Re: Conformance: What does "organization" mean?

Gary O'Neall

Thanks Miriam and Daniel for summarizing the discussions so far.


After working with a small number of larger companies on OpenChain compliance, requiring the entire “company” to comply with the training has turned out to be a big challenge.  From what I’ve learned over the past 2 years, I believe allowing subgroups (programs) to achieve compliance would speed up OpenChain adoption.  I believe it is a topic worth revisiting based on this learning.


I wanted to introduce one more concept to the discussion.  It may be worthwhile defining multiple levels, perhaps even a hierarchy for compliance.  We could still have an entire legal entity be compliant.  This would be useful for small companies and larger companies with a more mature compliance environment.  I can think of 3 levels that may be useful:

  • Organization (the legal entity)
  • Program (the subgroup of an organization under a single open source program)
  • Product (distributed software under a program)


When certifying, one could specify whether the entire organization is certified, a program is certified, or just a product.


From what I have experienced, Organization and Program would both be used.  I’m less certain if Product would be used for certification, but it has come up in previous conversations.


The downside to this proposal is it would add complexity, but I feel the additional flexibility would enable higher adoption of the specification.


Best regards,



From: openchain-bounces@... <openchain-bounces@...> On Behalf Of Miriam Ballhausen
Sent: Tuesday, June 12, 2018 1:17 AM
To: openchain@...
Subject: [OpenChain] Conformance: What does "organization" mean?


Hi All,


According to the Spec, OpenChain conformance is declared for compliance programs of an organization. In our last call, we agreed that the term “organization” needs further clarification, as it is the reference point not only for the program, but also for the 85% of software staff that need to undergo training. We further agreed to use the July to clarify the term. The term “organization” was agreed after long discussions in the very beginning of the project, where it was also agreed that organization meant legal entity. As we are now considering changing this understanding, we wanted to make sure everyone was aware of the discussions we have had about this topic to date and the agreements that were reached (or not reached) at various points in time. So in preparation for our meeting in July and to kick off the discussion on the mailing list, Daniel summarized all of our meeting minutes again and we created an overview of the agreed meaning of organization and the relevant arguments and minutes.


Summary of discussions re. “organization”:


Date of call | (Agreed) meaning of “organization” | Minutes summary (if relevant)

Until July 10, 2017

Organization means legal entity.


August 7, 2017

Organization generally means legal entity, unless legal entity does not work for the structure of the organization that is claiming conformance.


  • Organization is not explicitly defined as a legal entity in the current OpenChain material.
  • It was decided that for now we will define organization as legal entity, but companies with other structures can also self-certify by using Legal entity > StructureName.
  • If they have any questions or need assistance they can contact the conformance work team volunteers.

September 5, 2017

Organization means legal entity.


  • Discussion about what happens in case of acquisitions (re. 85% software staff)
  • Questions:
    • What needs to happen when a conformant company acquires another which is not conformant yet?
    • What should happen with regards to the conformance during the integration phase of the acquired company? Integration takes time for the new part of the company to follow policies and processes.

October 16, 2017, October 24, 2017, January 15, 2018

  • No agreement.
  • Potential meanings:
    • Legal entity.
    • Section of the company, where staff is involved in software development of software.
    • Section of the company, where a particular open source program applies.
    • Business Group of a company.
    • Release of software needs to be certified to be conformant.


  • As long as it is clear whether compliance is for the full or part of the organization it seems perfectly acceptable.
  • Allowing partial conformance is important.
  • In the very beginning of the project and that the focus at that time was on conformance legal entity by legal entity.
  • It may be useful if we could certify that a release was OpenChain conforming.
  • We need to clarify whether conformance is by a program or a legal entity.
  • From a legal perspective it is easier to define conformance by legal entity but in practice it may be easier by program.
  • It may be useful to allow different stages of conformance (full organization, partial conformance) to encourage a pathway to full conformance.
  • Our current understanding of the spec is that it applies to a program, and 85% of the staff related to a program need to meet the requirements of the spec (rather than the company as a whole).
  • There is an expectation of a company being conformant. There may be a detrimental reliance issue. If it is not full entity conformance there will have to be a lot of clarification.
  • Looking at standards like ISO it had organizations being partially conformant but in open source we need to have complete conformance.

November 6, 2017

  • Agreement that organization does not need to be a whole legal entity.
  • The reference point of the spec is “program”.
  • It is not relevant, if a whole entity to be conforming.

February 5, 2018

  • No agreement.
  • Potential interpretations:
  • Headcount of the people in an area.
  • Team.



In my opinion, the starting point of our discussion should be:

  1. The goal of OpenChain, which is to build trust. That requires that we have clarity about what the organization is that has the OpenChain conformant program.
  2. The recipient of the Supplied Software needs to be able to trust, meaning that the relevant question is, what the recipient would expect organization to mean (Would they expect it to mean legal entity or the combination of all those involved in creating the Supplied Software irrespective of which legal entity happens to employ them?).


On the more formal side, we should also consider, what the proper procedure is, as we are essentially changing an agreement that was reached by the OpenChain project at an earlier stage. We should also consider how the conformance and especially the logos should be presented on the website.


Looking forward to all your input.


Best regards,



Dr. Miriam Ballhausen


Rechtsanwältin / Senior Associate

Bird & Bird



Direct +49 (0)40 460 63 6269

Mob    +49 (0)151 7212 3911

Tel       +49 (0)40 460 63 6000

Fax      +49 (0)40 460 63 6011


Bird & Bird LLP
Großer Grasbrook 9
20457 Hamburg







