
Short answer: the Affero GPL (AGPL) closes the “SaaS loophole” in the GPL. If you use AGPL’d code in a service users reach over a network, you must make the source code available, even though you never “distribute” the software.
You may have heard of this open source license, but if not, here are a few things every SaaS company needs to know about the Affero GPL or AGPL (from the perspective of an open source attorney).
1. If You Use AGPL’d Code in Your SaaS Offering, You Need to Make the Source Code Available.
This license requires that if you provide the AGPL’d code over a network, you must make the source code available. This is unlike the GPL, where if you modify the code but do not provide it externally (that is, do not distribute it) you do not trigger the source code requirement.
2. What Does the GPL Say Again?
It is generally considered that SaaS companies providing their service over the Internet (but not requiring the user to download the code) are not distributing the code. As a result, using GPL’d code in a SaaS offering does not necessarily require disclosure of the source code. This is called the ASP exception.
3. Where Does It Actually Say This in the AGPL?
Section 13 of the AGPL is what closes the SaaS loophole. If you offer AGPL’d software to users interacting with it over a network, you must offer them the source code.
4. Why This Scares Acquirers and Investors.
Here is where it gets real for a software vendor. The first thing a serious acquirer or investor does is run an open source scan of your codebase. If that scan turns up AGPL’d code buried in your service, with no compliance and no license, it can stall a deal or knock down your valuation, because the buyer now inherits a source-disclosure obligation on the very product they are buying. I have seen AGPL findings turn a clean diligence into a renegotiation. The license is not “bad,” but undocumented AGPL in a proprietary SaaS stack is exactly the kind of surprise that costs money.
5. What a SaaS Vendor Should Actually Do.
Treat AGPL like a tripwire in your dependency list. Two practical moves: first, scan your build so you know whether any AGPL’d component is in your service (a lot of vendors are surprised). Second, decide deliberately whether to comply with the source-availability obligation, replace the component, or negotiate a commercial license from the author. The one thing you cannot do is ignore it, because the network-use trigger means there is no “we never shipped it” defense.
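As an added illustration of the scan step above (not code from the original post), this Python sketch checks a software bill of materials for AGPL terms and separates components that are AGPL-only from those that offer AGPL as one choice in a dual license. It assumes your build tooling already emits a CycloneDX JSON SBOM; the component names and versions in the sample are constructed.

```python
import json
import re
import sys

# SPDX ids of the Affero GPL family, current and deprecated forms.
AGPL_ID = re.compile(r"^AGPL-\d+\.\d+(-only|-or-later|\+)?$", re.IGNORECASE)

def is_agpl(token):
    # Free-text license names are matched on the word "affero".
    return bool(AGPL_ID.match(token)) or "affero" in token.lower()

def classify(expr):
    """'required': every licensing option carries AGPL; 'optional': AGPL is
    one branch of an OR choice; None: no AGPL term found."""
    if "(" in expr:
        # Assumption: nested expressions are not evaluated; any AGPL term
        # is reported conservatively as 'required' for human review.
        found = any(is_agpl(t) for t in re.split(r"[\s()]+", expr))
        return "required" if found else None
    options = re.split(r"\s+OR\s+", expr)
    hits = [any(is_agpl(t.strip()) for t in re.split(r"\s+(?:AND|WITH)\s+", o))
            for o in options]
    return "required" if all(hits) else "optional" if any(hits) else None

def scan(sbom):
    """Return (name, version, status) for each component with an AGPL term."""
    findings = []
    for comp in sbom.get("components", []):
        seen = set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            seen.add(classify(entry.get("expression") or lic.get("id")
                              or lic.get("name") or ""))
        status = ("required" if "required" in seen
                  else "optional" if "optional" in seen else None)
        if status:
            findings.append((comp.get("name"), comp.get("version"), status))
    return findings

# Constructed sample in CycloneDX JSON shape (component names are made up).
SAMPLE = {"components": [
    {"name": "report-renderer", "version": "2.1.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "pdf-toolkit", "version": "7.0.3",
     "licenses": [{"expression": "AGPL-3.0-or-later OR LicenseRef-Commercial"}]},
    {"name": "doc-store", "version": "5.4.1",
     "licenses": [{"license": {"name": "GNU Affero General Public License v3.0"}}]},
    {"name": "img-codec", "version": "0.8.0",
     "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
]}

if __name__ == "__main__":
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, version, status in scan(sbom):
        print(f"{status:8} {name} {version}")
```

A finding marked `optional` is a component where a commercial or alternative license exists to elect; `required` means the choice is between complying and replacing the component.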
If you use code under the AGPL in your SaaS offering, take the source code disclosure requirements seriously. The rules are very different from the GPL.
For the technical-legal analysis of how copyleft attaches to different linking patterns, see Linking and the GPL (Technical and Legal Analysis), and for the broader program, see 3 Things You Need in Your Open Source Policy.
Disclaimer:
This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.