The Ultimate Guide to Software and Source Code Escrow

Written by Marko Petric | Published on June 19, 2020 | 0 Comments

If you’re a SaaS company and you’ve been in business for a few years now, you may have already come across a prospective business partner who was pretty insistent on the inclusion of a software or source code escrow agreement as part of the license terms. Eager to close the deal you’ve been negotiating laboriously for weeks or months, you now need to figure out how to give your client what they want while finding a way to save resources — whether it’s time or money.

If, on the other hand, you’re a company looking to gain a competitive advantage by using new technology and automating your business processes, you may be outsourcing the development of said technology (i.e., software application) to an emerging software company. And if that company is not quite established or profitable yet, you may now be considering minimizing the risk for your own company with a software escrow agreement.

Whichever camp you fall into, this article will cover everything you need to know about implementing a software or source code escrow agreement in your processes.

Before diving into the mechanics of a software escrow agreement, we will take a look at some of the ways in which software escrow and verification services can help protect your company. We will also consider some important factors to look out for when choosing the right software escrow agent; examine what deposit materials can and should be escrowed; talk about the verification process; and detail some actionable steps towards implementing a source code escrow agreement that works for you (and not the other way around).

What is a software or source code escrow agreement?

In simple terms, source code or software escrow is an agreement set up between a software developer or vendor (aka "Depositor" or "Licensor"), their client (aka "Beneficiary" or "Licensee"), and a trusted third party ("Escrow Agent"). In particular, software escrow puts a contractual obligation on the software vendor to store—with a trusted escrow agent—all source code, data, build instructions, third-party tools, and anything else that would enable the licensee to update or maintain the software.

It is most often used when a company wants to protect its software from unexpected events, such as their software developer discontinuing support for their software, running out of business, or breaching their contract. If any of these (or other) predetermined events occur (each, a "Release Condition"), the escrowed materials (i.e., source code, credentials, instructions, etc.) are then made available to the company so they can ensure their operations go on uninterrupted irrespective of the developer who provided the software.

 

Download Free Sample Escrow Agreement

Download Now

 

Who is who in a software escrow agreement?

We use the following terms interchangeably throughout this article:

The licensor is typically a software developer or vendor who deposits source code and other materials into escrow. Sometimes they’re also called the depositor. The client or the authorized end-user is typically called a beneficiary or licensee. A neutral third party, such as Codekeeper, typically serves as the escrow agent, providing secure storage of the source code and other materials, and making available (releasing) the contents of an escrow account to its beneficiary (or, beneficiaries) — only when a release condition is met.

What’s the difference between software vs. source code vs. SaaS escrow?

Software escrow. Source code escrow. Saas escrow. Technology escrow. Data escrow. Information escrow. Domain escrow. So many escrows!

If you’ve been researching what a software escrow agreement is—and since you’re reading this article, I will take a wild guess and assume you have—you’ve probably come across these and other terms. But what do all of them mean? 

“Software escrow” and “source code escrow” are terms that are used interchangeably, and they essentially mean the same thing. As described throughout this article, this is the most common type of escrow, designed to store not only source code, but also build instructions and any other important documentation that would allow a licensee to update and maintain a mission-critical software application. Though they are most commonly used for traditional on-site software licenses, software escrow can also be used for development agreements, software acquisition agreements, and any other transactions involving software.

However, as software shifts away from the traditional on-site licensing model, SaaS and other cloud escrows are becoming increasingly more important.

For all intents and purposes, SaaS escrow is quite similar to a regular software escrow; however, it is tailored to the unique needs of Software-as-a-Service (SaaS) applications, which often require a more robust solution to ensure a necessary level of protection. Much like software escrow, it contains code, virtual machines, data, and any other components necessary to ensure a SaaS product remains viable.

By establishing a SaaS escrow agreement, a company that subscribes to a SaaS application protects itself from a potential sudden loss of access to critical SaaS services—whether temporary or long-term—and secures direct access to a running copy of the software and their own customer data in case release conditions are met.

In addition to software and SaaS escrow, some escrow agents such as Codekeeper have the capacity to manage all sorts of different escrow arrangements.

Some other types of escrow arrangements that you may come across include:

  • technology escrow (typically holds items of physical technology, such as encryption keys, prototypes, product designs, chemical formulas, and any other variation of technology that can be stored physically, electronically, or in the cloud);
  • data escrow (applies to custodians of data such as service providers or internet domain registries, and it ensures that up-to-date copies of domain name ownership and contact details are held in escrow in the event of a registry’s business or technical failure);
  • domain escrow (holds the credentials of a domain and helps reduce risk when purchasing a domain or using a domain as collateral).

How does software escrow work?

Software escrow agreements vary depending on the agent’s scope of services, including verification services, but the core responsibilities of the parties are more or less consistent across the board.

The infographic below describes the responsibilities of all parties to a software escrow agreement.


body illustration codekeeper 2

 

Why is having access to source code so important?

In the case of typical off-the-shelf software, only object code (i.e., executable code) is licensed out to the end-user. In commercial licensing deals, however, the licensee may have a legitimate interest in object code and source code as an assurance that their mission-critical systems will remain functional. Accessing source code allows the licensee to see how the software is processing data or performing functions, and can even allow the licensee to change the operation of the software if necessary.

In that sense, source code is the DNA of a software application. It is code that is written in a programming language that is readable (and modifiable) by humans, and without it, developers can’t debug or upgrade software applications. In other words, they can’t ensure they will continue working as intended.

So if, for instance, a software vendor goes out of business, without modifiable source code, the software is as good as dead. Depending on how critical the software is to your business, the effects of losing access to the source code can be nothing short of devastating. Later in the article, we will examine some of the risks that software escrow helps mitigate, as well as the benefits that it offers to both licensors and licensees.

What are some examples of release conditions?

Parties to the agreement are free to negotiate any release terms that can be validated independently by the escrow agent. Most commonly, however, these terms revolve around the licensor's financial or operational standing. A release may be triggered if, for example, the licensor enters voluntary or involuntary bankruptcy, or if the licensor fails to operate in the ordinary course of business (OCB).

Once a release event occurs, the licensor is informed in writing by the escrow agent that a request for the release of escrowed materials has been received. And typically, they are given a notice period to contest whether the release condition in question has actually occurred. If the licensor fails to contest the release in a timely fashion, the escrow agent releases the deposit materials to the beneficiary and terminates the agreement.

Who pays for software escrow services?

The question of who should pay the escrow fees—the licensor or the licensee—has no right or wrong answer, and there is no established standard practice.

On the one hand, there are certainly instances when the beneficiary pays the escrow agent directly. However, for the most part, it’s actually the licensor who is responsible for payment of escrow fees. This is something that is often considered an expected cost of running a licensing business.

But even though the licensor may pay the fees, the licensee ultimately often reimburses the licensor. In fact, they may even pay a greater fee to the licensor at the outset to cover both escrow fees and the licensor's administrative expenses.

Tip: To read more about who should pay for source code escrow (and how much), check out this article.

Do I need a software escrow agreement?

Comprehensive software escrow services protect the interests of technology developers, as well as the businesses that purchase their products or subscribe to their services. In this section, we take a look at some of the benefits a well-executed software escrow agreement can bring to both developers or vendors (licensors) and corporate end-users (licensees).

What are some benefits of software escrow for developers

As a software developer or vendor (licensor), the first thing to consider when deciding whether you need to offer a software escrow agreement with your license is whether your clients require it. And in today’s age of digitalization, it’s more likely than not that they do.

Offering the services of a trustworthy escrow agent to your clients gives you leverage in agreement negotiations. It’s for this reason that software escrow is often referred to as “the great sales enabler”, as it creates a sense of partnership and trust while eliminating a very common hurdle to sealing deals with your clients.

If your development agency is pretty new, you can use software escrow services to establish credibility among your clients and prospects while positioning yourself on par with bigger, established competitors. But no matter whether you’re new to the market or a seasoned veteran, escrowing software sets you apart from your competitors. And in today’s saturated market, developers can use all the edge they can get.

Last but not least, software escrow can protect your intellectual property rights and help you avoid courts and litigation. Needless to say, having to worry about litigation is not only a major nuisance, but it also costs a lot of money — a lot more than a cost-efficient software escrow solution would cost you.

What are some benefits of software escrow for beneficiaries

When it comes to corporate end-users (licensees), different companies have different reasons for escrowing their most critical software applications.

The three most common reasons are that escrow protects them:

  • in case the software vendor goes out of business;
  • in case the vendor discontinues the maintenance and support of the software;
  • as part of a larger risk management process, which may include meeting legal requirements by demonstrating due care and due diligence.

If you’re unsure whether you even need a software escrow agreement, start by considering the risk. You only need to ask yourself a couple of questions:

  • If my software provider goes out of business, what happens to my company’s critical systems and processes that depend on their software?
  • If my software provider fails to provide support or updates for whatever reason, what would be the effect on my company, my employees, and my clients?

If losing access to up-to-date, mission-critical software would impact your revenue, productivity, customer service, or safety, you have your answer.

Tip: If you’re looking for more actionable tips on how to minimize business risk for your company, check out our article on enterprise risk management.

How do I choose the right software escrow?

Is traditional software escrow a good choice?

A more traditional source code escrow service was originally intended for a traditional software product, which is different from today’s software in many ways, but most significantly in that it is downloaded to hardware and updated on a periodic, scheduled basis — typically once or twice a year.

This frequency was enough back in the day because the actual source code only really changed one to two times per year. So if a beneficiary was eligible for an escrow release, they were likely to get the most recent source code.

Traditional escrow agents tend to employ the waterfall development model, which is a far “less iterative and flexible approach, as progress flows in largely one direction ("downwards" like a waterfall) through the phases of conception, initiation, analysis, design, construction, testing, deployment and maintenance.”

Besides being less iterative and flexible, as a more labor-intensive solution, this approach is also much slower and significantly more expensive. This is especially true when a traditional escrow provider takes on SaaS companies as clients, who innately have greater needs — especially in terms of ongoing updates. This means the escrow agent has to perform more services and dedicate more resources and workers to meeting their SaaS customers’ needs.

One way in which this manifests is with deposits. It’s not uncommon to see considerable additional charges for licensors whenever it’s necessary to deposit a new version of a software; or for end-users, whenever they need to access new features and functionalities.

In the same vein, the backup and storage of data are not likely to be addressed in a traditional source code escrow agreement. Having access to the most up-to-date source code, as well as all accompanying materials and data necessary for a successful recovery, is a prerequisite to a successful software escrow relationship. From the perspective of the end-user, this is an absolute must-have for any source code escrow agreement today. 

Needless to say, traditional software escrow solutions were not designed for the agile software development methods that we see in SaaS environments today, where software is updated on an ongoing basis. Should the software supplier or the customer ever need to rely on the source code being up-to-date, a traditional solution would typically not be the most effective way of escrowing software.

How's an automated software solution better?

A new, “agile” approach to software development is being employed across virtually all software companies that want to become and stay competitive, including SaaS companies. This approach is in, many ways, changing the world through innovation, and it has also dramatically impacted how software escrow services are delivered and maintained to ensure relevance and value. 

Outdated software escrow solutions have been evolving very slowly alongside developer workflows. And with source code now being updated frequently—weekly or even daily—most of them are no longer able to keep up with today’s pace of innovation. 

In contrast to traditional software escrow solutions, which virtually guarantee your source code and other deposit materials will be outdated should you need them, a modern software escrow service such as Codekeeper was built around the needs of the modern developer. We know that setting up source code escrow can seem daunting, especially when it's new to an organization; so our mission here at Codekeeper is to make this process as seamless as possible for your organization.

With the help of powerful automation technology, Codekeeper seamlessly integrates with developer workflows on SCM-platforms like Github, Bitbucket, Gitlab, and others, allowing it to sweep for updates to the source code and other documentation on a frequent basis. This continuous update of deposit materials not only removes the unnecessary burden of making manual deposits, but it also ensures that your materials are always up-to-date and of a high level of quality — while simultaneously helping you streamline your workflow and save time.

Companies such as Snapchat, Intuit, GE, Pepsico, Nestlé, P&G, and Daimler use Codekeeper to significantly cut their costs and optimize their software escrow processes. Thanks to our cutting-edge automation technology, our clients get a higher level of service and uninterrupted access to the entirety of deposit materials for a considerably lower price than with traditional escrow agents.

Codekeeper ensures that our clients have reliably up-to-date source code deposits, but it also includes official escrow agreements, release terms, beneficiary management, data escrow, verification, and an arsenal of other services. Such a modern solution is more likely to be a good fit for modern software companies.

Tip: Learn more about how Codekeeper’s superior technology and pricing can help you ensure your mission-critical systems remain unaffected through any circumstance.

What should be deposited in my software escrow?

Should you decide to escrow your software, the first next step you’ll need to take is to draw up a list of all the materials that need to be deposited. This is a way of making sure that you don’t forget anything you may need in the future. Without this list, you could find yourself missing a crucial element that enables you to make use of your escrow when you need it the most. This section will walk you through some of the important things to consider that will help you avoid making an incomplete deposit. 

Consider the following when determining what you want deposited in software escrow: 

  • A general description of the items that are being deposited (e.g., the size of the deposit; function of the software; integrations, utilities or third-party tools used to create the deposit; etc.)
  • Source code (common file types include .java, .c, .cpp, etc.)
  • Any applications necessary to compile and build executable code, objects, libraries... (e.g., the names of all required applications, version numbers, vendor names, and contact information)
  • Build instructions and design documentation (source code architecture, overall design of the source code, and interactions among modules)
  • Encryption information (e.g., required passwords, crypto keys, and software applications required to access the deposit)
  • Key developers’ contact information (emails, phone numbers, and any other relevant contact information)
  • Samples/examples of any data or databases required to run the software

Though the list above is not exhaustive, and considering that deposit materials vary on a case-to-case basis, it’s a good place to start when thinking about what items could help you minimize risk.

Once you’ve decided what items need to be deposited into escrow, you need to make sure they actually make it to your escrow agent. Having a clear idea of what items you want to be escrowed—and supplying this list to your escrow agent and software developer in advance—will facilitate the entire escrowing process.

This is an important “best practice” because it helps your escrow agent when it comes to quoting the most accurate fees for verification services and determining the deposit materials requirements. And communicating the list to the software developer in advance helps avoid problems down the road because they may not always be able to escrow everything for any number of reasons, including legal restrictions or contract limitations.

When it comes to software escrow agreements, another critical thing to include is verification services. This is a means of ensuring that, in case an escrow release is necessary, the beneficiary will be able to read, alter, and upgrade the escrow materials, including source code, independently from the vendor. The following section covers verification services in more detail.

Do I need to verify my software escrow deposit?

The short answer is: Yes, you do.

Escrow materials can sometimes contain files or data that are corrupted, incomplete, password-protected, difficult to use, or contain viruses. Verification is the only way of being certain that, in case of a release event, all the escrow materials will work as intended and that you will be able to effectively use them in a timely fashion.

Verification services are a critical part of a successful software escrow relationship because they are used to validate the completeness, accuracy, and usability of materials deposited into escrow. Verification helps ensure that the beneficiary (end-user) has everything they need to update or upgrade the software application, without assistance from the licensor (developer), before they actually need it.

Skipping this step could mean finding out too late that your escrow materials are useless, which would not only potentially negatively affect your customers or employees, depending on the nature of the software, but it would also be a waste of effort and money.

Verification services offered by a trusted software escrow agent, such as Codekeeper, give you a complete look into the content of the beneficiary’s escrow deposits and ensure that the beneficiary is equipped with everything they need to use their developer’s source code in-house or to transition to another vendor effortlessly. 

The level of verification that’s right for you depends on your budget, risk tolerance, and degree of customization of the software. At Codekeeper, we offer different levels of verification to ensure that all parties to the escrow agreement—especially the beneficiary—get the level of protection they need. 

In a future blog post, we will explore the subject of verification services in more detail, as well as cover the levels of verification that Codekeeper offers.

Conclusion

If you are contemplating a software licensing agreement and are seeking further assurances of the future accessibility of the licensed application, we advise you to consider a software escrow arrangement. This can be an effective means of ensuring business continuity in the event of a realized risk.

But software escrowing can be complex in nature and requires careful structuring of release conditions, payment responsibilities, and other services as necessary. Modern software escrow providers, such as Codekeeper, are stepping up to this challenge by providing technological solutions built around software developers’ workflows and their end-users’ needs. And this way, they’re providing more value and a higher standard of service for a lower price.

 

Over to you! Is there anything else you’d like to know about software and source code escrow? Let us know in the comments below and we will update this article in the future.


 

Scale up your source code and data security with Codekeeper! Automatically deposit materials, streamline your escrowing processes, and cut costs with Codekeeper.

 

START NOW

   
Back to blog