How to Use This Assessment

This tool is structured around the 20 risk vectors Redress Compliance reviews in every Oracle engagement involving a SaaS or ISV organisation. SaaS providers carry a distinct set of Oracle licensing risks that differ fundamentally from traditional on-premise enterprise customers — particularly around hosting rights, multi-tenancy, employee-based Java subscriptions, and cloud infrastructure licensing. Each item includes an expert note drawn from the Canadian SaaS engagement and comparable assessments across the technology sector.

Work through each item methodically. Any point where your answer is "unsure" or "no" represents a live financial or compliance exposure. For this engagement, the $3M recovery came from four primary areas: incorrect PAH hosting rights classification ($1.2M), Oracle Java SE Universal Subscription over-scoping ($800K), inadvertent database option and pack activation ($600K), and Oracle support cost reduction through back-to-base and product rationalisation ($400K).

"Oracle's licensing model was not designed with SaaS delivery in mind. The result is a series of embedded risks that most SaaS providers don't discover until Oracle's audit team does — at which point the leverage is entirely on Oracle's side."
— Fredrik Filipsson, Redress Compliance

Section 1: Hosting Rights & PAH Licensing

Oracle's standard Full Use (FUL) licences do not permit the licensee to use Oracle technology to deliver services to third-party customers. SaaS providers using Oracle Database, WebLogic, or other Oracle technology stacks as the backbone of their hosted product need either a Proprietary Application Hosting (PAH) agreement or an Application Service Provider (ASP) arrangement — both of which are commercially distinct from Full Use. Getting this wrong is the single most common Oracle licensing failure in the SaaS sector.

01 PAH Licence Coverage — Does Your Contract Permit Third-Party Hosting? HIGH RISK

Review your Oracle licence agreements for the specific rights granted under each product. A standard Full Use Oracle Database licence does not permit you to use that database to serve end customers — even indirectly. If your SaaS product stores, processes, or retrieves customer data through Oracle software, you require either a PAH agreement (for proprietary applications), an ASP supplement, or Named User Plus licences covering every individual end-user of your service. Verify that the scope of your PAH agreement (if you have one) matches your actual deployment topology exactly: which products, which versions, which hosting environments.

Expert Note: In the Canadian SaaS engagement, the company had Full Use Oracle Database licences that had been inherited through an acquisition. These licences pre-dated the company's pivot to a hosted SaaS model. No PAH agreement was in place. Oracle's position, had they audited, would have been that every customer tenant accessing data through the Oracle DB was an unlicensed user — creating a potential NUP exposure running to eight figures. Redress Compliance resolved this by negotiating a retrospective PAH agreement with a favourable royalty structure, reducing annual Oracle spend by $1.2M compared to Oracle's initial commercial proposal.

02 PAH Agreement Scope — Product List & Version Alignment HIGH RISK

If a PAH agreement is in place, verify that every Oracle product your SaaS platform uses is explicitly listed in that agreement. Oracle does not apply PAH rights by default to all products in your estate — each product must be negotiated and listed individually. Common gaps include Oracle WebLogic Server, Oracle APEX, Oracle REST Data Services, Oracle GoldenGate, and any Oracle product introduced after the original PAH agreement was signed. Version coverage also requires scrutiny: some PAH agreements are version-locked and do not extend to major release upgrades.

Expert Note: PAH agreements are rarely updated to reflect technology stack changes. SaaS providers add Oracle products to their stack over time — sometimes through acquisitions, sometimes through engineering decisions — without triggering a formal contract review. In the Canadian engagement, the company had introduced Oracle REST Data Services and Oracle APEX into their platform two product cycles prior, neither of which was covered under their existing PAH arrangement.

03 End-Customer NUP Calculation — If No PAH Is In Place HIGH RISK

If you are operating without a PAH agreement and believe you are covered by Named User Plus licences, verify that your NUP count covers every individual who can access Oracle software through your SaaS platform — including every end-customer user, every administrator, and any employee of your customers who interacts with Oracle-powered functionality. Oracle's NUP metric requires a minimum of 25 per processor licence, and the total must cover all named users including external users with access rights. For a SaaS provider with thousands of customer users, NUP licensing is almost always commercially unviable relative to a properly negotiated PAH arrangement.

Expert Note: Oracle's audit methodology for SaaS providers typically starts with a question about customer user counts — because Oracle knows that most SaaS companies have not thought through the NUP implications of hosting on Full Use licences. If you cannot immediately produce a PAH agreement that covers your platform, the audit is already going in Oracle's favour.

04 Multi-Tenant Architecture — Pluggable Database Licensing MEDIUM RISK

If your SaaS platform uses Oracle Database's multi-tenant architecture (Container Database with Pluggable Databases), verify your Oracle Multitenant licence entitlement. Oracle Database 21c and later require a paid Multitenant licence for any Container Database hosting four or more Pluggable Databases — the previous two-PDB allowance under Standard Edition has been removed. A SaaS provider with one PDB per customer tenant can hit this threshold quickly. Count your current PDB totals across all CDBs and map them to your licences.

Expert Note: The Multitenant licence change caught many SaaS providers off-guard in 2022–2023 because the old two-PDB rule was embedded in engineering assumptions made years earlier. Providers who built their multi-tenant isolation architecture on the assumption that CDB/PDB was a free feature found themselves in an unlicensed state simply by adding customers.

Section 2: Java SE — The SaaS Cost Multiplier

Oracle's January 2023 shift to an employee-based Java SE Universal Subscription model is uniquely punishing for SaaS providers. Under the new model, the subscription cost is calculated on the total number of employees in the organisation — not on the number of Java installations or users. For a SaaS company with a large customer-facing workforce and substantial use of open-source JDK alternatives, this model creates a structural mismatch between actual Java use and Oracle's billing basis.

05 Oracle JDK vs OpenJDK — Full Discovery of All Environments HIGH RISK

Conduct a complete inventory of all Java runtime environments across your production, staging, development, build, and CI/CD pipeline environments. Identify which deployments use Oracle-branded JDK (versions receiving Oracle security patches post-September 2024 require a paid subscription) versus which use freely available OpenJDK distributions — Adoptium Eclipse Temurin, Amazon Corretto, Microsoft Build of OpenJDK, or Azul Zulu. Any Oracle JDK instance in any environment creates a subscription obligation that Oracle calculates against your total employee headcount, regardless of how many employees actually use Java.

Expert Note: In the Canadian SaaS engagement, Oracle JDK had been inadvertently pulled into nine containerised microservices via a base image that a developer had selected three years earlier. None of the product or engineering leadership were aware the company had any Oracle JDK dependency. Those nine containers created a Universal Subscription obligation for the entire 620-person company at approximately $12 per employee per month — roughly $89K per year for a dependency nobody knew existed. OpenJDK migration took four weeks and eliminated the obligation entirely.

06 Java SE Subscription Pricing — Employee Count vs Actual Footprint HIGH RISK

If you have a legitimate Oracle Java SE Universal Subscription in place, validate that Oracle's invoiced employee count matches your actual headcount precisely. Oracle's employee definition includes all permanent employees, fixed-term contractors, and any third-party staff with access to Oracle Java. Verify that the tier pricing (rates scale from approximately $15 per employee per month for sub-1,000-employee organisations down to $5.25 for organisations with 40,000+ employees) matches your current bracket. Review your contract for the "employee" definition against your HR data.

Expert Note: Oracle's employee count tends to be calculated at the highest point of the subscription year, not at an average — meaning that short-term project hiring or seasonal staffing surges can inflate the subscription cost for the full following year. SaaS companies that grew rapidly through Series B or Series C rounds frequently find their Oracle Java subscription billing has not been renegotiated to reflect the new employee tiers.

07 Java in Docker & Kubernetes — Container Registry Audit MEDIUM RISK

Scan your container registry — Docker Hub private repositories, AWS ECR, Azure Container Registry, Google Artifact Registry — for base images that embed Oracle JDK. The most common sources are older openjdk images that were actually Oracle-branded before the OpenJDK project rebranding, and any image derived from Oracle's official Docker images. Run a recursive scan of all Dockerfiles and base image references in your CI/CD pipelines. A single Oracle JDK image in any pipeline stage counts as Oracle JDK usage under Oracle's current audit methodology.

Expert Note: The openjdk:8, openjdk:11, and openjdk:17 Docker Hub images were historically Oracle JDK-based and are still common in SaaS engineering stacks where they were pulled years ago and never updated. Oracle's LMS team is increasingly aware of container-based Java usage and includes container registry review as part of standard audit scoping. Migration to Adoptium or Corretto base images is both technically straightforward and commercially essential.
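
One way to run the recursive Dockerfile scan described in item 07, as an added example that is not code from this page or from Redress Compliance. It resolves build ARG defaults and skips multi-stage aliases before flagging the base images the page names for review; the Oracle registry and namespace prefixes, the major-version tag matching (which also catches variants such as 8-jdk-alpine), and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Watchlist from item 07 and its Expert Note: openjdk:8 / :11 / :17 and
# Oracle-published images. The Oracle prefixes are assumptions; adjust them.
OPENJDK_MAJORS = {"8", "11", "17"}
ORACLE_PREFIXES = ("container-registry.oracle.com/", "oracle/")

ARG_RE = re.compile(r"^\s*ARG\s+(\w+)(?:=(\S+))?", re.I)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
VAR_RE = re.compile(r"\$\{(\w+)(?::-([^}]*))?\}|\$(\w+)")


def base_images(text):
    """List the external base images of one Dockerfile, ARG defaults resolved."""
    args, stages, images, seen_from = {}, set(), [], False
    for line in text.splitlines():
        arg, frm = ARG_RE.match(line), FROM_RE.match(line)
        if arg and not seen_from:  # only ARGs before the first FROM reach FROM lines
            args[arg.group(1)] = (arg.group(2) or "").strip("\"'")
        elif frm:
            seen_from = True
            image = VAR_RE.sub(
                lambda m: args.get(m.group(1) or m.group(3)) or m.group(2) or m.group(0),
                frm.group(1))
            # "FROM build" that names an earlier stage is not an external image.
            if image.lower() not in stages and image.lower() != "scratch":
                images.append(image)
            if frm.group(2):
                stages.add(frm.group(2).lower())
    return images


def classify(image):
    """Return why an image reference needs licence review, or None."""
    ref = image.lower()
    if "$" in ref:
        return "unresolved build ARG, check the value CI passes"
    if ref.startswith("docker.io/"):
        ref = ref[len("docker.io/"):]
    if ref.startswith(ORACLE_PREFIXES):
        return "Oracle-published image"
    # Split the tag off the last path component so registry ports are ignored.
    repo, _, tag = ref.split("@", 1)[0].rsplit("/", 1)[-1].partition(":")
    major = re.match(r"\d+", tag)
    if repo == "openjdk" and major and major.group(0) in OPENJDK_MAJORS:
        return "openjdk tag named on the page"
    return None


def scan_tree(root):
    """Walk root and return (relative path, image, reason) for flagged images."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and re.search("dockerfile", path.name, re.I):
            for image in base_images(path.read_text(errors="replace")):
                reason = classify(image)
                if reason:
                    findings.append((path.relative_to(root).as_posix(), image, reason))
    return findings


# Constructed sample repository, not taken from any real estate.
SAMPLE_TREE = {
    "services/billing/Dockerfile": "ARG JDK_IMAGE=openjdk:8-jdk-alpine\n"
        "FROM ${JDK_IMAGE} AS build\nFROM build AS test\n"
        "FROM eclipse-temurin:17-jre\nCOPY --from=build /app.jar /app.jar\n",
    "services/api/Dockerfile": "ARG BASE\nFROM ${BASE}\n",
    "services/web/Dockerfile": "FROM amazoncorretto:17\n",
    "ci/Dockerfile.runner":
        "FROM --platform=linux/amd64 container-registry.oracle.com/java/jdk:17\n",
}


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="  |  ")
```

A Dockerfile whose base image is supplied only at build time is reported as unresolved rather than passed, because the value CI injects is exactly where an unnoticed base image can hide.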

08 OpenJDK Migration Readiness — Application Compatibility LOW RISK

Assess migration readiness for any Oracle JDK deployments identified. For standard applications using Java SE APIs, migration to a supported OpenJDK distribution is typically a drop-in replacement. Higher-risk migration scenarios involve applications bundled with Oracle Fusion Middleware (which requires Oracle JDK under Oracle support terms), applications using Oracle-specific JVM flags or garbage collection settings, and applications integrating with Oracle Forms or Oracle Reports. Create a migration priority list based on complexity and annual subscription cost contribution.

Expert Note: In the Canadian SaaS engagement, all nine Oracle JDK container dependencies were standalone microservices with no Oracle Fusion Middleware dependency. Migration to Adoptium Temurin was completed in a single sprint with no application failures. The common objection — "we can't be sure OpenJDK is enterprise-grade" — is no longer credible: Adoptium, Amazon Corretto, and Microsoft's OpenJDK build all carry enterprise support SLAs and are deployed by the world's largest technology organisations.

Section 3: Database Licensing in the SaaS Stack

Oracle Database Enterprise Edition licensing carries significant risk in SaaS environments because the product is powerful enough that developers and DBAs frequently enable features — deliberately or accidentally — that trigger additional licence requirements. In a SaaS context, where the database runs continuously and serves multiple customer tenants, even a single unlicensed feature activation can cascade into a seven-figure audit finding.

09 Database Options & Packs — Feature Usage Statistics Audit HIGH RISK

Run Oracle's DBA_FEATURE_USAGE_STATISTICS script across every Oracle Database instance in your estate — production, staging, and development. Any feature with CURRENTLY_USED = TRUE or DETECTED_USAGES > 0 and a LAST_USAGE_DATE within the audit lookback period requires a licence entitlement. The highest-risk features in SaaS environments include Diagnostic Pack (required to use AWR, ADDM, and Enterprise Manager Performance screens), Tuning Pack (SQL Tuning Advisor, Automatic SQL Tuning), Advanced Compression, Oracle Partitioning, and Advanced Analytics.

Expert Note: In the Canadian engagement, DBAs had been routinely using Oracle Enterprise Manager's Performance Hub screens for performance diagnostics across three production database instances. Performance Hub requires the Diagnostic Pack licence. Neither the engineering leadership nor the procurement team knew the Diagnostic Pack was a separately licensed option — it appears as a standard tab in the Enterprise Manager interface. This single finding accounted for $600K of the engagement's Oracle spend reduction, through a combination of licence release and support cost removal.

10 Development & Test Environment Licensing MEDIUM RISK

Oracle's Technology Network (OTN) developer licence permits single-user, non-production use of Oracle Database only. Any shared development, integration, or staging environment running Oracle Database — even if accessible only by internal engineers — requires full licences. Multi-developer CI/CD environments, shared QA databases, and pre-production staging clusters used for performance testing all fall outside the OTN licence scope. Verify that every non-production Oracle Database instance is either covered by paid licences or properly restricted to single-developer OTN use.

Expert Note: SaaS companies at the Series A to Series C stage frequently have informal development environments that grew organically from a single developer's OTN-licensed instance into a multi-developer shared environment. The licensing status was never reviewed as the team grew. By the time of the Canadian engagement, the company had 14 engineers sharing access to two Oracle Database development instances — none of which were covered by licences. This was remediated through infrastructure restructuring that isolated individual developer environments until OpenJDK migration removed the Oracle Database dependency from non-production entirely.

11 Processor Licence Count — Core Factor Verification MEDIUM RISK

Verify that your Oracle Database processor licence count matches your current deployed hardware precisely. Calculate: total physical cores per server, multiplied by the applicable core factor from Oracle's Processor Core Factor Table (typically 0.5 for Intel Xeon and AMD EPYC, 1.0 for IBM POWER), rounded up per server. Compare this to your current licence entitlement count. If you have run any hardware refreshes, added hosts, or migrated to new instances without a formal licence review, assume there is a discrepancy until verified.

Expert Note: Cloud migration often introduces processor count discrepancies. When a SaaS company migrates from on-premise to a cloud provider and uses BYOL, the vCPU-to-processor licence ratio changes depending on the cloud platform: AWS and Azure require two vCPUs per processor licence, while OCI requires only one OCPU per processor licence. Companies that move without recalculating frequently find they are either under-licensed on AWS/Azure or have surplus licences that could have been terminated to reduce support costs.

12 Oracle WebLogic — Dev and CI/CD Pipeline Exposure MEDIUM RISK

If your SaaS platform uses Oracle WebLogic Server as an application container, audit all instances across every environment. WebLogic licensing in SaaS contexts creates compound risk: the server itself requires licences, deployment within CI/CD pipelines counts as production use if the pipeline deploys to production environments, and WebLogic Standard Edition does not include many features (clustering, JMS persistence, JDBC connection pooling) that are commonly assumed to be included. Verify whether your stack could migrate to Payara, WildFly, or another Jakarta EE-compatible container.

Expert Note: WebLogic frequently appears in SaaS stacks acquired through product acquisitions — specifically in legacy Java EE components that were never modernised. The Canadian SaaS provider had one module built on WebLogic Standard Edition that was being used in ways that required WebLogic Enterprise Edition features. This had been the case since the module was acquired two years prior. The remediation was to migrate to Payara Server, which eliminated a $180K annual WebLogic support cost.

Section 4: Cloud Infrastructure & BYOL

Cloud infrastructure has introduced a new layer of Oracle licensing complexity for SaaS providers. Oracle's Authorised Cloud Environment (ACE) policy defines how on-premise Oracle licences can be used in AWS, Azure, GCP, and OCI — and the rules differ materially between Oracle's own cloud and the hyperscalers. Getting BYOL wrong on cloud infrastructure is one of the fastest ways to create a large, unplanned Oracle liability.

13 BYOL on AWS & Azure — vCPU to Processor Licence Ratio HIGH RISK

On AWS and Azure, Oracle requires two vCPUs per processor licence for most Oracle products (including Database Enterprise Edition and WebLogic). This means an 8-vCPU EC2 or Azure VM instance requires four Oracle processor licences — the same as a physical 8-core server with an Intel Xeon processor factor of 0.5. Many SaaS companies running Oracle workloads on cloud VMs calculate their licence requirement based on physical core logic and end up under-licensed. Review every cloud-hosted Oracle workload against the 2-vCPU-per-processor-licence rule.

Expert Note: The most common BYOL error Redress Compliance encounters is the "core factor on a cloud VM" mistake — applying the 0.5 Intel core factor to cloud vCPUs and arriving at half the required licence count. Oracle is explicit: the core factor table applies to physical processors only. In the cloud, Oracle's authorised cloud environment policy overrides the core factor calculation entirely and uses the 2:1 vCPU rule for AWS and Azure.

14 OCI vs Hyperscaler Licensing Advantage — Strategic Opportunity LOW RISK

If your SaaS platform runs Oracle workloads on AWS or Azure under BYOL, evaluate whether migrating those specific workloads to Oracle Cloud Infrastructure (OCI) would reduce your licence obligation. On OCI, one OCPU equals one Oracle processor licence — versus two vCPUs per licence on AWS and Azure. For a SaaS company running Oracle Database on a 16-vCPU AWS instance (requiring eight processor licences), the equivalent OCI OCPU configuration (eight OCPUs) also requires eight processor licences — the same number, but with OCI's Oracle Support Rewards allowing up to 33% of OCI spend to offset on-premise support fees.

Expert Note: OCI migration is not appropriate for all Oracle workloads, but for SaaS companies that are Oracle-committed and have ongoing Oracle Database dependencies, the OCI 1:1 licensing ratio plus Support Rewards can deliver a meaningful total cost reduction. The Canadian SaaS engagement included a workload migration analysis that identified two Oracle Database instances — accounting for 30% of Oracle support costs — where OCI migration would reduce licence requirements and generate Support Rewards offsetting 25% of annual Oracle spend.

15 Kubernetes & Container Orchestration — Oracle DB in Containers MEDIUM RISK

If Oracle Database is deployed in Docker containers or managed via Kubernetes, verify that your processor licence count covers the underlying node infrastructure, not just the container. Oracle's licence obligation attaches to the host hardware (or the full vCPU count of the cloud node), not to the container's resource limits. A containerised Oracle DB on a 32-vCPU Kubernetes node requires 16 Oracle processor licences (at the 2:1 vCPU ratio on AWS/Azure) — regardless of how many vCPUs the container has been allocated. Kubernetes auto-scaling that moves Oracle containers across nodes can also expand the licensing footprint unexpectedly.

Expert Note: Kubernetes-native Oracle Database deployments (using Oracle DB Operator for Kubernetes) are increasingly common in SaaS environments but the licensing model has not evolved to reflect container semantics. Oracle's published position is that licence obligations attach to the physical or virtual host — which in Kubernetes terms means the worker node, not the pod. Any Kubernetes setup where Oracle DB pods can be scheduled to any node in the cluster creates a cluster-wide licensing obligation across all schedulable nodes.

16 Audit Trigger Events — M&A, Cloud Migration, and Sales Rep Changes HIGH RISK

Oracle initiates the majority of audits following specific trigger events. For SaaS companies, the highest-risk triggers are: fundraising rounds (Oracle monitors public funding announcements and targets recently-funded companies); acquisitions or mergers (Oracle asserts the right to audit the combined entity); cloud migrations (Oracle monitors cloud provider usage data through its authorised cloud environment relationships); and Oracle account team changes (new account executives frequently inherit accounts and initiate audits as a sales development tactic). Assess your current exposure on each of these dimensions.

Expert Note: The Canadian SaaS provider engaged Redress Compliance proactively following a Series C fundraising round of $45M CAD — precisely the trigger profile that tends to attract Oracle audit interest. Rather than waiting for Oracle to reach out, the company ran this assessment and resolved the compliance issues. When Oracle's account team did subsequently request a licence review (which they did, eight months after the funding announcement), the company was in a clean position with a defensible PAH agreement and zero unlicensed features.

Section 5: Agreement Management & Cost Optimisation

The final section addresses the commercial and contractual levers that allow SaaS companies to reduce Oracle spend without compromising their platform capabilities. Many of the cost reduction opportunities available to Oracle customers are never exercised because they require active negotiation or contractual knowledge that Oracle's account team has no incentive to share.

17 Support Cost Reduction — Back to Base & Product Rationalisation MEDIUM RISK

Oracle's annual support cost is calculated as a percentage of the net licence fee (typically 22% per year). Licences that you no longer need — due to product retirements, migrations, or overbuying — continue to accrue support charges unless explicitly terminated. Conduct a product-by-product review of your Oracle support invoice: which licences are still in active use, which have been superseded, and which can be terminated. "Back to base" negotiations, where you reduce your licence count to your actual deployment footprint, can reduce annual support costs by 15 to 40 percent.

Expert Note: Oracle account teams rarely proactively suggest support reductions because a smaller support footprint reduces Oracle's annual contracted revenue. In the Canadian engagement, $400K of the $3M saving came from terminating support on five Oracle Database processor licences for decommissioned servers (which had been replaced by cloud infrastructure) and one WebLogic Standard Edition deployment that was migrated to open source. Oracle initially resisted the termination request, claiming the licences were part of a bundled deal. Redress Compliance successfully demonstrated that no bundle restriction was present in the contract language.

18 Third-Party Maintenance — Oracle Support Alternatives LOW RISK

If your SaaS platform runs Oracle Database or Oracle Fusion Middleware on versions that Oracle has moved to Extended Support or Error Correction Support (effectively paid-extra or frozen patches), evaluate whether third-party maintenance providers — Rimini Street, Spinnaker Support — offer equivalent or superior support at a lower cost. Third-party maintenance typically provides a 50% cost reduction versus Oracle's support fees and includes a broader scope of services including Oracle Database 11g and 12c long beyond Oracle's official end of support. Assess your version roadmap against Oracle's support lifecycle before committing to the next renewal.

Expert Note: Third-party Oracle Database maintenance is viable for SaaS companies that are not actively pursuing Oracle cloud migration and do not need Oracle's newest patch releases. The constraint is that Oracle withholds access to new patches, security updates, and cloud tooling for software on third-party support. For Oracle Database 12c and 19c deployments where the SaaS company has no planned major version upgrade, third-party maintenance is a cost-effective option that can reduce annual Oracle costs by 40 to 50%.

19 SAM Tool Integration — Oracle Licence Position Accuracy MEDIUM RISK

Verify that your Software Asset Management tooling accurately tracks Oracle Database deployments, version numbers, processor counts, feature usage, and Java SE installs. Most SAM tools — including ServiceNow ITAM, Flexera One, Snow Software, and Ivanti — have Oracle connectors that require specific configuration to capture Oracle-specific licence data points: Processor Core Factor table values, Oracle-specific feature usage from DBA_FEATURE_USAGE_STATISTICS, Java SE version identification beyond JDK version strings, and WebLogic domain counts. Unverified Oracle discovery data in your SAM tool is a liability, not a safety net, in an audit.

Expert Note: SAM tools are routinely used by SaaS companies as a first line of defence in Oracle audits — but Oracle's LMS team is experienced at demonstrating gaps in SAM data. In the Canadian engagement, the company's Flexera One configuration had not been updated to scan containerised environments and therefore missed all Oracle JDK instances embedded in Docker images. A clean SAM integration requires Oracle-specific configuration, not just a generic software discovery setup.

20 Exit & Reduction Strategy — Oracle Dependency Roadmap LOW RISK

Develop a formal Oracle dependency roadmap that maps each Oracle product in your SaaS stack to a cost trajectory over three to five years. For each dependency, assess: can this be replaced with PostgreSQL, open-source Java EE, or cloud-native equivalents? What is the migration cost versus the Oracle licence and support cost? What is the audit risk exposure if Oracle initiates a review while this dependency exists? SaaS companies that proactively reduce Oracle dependencies — even partially — gain negotiating leverage at every renewal and significantly reduce their exposure to Oracle's increasingly aggressive audit programme.

Expert Note: The Canadian SaaS provider's post-engagement roadmap targeted Oracle Database elimination from their platform within 24 months, migrating to PostgreSQL on AWS RDS. This decision — driven by the assessment findings — was estimated to reduce Oracle costs by $920K annually once complete. The roadmap was also used as negotiating leverage in the PAH agreement negotiation: Oracle's willingness to accept a favourable royalty structure was partially a response to the company's credible threat to begin a migration programme.

"SaaS companies that run Oracle assessments proactively come out with lower costs, a defensible licence position, and genuine leverage in every subsequent Oracle negotiation. The ones that wait for Oracle to ask are starting from zero."
— Fredrik Filipsson, Redress Compliance