Open Source as Default
Every Formray product is open source. DARC, AEGIS, PRISM — the code is public, the architecture is documented, the decisions are visible.
This isn't idealism. It's a design decision with trade-offs we've thought through.
The argument for
Privacy software that isn't auditable isn't privacy software. It's a promise.
DARC handles whistleblower reports. PRISM analyzes text locally. AEGIS manages audio compliance data. If the code behind these tools isn't visible, users are trusting a claim instead of verifying a fact.
Open source aligns incentives. When users can read the code, the pressure to write good code is structural, not aspirational. There's no "trust us, we don't log your data." There's "read the function, it doesn't log your data."
| Closed Source | Open Source |
|---|---|
| Trust the company | Trust the code |
| Security through obscurity | Security through transparency |
| Vendor lock-in by design | Fork if you disagree |
| Documentation is optional | The code is the documentation |
The argument against
Open source has real costs. Ignoring them is how projects die.
- Support burden — people file issues. Many are not bugs. They still need responses.
- Competitive exposure — competitors see your approach. They can copy it.
- Maintenance pressure — abandoned open source projects are worse than no project. They create false expectations.
- Revenue complexity — you have to find a business model that works alongside free access to the code.
We're not naive about this. Open source is a commitment, not a checkbox.
How we handle it
Licensing
Not every product uses the same license. Each one fits its ecosystem.
| Product | License and Why |
|---|---|
| DARC — whistleblowing, compliance | AGPL-3.0 — community contributions flow back |
| AEGIS — audio compliance | AGPL-3.0 — core open, revenue from hardware and services |
| PRISM — text detection, consumer tool | MIT — maximum adoption, zero friction |
| PRELUDE — Kubernetes validation | Apache-2.0 — CNCF/K8s ecosystem standard |
AGPL protects the commons for privacy-critical tools. MIT removes friction for consumer adoption. Apache-2.0 matches what the Kubernetes community expects. The principle is the same: the complete product is always free. Enterprise licenses are available for organizations that need different terms.
Documentation as product
If the source is open but incomprehensible, it's not really open. Every product has architecture docs, setup guides, and ADRs (Architecture Decision Records) explaining why decisions were made, not just what they are.
The README is the front door. If it takes more than 5 minutes to understand what the project does and how to run it, the README has failed.
Contribution without obligation
We don't expect community contributions. We welcome them, but the products are built to be maintained by the team. If the community disappears tomorrow, the project continues.
This is important because many open source projects create implicit social contracts they can't sustain. We'd rather under-promise and over-deliver.
The business model question
"If the code is free, how do you make money?"
The code is free. The product is more than code.
- Hosted versions — managed deployment, monitoring, updates
- Enterprise licenses — different terms for organizations that need them
- Support contracts — guaranteed response times, dedicated help
- Custom development — tailored features, integrations, deployment
The open source product proves the quality. The commercial offerings save time and reduce risk for organizations that value both.
This model works when the product is genuinely good. If the open source version is deliberately crippled to push people toward paid tiers, the trust breaks. We don't do that. The free version is the full product.
What we believe
Privacy and open source aren't separate values at Formray. They're the same value expressed differently.
Privacy says: your data belongs to you. Open source says: our code belongs to everyone.
Build in the open. Ship the source. Let users verify instead of trust.
Not because it's easy. Because it's the only approach that holds up to scrutiny.
Both are about transparency. Both require discipline. Both are harder than the alternative.
We build this way because the alternative — closed code handling sensitive data, asking users to trust without evidence — isn't something we'd use ourselves.
Every Formray product is available on GitHub. Read the code. File issues. Fork it if you want. That's the point.