Open source

Open source is not a marketing strategy. It's the architecture.

The license: Apache 2.0

Apache 2.0 over MIT because of the explicit patent grant. If a contributor holds a patent that reads on the code they contributed, they grant you a license to it. MIT doesn't.

Not AGPL because AGPL would block the QuickBooks and Xero plugin Trojan horse — the whole point is shipping Bitcoin data into legacy accounting stacks that won't touch copyleft code.

Not Business Source License (BSL) because it undermines community trust. "Open source eventually" is not open source. We chose the license that the audience we want actually respects.

The moat is not the code

If the code were the moat, open-sourcing it would be self-defeating. The code isn't the moat, so open-sourcing it isn't.

What's actually defensible: signed partnership agreements with banks and wallets, verified-adapter quality, SOC 2 Type II and HIPAA paperwork that takes years to build, and the network effects of being the open spec the rest of the ecosystem builds against.

A fork can copy the code in an hour. It cannot copy two years of compliance audits and dozens of partnership contracts.

Our revenue model is honest

We sell operational leverage: managed hosting, SSO, audit log retention, SLAs, signed partner adapters, compliance attestations.

We do not sell crippled features. The free self-host has the same adapters, the same zero-knowledge mode, the same API. Paid tiers add ops — not capability.

If we ever feel tempted to hold a feature back to push you onto a paid plan, you have our git history to call us out with.

The zero-knowledge guarantee

ZKA is enforced by a split-connector pattern: the connector runs on your machine (or your server), holds the credentials, decrypts the data, and only sends back encrypted blobs we cannot read.

The guarantee is mechanical, not promissory. We're not asking you to trust our intentions — we're inviting you to read the code and verify that the architecture makes it impossible for us to read your data, even under subpoena.

If you find a way for our infrastructure to read plaintext transaction data in ZKA mode, that's a bug. Report it to security@orangerails.com — GPG key on the docs site.
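The split-connector pattern described above, as an added illustration (this is not code from the orangerails repo): a local connector holds an AES-256-GCM key and emits only ciphertext, a hosted store keeps the blobs, and an audit check confirms that nothing the host could hand over contains the plaintext. The record format, the in-process key, and the class names are assumptions made for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Constructed sample record; the memo and account number are the plaintext that must never leak.
const SAMPLE_TX = JSON.stringify({ amountSats: 125000, memo: "Invoice 4471", account: "ACCT-9921" });

interface EncryptedBlob { iv: string; tag: string; ciphertext: string }

// Runs on the user's machine. Holds the key and credentials; only ciphertext leaves it.
class LocalConnector {
  // Assumption: a random in-process key. In practice it would be derived from a user-held secret.
  private readonly key = randomBytes(32);

  encrypt(plaintext: string): EncryptedBlob {
    const iv = randomBytes(12); // fresh nonce per record, required for GCM
    const cipher = createCipheriv("aes-256-gcm", this.key, iv);
    const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
    return {
      iv: iv.toString("base64"),
      tag: cipher.getAuthTag().toString("base64"),
      ciphertext: ciphertext.toString("base64"),
    };
  }

  decrypt(blob: EncryptedBlob): string {
    const decipher = createDecipheriv("aes-256-gcm", this.key, Buffer.from(blob.iv, "base64"));
    decipher.setAuthTag(Buffer.from(blob.tag, "base64")); // tampered blobs fail here
    return Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, "base64")), decipher.final()]).toString("utf8");
  }
}

// Runs on the hosted side. Stores blobs and has no key, so it can only ever see ciphertext.
class HostedStore {
  private readonly blobs: EncryptedBlob[] = [];
  put(blob: EncryptedBlob): void { this.blobs.push(blob); }
  // Everything the host could hand over (for example in response to a subpoena), as one string.
  dump(): string { return JSON.stringify(this.blobs); }
  // Audit check: does anything the host holds contain a known plaintext fragment?
  leaksPlaintext(fragment: string): boolean { return this.dump().includes(fragment); }
}

// Full round trip: local encrypts, host stores, local decrypts; the host never sees plaintext.
function runZkaRoundTrip(): { leak: boolean; restored: string } {
  const local = new LocalConnector();
  const host = new HostedStore();
  host.put(local.encrypt(SAMPLE_TX));
  const leak = host.leaksPlaintext("ACCT-9921") || host.leaksPlaintext("Invoice 4471");
  const restored = local.decrypt(JSON.parse(host.dump())[0]);
  return { leak, restored };
}
```

The audit check is the same shape as a test you would run against the real connector: feed it a record with a known marker and assert the marker never appears in anything the hosted side stores or logs.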

Contributing

Code contributions and adapter contributions are both welcome. Adapters get a co-maintainer on the core team for the first 90 days after merge.

Security disclosures: security@orangerails.com with our GPG key. We commit to a 24-hour acknowledgement and a public CVE timeline.

Hall of fame for responsible disclosure. We list the people who made this safer — by name, on the website, with a permanent link.

Audit yourself

Don't take our word for it.

Read the engine. Verify the encryption boundary. Run the audit script.

adapter.sh

git clone https://github.com/orangerails/core
cd core

# read the engine that talks to your data
less src/connectors/sync-engine.ts

# verify that ZKA mode never sees plaintext
npm run audit:zka
Read the full threat model