How Octopus Cloud became the world's first KPMG-assessed SPLA tool

The room was silent except for the frantic clicking of keys. It was 3 AM in a hotel in Cologne (Köln), Germany. Four hours remained until we had to face KPMG again. Our laptops were glowing in the dark, and we (three founders) were running on a volatile mix of caffeine and pure adrenaline. At the time, we couldn't have imagined that we would define the gold standard for Microsoft SPLA tools.

Everything was on the line.

We were attempting something that had never been done in the Microsoft licensing world: subjecting a SPLA compliance tool to a rigorous, independent, third-party assessment. That night, a list of "unresolved edge cases" stared back at us from the screen.

Before the sleepless nights, there was frustration. If you’ve ever managed Microsoft SPLA (Service Provider License Agreement), you know the "Excel nightmare". It’s a world of endless spreadsheets, manual calculations, own scripts, based on the Service Provider Use Rights (SPUR), and a nagging anxiety that a single broken formula or script could lead to a million-dollar audit penalty.

Our vision was simple: a "magic button". We wanted to build a platform that took the guesswork out of reporting and generated audit-ready results automatically, with just one click, the magic button.

But we hit a wall early on: The data collection problem. We tried external partners. We tested "generic" data collectors. None of them worked. They couldn't capture the granular, specific data required for true SPLA accuracy. We realized that, to solve the problem properly, we had to build our own technology from the ground up.

We walked into KPMG’s offices with "healthy confidence”. We knew SPLA inside and out, or so we thought. Then, after basic questions, the tricky ones started:

• "How do you license Microsoft Access Runtime?"
• "What about SQL Express, which versions do you include, which ones to exclude?"
• “Office Language Packs, all versions, or some?
• “What about SQL Server Standard core vs. SAL licensing?”
• “Do you optimize licenses? Physical cores with unlimited possibilities vs. virtual core licenses?
• “What about tracking the high-water-mark usage?”
• “License mobility? Do you track potential VM movements?
• etc.

By 5:00 PM, we weren't just exhausted; we were humbled. KPMG handed us a long list of gaps and missing functionalities. If we didn't fix them by the next morning, the assessment would fail, confirming the industry's belief that SPLA was too complex to ever be truly automated.

We didn't go to sleep. We went to work. We rewrote licensing logic, improved bundle detection algorithms, and coded until 4:00 AM when our brains simply couldn't process more.

Day two was redemption. The look of genuine surprise on the auditors' faces when we cleared every single hurdle, is a moment I will never forget. We became the world’s first KPMG-assessed and validated SPLA tool.

For our second KPMG assessment, we didn't want a controlled environment with manually fed data. We wanted the real deal.

We brought in an actual customer, a real service provider with real environments, real complexity, and real data being collected by our systems in production. KPMG wouldn't be assessing theoretical capabilities; they'd be validating live, operational accuracy.

KPMG was genuinely impressed by the second generation of our platform. They could see how our specialized data collectors gathered every SPLA-relevant detail needed to generate accurate reports. They tested the full lifecycle: from automated data collection through processing, calculation, and final report generation.

The assessment went smoothly. We passed with flying colors.

But more importantly, our customers were passing their audits. That was the real validation.

This year, we're preparing for our third KPMG assessment. After more than 6 years since our last one, you might wonder: why do it again?

The answer is simple: the SPLA world hasn't stood still.

We've completely rebuilt Octopus Cloud from the ground up for 3.0. This wasn't a minor update; this was a fundamental reimagining of what our platform could be. We took a decade of experience, feedback from hundreds of customers, and lessons learned from countless audits, and we engineered something new.

Why? Because Octopus Cloud 3.0 isn't just a SPLA solution anymore.

The licensing landscape has fundamentally changed:

• Multi-vendor environments are now the norm. Service providers aren't just dealing with Microsoft licenses; they're managing complex portfolios across multiple vendors, each with their own licensing models and compliance requirements.
• Subscription models have exploded. The shift from perpetual licensing to subscription-based models has added new layers of complexity to compliance tracking.
• Flexible Virtualization Benefits have introduced new optimization opportunities, and new compliance challenges.
• Azure Arc is bridging the world between on-premises and cloud, creating hybrid scenarios that traditional SPLA tools were never designed to handle.

We're already integrating Azure Arc functionality into our platform, creating seamless bridges between Azure and SPLA for service providers. Throughout this year, we'll be adding even more Azure capabilities that deliver genuine value for daily operations.

I should be transparent: KPMG assessments are not cheap. They represent a significant investment, in direct costs, in preparation time, in the resources required to meet their rigorous standards.

So why do we keep doing it?

Because our customers' trust is worth more than the cost.

When a service provider chooses Octopus Cloud, they're not just buying software, they're placing their compliance risk in our hands. They're trusting that when a Microsoft auditor shows up, our platform will have given them accurate, defensible, comprehensive data.

That trust has to be earned continuously, not once.

The third assessment will likely include new checks:

• Flexible Virtualization Benefit scenarios
• Azure Arc integration validation
• Multi-vendor license tracking accuracy

Microsoft gives service providers more flexibility than ever before, which is wonderful, but that flexibility comes with complexity. Keeping track of everything, staying compliant across all these moving parts, understanding how different licensing models interact - that's where Octopus Cloud becomes essential.

Our customers have saved millions of dollars in potential penalties. They achieve full ROI within the first year. They face Microsoft audits with peace of mind because their data processing isn't just "software-generated", it’s KPMG-assessed.

If anything, the SPLA and cloud licensing landscape is becoming more complex, not less.

Consider what service providers are juggling today:

• Traditional SPLA licensing alongside CSP agreements
• On-premises infrastructure mixing with Azure and multi-cloud environments
• Flexible Virtualization Benefits with complex eligibility rules
• Subscription transitions for legacy perpetual licenses
• Multi-vendor licensing across their entire stack

The days of managing this with spreadsheets are over, or at least, they should be.

Every month that a service provider operates without proper automation and validation is another month of potential compliance gaps accumulating in the shadows. These gaps don't announce themselves. They sit quietly in your environment until an auditor finds them.

And when they're found, they become very expensive problems.

That sleepless night in Cologne twelve years ago taught us something fundamental: there's no shortcut to excellence in compliance.

We could have cut corners. We could have avoided the assessment. We could have relied on the same "trust us" approach that dominated the industry.

Today, as we prepare for our third assessment, that same principle drives us: continuous validation, rigorous standards, and independently verified accuracy.

Because when your customers' financial exposure runs into millions, when your business relationships depend on compliance, "good enough" isn't acceptable.

You shouldn't have to learn that lesson the hard way. That’s why we built Octopus Cloud: a tool with proven validation, documented results, and independently verified accuracy.

‍

Spreadsheets and manual controls were never designed for today’s licensing complexity. Octopus Cloud was built through real audits, independent assessments, and years of hands-on experience, so service providers can operate with confidence, not uncertainty. Book a demo today, to see how a KPMG-assessed platform turns compliance into a competitive advantage.