non-compliance. Or the Oracle team says that they are there to help you ensure that your data is secure. Organizations that respond without counsel frequently provide far more information than their contracts require, which Oracle then uses to build a large non-compliance claim. 
Legal note: Oracle’s per-employee Java pricing model has been challenged as an overreach relative to actual usage. Companies may have grounds to contest both the scope of Oracle’s audit claims and the retroactive fee demands that frequently accompany them.

4. The Quarter-End Close Pressure

Oracle’s fiscal year ends on May 31. Its quarterly deadlines follow this calendar (August 31, November 30, and then February 28). Oracle’s audit and sales teams know this calendar intimately, and they use it deliberately. As Oracle approaches a quarter-end, the pressure on audit targets intensifies. Proposals that were presented as final become “special offers” with deadline language. Sales teams become more accessible. Discounts appear. The implicit message is that the deal available today will not be available next week. These deadlines are artificial. Oracle’s contractual audit rights do not expire at quarter-end. The “deal” usually does not evaporate but comes back the next quarter and is often better. What Oracle is doing is leveraging its own internal sales cycle against you — creating urgency that has no legal foundation but enormous psychological effect on companies that are not prepared for it.

Legal note: Any settlement offer involving Oracle cloud subscriptions, Unlimited License Agreements, or license true-ups should be reviewed carefully by experienced licensing counsel before signature. Settlements signed under artificial deadline pressure often contain terms that create new and expensive obligations for years afterward.

5. Default-Enabled Features: The Trap Oracle Installs for You

Court filings in Oracle-related litigation include an allegation that Oracle configured its on-premises software products to automatically install additional options and management packs in an enabled state, without informing customers that these features were active or that using them required additional licenses.
Once a customer was found “using” these features — even unknowingly — Oracle’s LMS had a basis for a compliance claim. This pattern is most prevalent with Oracle Database Enterprise Edition, which ships with a wide range of options — Partitioning, Advanced Security, Diagnostics Pack, Tuning Pack, and others — that require separate licenses. Database administrators frequently enable features or run queries that inadvertently activate options. Oracle’s LMS audit scripts are designed to identify these activations, which Oracle treats as evidence of unlicensed use regardless of whether the customer had any knowledge or intent. Legal note: Unintentional feature activation is a common and frequently challenged basis for Oracle audit claims. The fact that a feature was activated does not necessarily mean a license was required or that the customer is liable for retroactive fees. These findings are defensible with the right technical and legal analysis. Oracle Is Not Alone: Quest Software and the Growing Audit Threat Oracle is the most prominent practitioner of aggressive software audit tactics, but it is not the only one. Quest Software — which makes widely-used database tools including Toad, Spotlight, and a range of products that manage Oracle and SQL Server environments — has adopted audit strategies that closely mirror Oracle’s playbook. Quest’s audit activity frequently targets organizations that use Quest tools in virtualized environments or across shared infrastructure, asserting broad license obligations based on deployment configurations that customers did not understand to trigger additional license requirements. Quest, like Oracle, tends to present inflated initial findings and then offer to resolve the matter through subscription upgrades or expanded license purchases. What Oracle Doesn’t Want You to Know: Your Contractual Rights Oracle’s audit process is designed to feel inevitable and one-sided. It is neither. 
Your Oracle Master Agreement contains specific provisions that define and limit Oracle’s audit rights, and those provisions exist to protect you. Key rights that companies frequently overlook include:
One of the most important things you can do in an Oracle audit is to understand what you agreed to — not what Oracle says you agreed to. Those are frequently very different things. What to Do Before Oracle Comes Knocking: A Practical Framework Before the Audit Letter: Proactive Steps
When the Letter Arrives: Immediate Response
During Negotiations: Protecting Your Position
The Bottom Line: Knowledge Is the Most Powerful Audit Defense

Oracle’s “Audit, Bargain, Close” strategy works because most organizations are unprepared for it. They do not know what their contracts say. They do not understand that Oracle’s non-contractual policies are not legally binding. They do not realize that the shock number is designed to be challenged. They respond to artificial urgency with real concessions. The companies that fare best in Oracle audits — and in the audits conducted by Quest, IBM, Microsoft, and other aggressive publishers — share a common characteristic: they treat the audit as a legal matter from the first contact, not from the moment they have already provided the publisher with everything it needs to build its case.

Our firm has represented companies across a wide range of industries in Oracle and other audit defense, Oracle and NetSuite ERP litigation, and disputes with other enterprise software publishers. We understand these audit playbooks in depth — including the contractual arguments that work, the technical defenses that matter, and the negotiating strategies that achieve real outcomes. If your organization has received an Oracle audit letter or an informal inquiry about Java — or if you want to understand your exposure before one arrives — we invite you to contact us for a confidential consultation.
By Tactical Law Attorneys and From Time to Time Their Guests