Evidence Retention for Java Compliance
When Oracle opens an audit, the side with better evidence sets the terms. A rolling three year trail of dated inventory snapshots and migration records is what lets you answer from your own file instead of accepting Oracle's reconstruction.
An audit is a contest of evidence
When Oracle opens a Java audit, the side with better evidence sets the terms. Not the side that is more right in the abstract, the side that can prove what it claims. The organization that kept dated records of its estate, its migrations, and its decisions answers from its own file. The one that did not is left accepting Oracle's reconstruction, which is built to favor the claim. Evidence retention is the unglamorous discipline that decides which of those two organizations you are when the letter arrives, and it has to be in place long before that day.
The metric and the lookback set the stakes. Since January 2023 Oracle has priced Java SE on the Universal Subscription at 5.25 to 15.00 dollars per employee per month, counting every full time and part time employee, every contractor, and every temporary worker, regardless of who uses Java. Crucially, the LMS audits that intensified in 2026 examine deployment history going back three years. That three year window is exactly the period your evidence has to cover. A claim about what you ran two years ago is answered with records from two years ago or it is not answered at all.
What evidence actually matters
Not all records are equal in an audit. The evidence that carries weight is dated, sourced, and tied to a specific state of the estate. The goal is to be able to show, for any point in the lookback window, what you ran and why.
Dated inventory snapshots
The core artifact is a series of dated snapshots of your defensible Java inventory, each one a record of the estate at a moment in time. A single current inventory proves today. A trail of snapshots proves the three year history Oracle is actually asking about.
Migration records
Before and after discovery data from any migration proves when Oracle builds left the estate. This is some of the most valuable evidence you can hold, because it converts a vague claim of reduction into a dated, verifiable fact.
Approval and decision records
Records from your approval gate show why each Oracle runtime exists and that it was a deliberate, justified choice. Decision records turn an estate from a thing that happened into a thing you governed.
Download and source evidence
Where you can capture it, evidence of what was downloaded and from where helps distinguish Oracle builds from free distributions under challenge. This ties to controlling Java downloads across the organization.
A retention schedule
| Evidence | Cadence | Retain for |
|---|---|---|
| Inventory snapshot | Quarterly | At least three years |
| Migration records | Per migration | At least three years |
| Approval records | Per deployment | Life of the runtime plus three years |
| Discovery logs | Continuous | Rolling three years |
Indicative only. Align the retention period with the three year lookback at minimum, and longer where your own policy or counsel advises.
Why the three year window drives everything
The single most important design choice in evidence retention is the period. Because the 2026 LMS lookback reaches back three years, evidence younger than that leaves a gap an auditor can fill with assumptions. If you began retaining snapshots only this quarter, you can prove the present but not the two years Oracle is most interested in. The lesson is to start retaining now and to keep a rolling three year window thereafter, so that at any moment you can answer for the entire period an audit can reach. Evidence retention is one of the few audit defenses where starting early is irreplaceable, because you cannot manufacture a snapshot of last year today.
Building the retention discipline
- Snapshot quarterly. Capture and date a full inventory record every quarter as a matter of routine.
- Keep migration evidence. Retain before and after discovery data for every migration off Oracle Java.
- Store decision records. Hold the approval and justification for each Oracle runtime alongside the inventory.
- Set the window. Retain everything for at least the three year lookback, on a rolling basis.
- Make it findable. Store evidence so it can be produced quickly, because evidence you cannot locate is evidence you do not have.
Evidence is produced by routine, not heroics. See the cadence that generates it in quarterly Java compliance reviews.
How evidence shifts the negotiation
Evidence does more than answer questions. It changes who controls the conversation. A buyer who can produce three years of dated snapshots and migration records negotiates from a documented position, and Oracle's reviewers adjust their opening accordingly because there is little room to inflate. A buyer with no evidence negotiates against Oracle's reconstruction of the worst plausible case. The gap between those two starting points is large, and it is part of how a governed buyer reaches an average reduction of 68 percent versus Oracle's opening number. The evidence is not paperwork for its own sake. It is the leverage that makes the number movable.
There is a defensive point too. Good evidence shortens an audit. A reviewer who is handed clear, dated records has less to probe and fewer gaps to exploit, so the whole process closes faster and on better terms. Evidence is both shield and lever.
Keeping evidence usable, not just retained
Retention is only half the discipline. Evidence that exists but cannot be found in time is no help when Oracle sets a response deadline. Store snapshots and records where the governance owner can retrieve them quickly, keep them organized by date, and confirm during quarterly reviews that the trail is intact. A retention program that is tidy and current turns an audit response from weeks of reconstruction into a short act of retrieval, which is exactly the position you want to be in when the clock is running.
How a buyer side advisor helps
Most teams can stand up these controls themselves, and everything described here is deliberately practical. Where an independent buyer side advisor earns its place is in calibration and timing: knowing which evidence an LMS reviewer actually weighs, where Oracle's opening number is softest, and how to convert a governed estate into a smaller defended residual. We sit between you and Oracle and we never take vendor money, so the advice points one way only.
We work two ways, both built so the risk sits with us. A Fixed Fee starts from $18,000, agreed up front and backed by our guarantee. Or choose Gainshare, a share of verified savings or avoided exposure, with zero retainer and no risk to you. Across our work we have defended more than $120M in Java exposure and over 300 Java audits, with more than 20 years of combined experience on the buyer side of the table, and an average reduction of 68 percent versus Oracle's opening number.
Where to go next
Evidence is the currency of an audit, and the three year window means the time to start is now. Pair retention with a defensible inventory and quarterly reviews, and ground the approach in our Oracle Java licensing guide for 2026. Keep the evidence and the audit becomes a question you have already answered.
Book a Strategy Call.
Bring your estate and your renewal date. We will show you where Oracle's opening number is softest and how a clean governance record shrinks it.