Update: See the reply below (
https://news.ycombinator.com/item?id=31853107). Incorrect email.
Context:
We're a B.V. (Dutch LLC) incorporated in the Netherlands, ran by me from the Netherlands with contractors from around the world. Two of these contractors were located in Russia, one of them has recently moved to the Netherlands on a skilled migrant visa, another is still in the process of obtaining the required travel documents and is still communicating (albeit unable to be paid) with us. It should be noted that neither of these contractors are in any way related to a sanctioned entity according to EU legislation, nor should they be related to any such entity according to US legislation either.
We use Mattermost 'Enterprise' (self-hosted!) for our organization's internal communications. This was a logical option as we thought Mattermost was a modern organization, it had a fancy on-boarding flow, an open source variant of their products, and a lot of transparency.
During the order process, I had provided the information for the B.V., and my personal details, both indicating very clearly that the organization is based in and operates from the Netherlands.
What happened:
I received an email from Mattermost today claiming 'Our understanding is that your organization is located in either Russia or Belarus. Because of this, we must pause interactions with your organization until the sanctions are lifted.', which I'll quote verbatim in the comments due to the HN character limit.
My interpretation:
First off, it worries me that they do not provide the data on which they have based this 'understanding that [our] organization is located in Russia'. This probably implies there's telemetry being sent on the IP addresses our self-hosted install is being accessed from, which currently still includes one (singular) Russian user, as there is no other way they can have derived any such (wrong) information.
Secondly, we do not have a 'legal counsel' specialized in 'U.S. sanctions rules', in fact we have no relationship with the USA at all, so we can not contact their compliance department whatsoever, as they also explicitly say that due to this misunderstanding, they can not answer any questions from us whatsoever.
We're glad we're using the self-hosted version of their product, as at least we can still export our data and eventually migrate to an actual open source solution like Zulip in case this isn't resolved, nor does there seem to be a kill switch on the self-hosted product (but given there is likely unexpected telemetry, we can't be sure this isn't the case either! the Enterprise Edition is actually a binary blob Golang binary).
As we're explicitly not allowed to contact Mattermost, Inc. without legal counsel experienced in U.S. sanctions rules, and we are effectively unable to communicate as an organization now as we are 'asked not to use our license key', I've ended up with the usual route for tech corporations being unwilling to cooperate: posting a plea for help (and a warning to other users of Mattermost Enterprise that they're not the transparent organization they claim to be) on a public forum like this.
We've had administrative error in our compliance automation. If you received an email from compliance@mattermost.com on June 23, 2022 titled "Our limitations due to new United States sanctions" please disregard it.
Ian