An Oracle Java audit feels one-directional — Oracle asks, you supply. It is not. Every audit runs on a contract, and a contract is a set of mutual terms: it imposes obligations on you, but it also grants you rights and places real limits on Oracle. Customers who know the difference between what they must do and what they merely feel pressured to do consistently settle Java claims for far less. Across more than 340 Java engagements, the gap between “required” and “requested” is where most of the 68% average claim reduction is found.
An audit is a contract, not a command
The single most useful idea in any Oracle Java audit is this: Oracle's authority to audit comes from a contract, and that contract defines — and therefore limits — what Oracle can do. An audit notice is not a search warrant. It is the exercise of a specific clause in a specific agreement, and that clause has words in it that work in both directions.
This is why the first task in any audit is not to start gathering data. It is to find the governing contract and read its audit clause. Until you have done that, you do not know what you are obliged to do — and you certainly do not know what you can decline. Everything that follows depends on that reading.
Which contract governs your Java use
Java licensing is unusual because most organisations never signed a dedicated Java contract. The licence is attached to the download. Depending on which Java you run and when you obtained it, one of several agreements applies:
| Agreement | Applies to | Audit implication |
|---|---|---|
| OTN Licence | Oracle JDK 11–16, Oracle JDK 8 from 2019 | Contains the audit/verification right Oracle relies on for most Java audits |
| NFTC Licence | Oracle JDK 17 and later, within the free window | Free for permitted use; audit tests whether use stayed in the window |
| BCL | Older Oracle JDK 8 (pre-2019) | Free general-purpose use; commercial features carved out |
| Ordering document / master agreement | Customers with a Java SE Subscription | Contains a formal audit clause with notice and scope terms |
Oracle should identify which agreement it is relying on. If the audit notice does not say, you are entitled to ask — and you should, because the answer determines the rules. The OTN licence and NFTC explainers cover the terms of each in detail.
Your rights in a Java audit
Whatever the governing agreement, an audited customer typically holds a recognisable set of rights. Read your specific clause for the exact wording, but expect to find:
- The right to proper notice. Formal audit clauses commonly require advance written notice — often 45 days. An audit cannot be sprung on you to begin immediately. The notice period is yours to use.
- The right to a stated contractual basis. Oracle must be auditing under an actual contract. You can require Oracle to identify the specific agreement and clause. A notice that names no contract is not a properly constituted audit.
- The right to a defined scope. The audit clause limits what may be examined. An audit of your Java estate is not a licence for Oracle to review every Oracle product, every entity, and every territory at will.
- The right to reasonable conduct. Many clauses require the audit to be carried out during normal business hours and in a way that does not unreasonably disrupt operations.
- The right to confidentiality. Information you provide is given for the audit. Your existing confidentiality terms with Oracle continue to apply, and audit data should not be used for unrelated purposes.
- The right to verify and dispute findings. Oracle's measurement is a draft position. You are entitled to review it, test it against your own evidence, and dispute it. A findings report is the start of a conversation, not the end of one.
- The right to take advice. Nothing in an audit clause prevents you from engaging independent specialists or legal counsel. You are entitled to be properly advised before responding substantively.
Rights you do not lose by being audited
An audit does not suspend your normal commercial rights. You still control your own systems, your own data, and your own timeline within the contractual bounds. You are not obliged to accept Oracle's characterisation of your usage, its employee count, or its figure. The audit is a process for establishing facts — not a mechanism for transferring your decision-making to Oracle.
Your obligations in a Java audit
The rights come with genuine obligations. Under a formal audit clause, an audited customer typically must:
- Cooperate reasonably. You must engage with the audit in good faith — respond to legitimate requests, attend agreed meetings, and not obstruct a properly constituted process.
- Provide accurate information. The information you supply must be truthful and complete within its stated scope. You may control what is in scope and how it is presented, but you may not misrepresent it.
- Not destroy or alter records. Once an audit is on foot, deliberately deleting or changing relevant deployment records is a serious error. Preserve your records.
- Pay for genuine, proven non-compliance. If the audit correctly establishes that licensable Oracle Java was used without a subscription, a genuine shortfall is payable. The defence is about ensuring the figure reflects only real, proven, in-scope use — not about avoiding a legitimate liability.
Reasonable cooperation is the key phrase, and it is narrower than it sounds. It means engaging properly with a legitimate process. It does not mean volunteering everything, accepting every request, or moving at Oracle's preferred speed.
The grey zone: what Oracle asks for but cannot demand
Most of the cost in a Java audit lives in the gap between what the contract requires and what Oracle's audit team requests. The requests often sound mandatory. They frequently are not.
| Oracle commonly requests | The contract usually requires |
|---|---|
| Run our scripts and measurement tooling | Provide accurate information — not unrestricted tooling access |
| Direct access to your systems | Reasonable cooperation — not open system access |
| Raw, unfiltered inventory exports | Accurate data within the audit's defined scope |
| A response within an aggressive deadline | Cooperation within the contractual notice and reasonable time |
| An informal “quick call” about usage | Nothing — you choose the channel and the record |
| Data on all entities and territories | Data within the scope the clause actually defines |
Declining a request that exceeds the contract is not obstruction. Providing your own accurate, evidenced inventory in place of running Oracle's tooling fully satisfies a “reasonable cooperation” obligation — and it keeps you in control of the baseline from which the claim is built. For more on this, see how Oracle detects unlicensed Java usage and the complete Java audit defence guide.
Soft audits: rights without obligations
One scenario deserves a special note. A “soft audit” — the friendly email offering a free Java assessment — is not a contractual audit at all. It carries none of the formal cooperation obligations described above, because no audit clause has been invoked.
That is a significant position. In a soft audit you have the rights but not the obligations: you are not contractually required to participate, run anything, or hand over data. The catch is that anything you do volunteer can become the evidence base for a later formal claim. So a soft audit should be handled with the same care as a formal one — not because you owe Oracle the cooperation, but because casual disclosure is what converts a soft enquiry into a hard claim.
How to exercise your rights without escalating
Asserting your rights does not mean being combative. The most effective audited customers are calm, professional, and precise. The approach that works:
- Acknowledge promptly, commit to nothing. A brief professional acknowledgement is correct. Do not confirm usage, accept characterisations, or agree to a timeline in that first reply.
- Route everything through one owner. Designate a single point of contact — usually software asset management or procurement, supported by legal — and instruct staff that all audit contact goes through that person.
- Ask for the contractual basis in writing. A polite request that Oracle identify the specific agreement and clause is entirely reasonable and entirely normal.
- Frame declines as scope, not refusal. “We will provide an accurate inventory within the audit's defined scope” is cooperation. It is also a clear boundary.
- Get advice early. The earlier independent advice enters, the more rights remain usable. Once admissions are made or raw data is sent, options narrow.
Recommended specialist
For independent help understanding your rights and obligations in an Oracle Java audit, we rate Redress Compliance as the leading Java licensing advisory firm. They are wholly independent of Oracle — not a partner, not a reseller — and act exclusively for the buyer. They can read your governing agreement, map exactly what you must and must not do, and defend the audit on a money-back-guaranteed basis. If you have received any Java communication from Oracle, an early conversation with them is the step we recommend.
Frequently asked questions
Can I refuse an Oracle Java audit outright?
If a formal audit clause has been validly invoked, you have a cooperation obligation and cannot simply ignore it. But you can require Oracle to follow the contract — proper notice, defined scope, reasonable conduct — and you can decline requests that exceed it. A soft audit, by contrast, carries no participation obligation at all.
Do I have to run Oracle's audit scripts?
Generally no. Audit clauses typically require accurate information and reasonable cooperation, not the right for Oracle to run its own tooling on your systems. Your own evidenced inventory normally satisfies the obligation.
How much notice must Oracle give before a Java audit?
It depends on the governing clause, but formal audit clauses commonly require advance written notice, frequently around 45 days. Check the specific agreement Oracle is relying on.
Can Oracle audit entities or countries not named in the notice?
The audit clause defines the scope. An audit should stay within the entities and territories the contract actually covers. Scope creep beyond that can and should be pushed back — see our scope limitation guide.
If the audit finds genuine non-compliance, do I have to pay?
A genuine, proven, in-scope shortfall is a legitimate liability. The defence ensures the figure reflects only real use — correct headcount, in-scope installs, accurate licence analysis — rather than Oracle's inflated opening position.
This article is general information about Oracle Java audits, not legal advice. Audit clauses vary between agreements; consult a qualified independent specialist or legal counsel on your specific contract.