SaaS and MSP Licensing Guidance
Document Version: 1.0.0
Last Updated: 2026-01-25
This document provides detailed guidance on Stella Ops licensing for SaaS providers,
Managed Service Providers (MSPs), and hosting scenarios. For the full legal terms,
see LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md.
Overview
The Stella Ops BUSL-1.1 license with Community Plugin Grant restricts providing Stella Ops as a commercial hosted service to third parties. This document clarifies what is and isn't permitted under different hosting scenarios.
Key Principle: The restriction targets commercial offerings that compete with Stella Ops' own hosted services, not legitimate internal use or isolated customer deployments.
1. Prohibited: Multi-Tenant SaaS Offerings
The following are NOT permitted without a commercial license:
1.1 Public SaaS Platform
Prohibited: Operating a multi-tenant SaaS platform that provides Stella Ops functionality to paying customers.
Example (prohibited):
AcmeScan.io
├── Customer A (paying subscriber)
├── Customer B (paying subscriber)
├── Customer C (paying subscriber)
└── Shared Stella Ops infrastructure
Why prohibited: This directly competes with Stella Ops' commercial SaaS offering.
1.2 White-Label Hosting
Prohibited: Rebranding Stella Ops and selling it as your own hosted product.
Example (prohibited):
"PowerScan Pro" (white-labeled Stella Ops)
├── Sold as monthly subscription
├── Marketed as proprietary technology
└── Runs on shared infrastructure
Why prohibited: This is commercial redistribution as a competing service.
1.3 Embedded SaaS Features
Prohibited: Embedding Stella Ops scanning as a feature in your commercial SaaS product.
Example (prohibited):
AcmeDevPlatform.com (commercial SaaS)
├── Code repository feature
├── CI/CD pipeline feature
├── "Security Scanning" feature <- Powered by embedded Stella Ops
└── Charged as part of subscription
Why prohibited: Stella Ops functionality is being monetized as part of a third-party service offering.
2. Permitted: Internal Use
The following ARE permitted under the Community Plugin Grant:
2.1 Internal Enterprise Deployment
Permitted: Deploying Stella Ops for your organization's internal use.
Example (permitted):
Acme Corp Internal
├── Development team scans
├── Security team analysis
├── Compliance reporting
└── Accessed only by Acme employees/contractors
Why permitted: Internal use for the licensee's own business operations.
2.2 Internal Platform Team
Permitted: A platform/DevOps team providing Stella Ops to internal development teams.
Example (permitted):
Acme Corp Platform Team
├── Hosts Stella Ops on internal infrastructure
├── Provides scanning service to:
│ ├── Team Alpha (internal)
│ ├── Team Beta (internal)
│ └── Team Gamma (internal)
└── All users are Acme employees
Why permitted: All users are within the same organization.
2.3 Subsidiary/Affiliate Use
Permitted: Parent company hosting for subsidiaries under common control.
Example (permitted):
Acme Holdings
├── Acme Corp (subsidiary) - uses hosted Stella Ops
├── Acme Europe (subsidiary) - uses hosted Stella Ops
└── Acme Asia (subsidiary) - uses hosted Stella Ops
Why permitted: Affiliates under common control are treated as one organization.
3. Permitted with Conditions: MSP Single-Tenant Hosting
Managed Service Providers may host Stella Ops for customers under specific conditions.
3.1 Single-Tenant Isolated Deployments
Permitted (with commercial license): MSP hosting separate Stella Ops instances for each customer.
Example (permitted with commercial license):
AcmeMSP Infrastructure
├── Customer A Instance (isolated)
│ ├── Dedicated Stella Ops deployment
│ ├── Customer A data only
│ └── Covered by AcmeMSP commercial license
├── Customer B Instance (isolated)
│ ├── Dedicated Stella Ops deployment
│ ├── Customer B data only
│ └── Covered by AcmeMSP commercial license
└── No shared infrastructure between customers
Requirements:
- Each instance must be fully isolated
- MSP must have a commercial license covering all instances, or each customer must have their own commercial license
3.2 Customer-Licensed Deployments
Permitted: MSP managing infrastructure where customer holds the license.
Example (permitted):
AcmeMSP (infrastructure only)
├── Customer A Infrastructure
│ ├── Customer A's Stella Ops license
│ ├── MSP manages infrastructure
│ └── Customer controls license compliance
└── Customer B Infrastructure
  ├── Customer B's Stella Ops license
  └── MSP manages infrastructure
Why permitted: The customer (not MSP) is the licensee; MSP provides only infrastructure management.
4. Gray Areas: Guidance for Common Scenarios
4.1 Consulting with Temporary Access
Scenario: Security consultant deploys Stella Ops at client site for an engagement.
Analysis:
- If consultant's license: Consultant needs commercial license for third-party use
- If client's license: Client uses their free tier or commercial license
Recommendation: Client should obtain their own license; consultant assists with deployment.
4.2 Training/Demo Environments
Scenario: Providing training environments with Stella Ops to external trainees.
Analysis:
- Temporary, non-production training: Generally permitted under non-production use
- Ongoing access for trainees: May require commercial license depending on duration
Recommendation: Contact legal@stella-ops.org for training program licensing.
4.3 Non-Commercial Community Hosting
Scenario: Hosting Stella Ops scanning as a free service for community benefit.
The BUSL-1.1 restriction specifically targets "public multi-tenant paid hosting." Non-commercial hosting for community benefit may be eligible for the Community Program.
Examples of potentially eligible scenarios:
- Free scanning services for open source projects
- Academic/educational institutions providing free access to students
- Non-profit organizations providing free services to other non-profits
- Community-run instances for local developer communities
Requirements for Community Program consideration:
- Service must be genuinely free (no fees, subscriptions, or required purchases)
- Service must not be a loss-leader for commercial offerings
- Service must not compete directly with Licensor's commercial offerings
- Organization must apply and be approved by Licensor
Analysis:
- Non-commercial, community benefit: Contact community@stella-ops.org for evaluation
- If charging any fees: Requires commercial license (not eligible for Community Program)
- If bundled with paid services: Requires commercial license
Recommendation: Apply for Community Program at https://stella-ops.org/community
Important: Community Program approval is not automatic. Licensor reserves the right to evaluate each application based on community benefit, competitive impact, and alignment with program goals.
4.4 Reseller/Channel Partner
Scenario: Reselling Stella Ops commercial licenses with implementation services.
Analysis:
- Reselling licenses: Requires authorized reseller agreement
- Implementation services: Permitted under customer's license
Recommendation: Contact sales@stella-ops.org for reseller program details.
5. Compliance Checklist
For Internal Deployments
- All users are employees, contractors, or affiliates of the licensee
- Deployment is within free tier limits (3 environments, 999 scans/day) OR commercial license obtained
- LICENSE and NOTICE files preserved
- No third-party access to functionality
For MSP Deployments
- Each customer instance is fully isolated
- Either MSP or customer holds valid license for each instance
- No shared multi-tenant infrastructure
- Clear documentation of license responsibility
- Annual compliance attestation completed
For Any Hosted Scenario
- Not marketed as competing SaaS product
- Not white-labeled or rebranded
- Not embedded in commercial SaaS offering
- Attribution requirements met
6. Decision Tree
Is Stella Ops functionality being provided to third parties?
│
├─ NO → Internal use permitted (within free tier or with commercial license)
│
└─ YES → Is it a commercial offering (paid or part of paid service)?
         │
         ├─ NO (genuinely free, community benefit)
         │   │
         │   ├─ Apply for Community Program (community@stella-ops.org)
         │   │
         │   └─ If approved → Permitted under Community Program terms
         │       If not approved → Commercial license required
         │
         └─ YES (paid, or free-as-loss-leader for paid services)
             │
             └─ Is each customer fully isolated (single-tenant)?
                 │
                 ├─ NO → Commercial SaaS license required
                 │        (contact sales@stella-ops.org)
                 │
                 └─ YES → MSP single-tenant model
                     │
                     ├─ MSP holds commercial license covering all instances
                     │   → Permitted
                     │
                     └─ Each customer holds their own license
                         → Permitted (MSP provides infrastructure only)
Key distinction: The restriction targets "public multi-tenant paid hosting." Non-commercial hosting for genuine community benefit may qualify for the Community Program, but requires explicit approval from Licensor.
7. Examples of Compliance Violations
The following are examples of arrangements that would violate the license:
- "Vulnerability Scanning as a Service" - Public signup for scanning services powered by Stella Ops without commercial license
- DevSecOps Platform Bundle - Including Stella Ops scanning in a paid platform subscription without commercial license
- Shared MSP Instance - Multiple MSP customers sharing a single Stella Ops deployment
- "Free Tier Arbitrage" - Running multiple free-tier installations to serve third-party customers
- Competitive Forking - Forking Stella Ops and offering it as a competing hosted service
8. Getting a Commercial License
If your use case requires a commercial license:
Contact:
- Email: sales@stella-ops.org
- Website: https://stella-ops.org/pricing
License options include:
- Per-environment licensing
- Unlimited scan licensing
- MSP/reseller programs
- OEM/embedded licensing
Volume discounts available for MSPs and enterprise deployments.
See Also
- LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md - Full legal terms
- docs/legal/LEGAL_FAQ_QUOTA.md - Quota and free tier FAQ
- docs/legal/PLUGIN_DEVELOPER_FAQ.md - Plugin developer questions
- docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md - Audit and compliance verification
Document maintained by: Legal + Sales Operations
Last review: 2026-01-25