by nickvec 72 days ago
> we built on an Apache 2.0 open-source repository, which explicitly permits commercial use, and significantly rebuilt it for compliance use cases

This framing is misleading. Apache 2.0 permits commercial use, but it also requires you to retain copyright/attribution notices, include the license, and add prominent notices to modified files.

Also hard to square “the allegations are fabricated” with simultaneously offering free re-audits, halting audit automation, and rebuilding the entire auditor network.


Also: you'd expect a compliance company to understand basic software licensing, especially the most popular.

The problem with Apache 2 is that it might not be completely clear how this works with a SaaS product. Of course, if you are distributing binaries or source to customers, then you are going to run into issues with Apache licensing. But if you are just running code on your servers, then it's not so straightforward. However, I guess it's likely they were distributing JavaScript code, so that could be a problem for them. Also, I guess regardless of the licensing issues, not being honest with your customers when you are a compliance company is not going to be great for business.