Voltage SecureData token and key management licensing
Voltage SecureData licensing turns on units that are easy to misread under audit pressure. Voltage SecureData token and key management licensing depends on how protected data operations, key management scope, and deployment topology are counted, and a finding inflates when those units are read at their broadest rather than at their licensed definition.
Voltage came into the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023. Most Micro Focus products are governed by Additional License Authorizations rather than by the OpenText EULA, and Voltage SecureData is no exception. That matters because the ALA is where the unit definitions live, and the unit definitions are where token and key management findings are won or lost. A finding that asserts a metric without anchoring it to the ALA is asserting an interpretation, not a fact.
Start with the Additional License Authorizations
Before any number is conceded, the governing ALA has to be on the table. The ALA defines what is being counted for your specific SecureData entitlement, whether that is a capacity measure, a deployment measure, or a measure tied to protected data operations. Because the ALAs are the key trap area across the Micro Focus portfolio, a SecureData finding should never be evaluated against a generic metric description. It is evaluated against the authorization that was actually sold, and the gap between the two is frequently the whole argument.
When the unit definition is ambiguous, the audit reads it broadly and the buyer should read it to the ALA. The difference between a broad reading and the authorized definition is often the difference between the finding and a defensible position.
How token and protected data operations get overcounted
SecureData protects data through tokenization and encryption operations, and where a metric touches the volume of those operations, the count can balloon. Repeated operations on the same underlying data, operations in test and development flows, and operations generated by integration testing can all be swept into a single figure that looks like licensed consumption but is not. The defensive work is to separate distinct licensed activity from repetition and non production traffic, then hold the finding to the ALA definition of what actually counts.
Key management scope and topology
Key management introduces its own counting questions. The number of key servers, the deployment topology, high availability pairs, and disaster recovery instances can each be read as separate licensed units or as part of a single licensed deployment depending on the ALA. A finding that prices every node and every standby as an independent unit may be charging for resilience the agreement already contemplates. Resolving topology against the authorization, and collapsing failover and recovery instances where the ALA allows, removes charges that were never licensed consumption.
- Operation counting. Separate distinct protected data operations from repeated operations on the same data and from non production traffic.
- Key server topology. Establish whether nodes, standbys, and recovery instances are separate units or part of one licensed deployment under the ALA.
- Environment scope. Remove development, test, and lab instances where the metric is scoped to production use.
- Version entitlement. Confirm the entitled version and edition, since capacity definitions can differ across releases.
Reconstruct independently before the script runs
The four Rs apply to SecureData as they do to every line. Respond by taking over the channel inside the seven day notice window. Reconstruct the effective license position from the ALAs and the entitlement before any vendor measurement runs. Rebut the finding line by line on operation counts, key server topology, and non production scope. Resolve on terms that convert forward cleanly. The reconstruction is what turns a SecureData finding from a vendor assertion into a documented reconciliation the buyer controls.
A recent engagement
In a recent engagement a SecureData position had been priced with every key server node, including standby and recovery instances, counted as an independent licensed unit, and with protected data operations summed without separating repeated operations from distinct ones. Reading the topology and the operation metric back to the governing ALA, and removing non production traffic, brought the position down to the authorized definition. No new facts were invented and no numbers were negotiated in the abstract. The finding simply met the authorization it should have been measured against from the start.
The questions to settle early
Confirm the governing ALA and edition, the exact unit the metric counts, whether key server topology is one deployment or many units, and where non production scope applies. Settle those and a SecureData finding stops being an open ended capacity argument and becomes a bounded reconciliation against a document you can read.
Why the acquisition history matters for SecureData
The governance question is not academic. OpenText acquired Micro Focus in a transaction that closed on January 31, 2023, and brought the security portfolio, including Voltage, under its compliance program. The OpenText ECM line predates that acquisition and is governed by the OpenText EULA, while Voltage and its siblings remain governed by the Additional License Authorizations. Buyers sometimes assume a single OpenText agreement now controls everything, and an audit is happy to leave that assumption unchallenged when it favours a broad reading. It does not. A SecureData entitlement is read against its ALA, and the metric definitions there can differ materially from the language an auditor uses in a finding summary. Insisting on the correct governing document is the first defensive move, because it determines every count that follows.
Version and edition entitlements
SecureData has shipped in multiple editions and versions, and capacity definitions are not constant across them. An entitlement bought under one release may define a protected data operation, a key server, or a deployment differently from a later release, and a finding that applies current definitions to an older entitlement is measuring against the wrong yardstick. Confirming the entitled version and edition, and reading the metric as it was defined for that entitlement, can remove charges that exist only because the audit applied a newer or broader definition. This version entitlement check sits alongside the topology and operation work, and together they hold the SecureData finding to the authorization the buyer actually holds rather than the one that produces the largest number.
Have a Voltage SecureData finding to evaluate?
We read the metric back to the governing ALA, resolve key server topology, and reprice the finding against your authorized entitlement. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover the Voltage and entitlement mechanics. Each links back to the complete OpenText audit defense playbook for 2026.
- Voltage data protection license metrics explained
- NetIQ identity and access license counting traps
- NetIQ Identity Manager metric definitions
- reconciling ArcSight entitlements before an audit
- Sentinel event and data volume audit considerations
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.