
10 Things to Know About Software Escrow

Discover the 10 essential facts about software escrow agreements that every business owner needs to know, including escrow trends, costs, and how to choose the right provider for vendor risk protection.


Software escrow sounds simple: put code in a vault, release it when something goes wrong. But the reality is more nuanced.

Most businesses sign escrow agreements without understanding how they work. They assume all escrow is the same. They don't know what triggers a release or what happens during verification. Some don't even know if their escrowed materials would be usable.

If you're considering software escrow or reviewing existing agreements, these 10 facts will help you understand what you're really getting.

» Understand software escrow basics—what it is and why you need it 

1. Software escrow releases are happening more often

In the past, software escrow was insurance you hoped never to use. Most agreements sat for years without triggering release conditions. This led many businesses to view escrow as a formality.

That's changing. We're seeing more vendor acquisitions as larger companies buy up competitors. Economic pressures force tough decisions about product lines and support. These shifts mean escrow releases happen more often than they did five years ago.

The protection matters more now because vendor risks keep growing. Companies that thought escrow was unlikely insurance now see it as necessary planning.

2. SaaS escrow captures complete environments

SaaS escrow is different from traditional software escrow. Instead of just securing code, you're protecting deployment configurations, database schemas, API integrations, cloud infrastructure setups, and data.

Advanced SaaS escrow solutions can even capture running applications and recreate them in different environments. So when your SaaS vendor disappears, you get everything needed to keep your operations running.

When a SaaS vendor fails, source code alone won't restore your application. You need the complete environment that makes the software work in production.

3. Escrow agents can't access your code

All your escrow assets get encrypted before reaching the escrow agent. And only legitimate release events trigger key sharing for authorized parties.

The encryption uses AES-256 with keys split between multiple parties. Some arrangements even add multi-factor authentication and time-locked release mechanisms to prevent unauthorized access by anyone, including the escrow provider's own employees.

This setup also addresses the biggest obstacle to escrow adoption. Vendors worried about code theft can participate, knowing their intellectual property stays protected until specific conditions occur. Clients get assurance that materials are stored and accessible when needed.

4. You can split escrow costs between parties

Most escrow arrangements divide costs logically between agreement parties. Vendors typically handle storage and deposit fees since they control the materials being protected, while clients cover verification services and release processing since these services directly benefit their protection needs.

Annual software escrow costs can range from $50 to $50,000 depending on complexity, verification requirements, and update frequency. (For a single application at Codekeeper, prices start at $99 per month.)

Regardless of whether you split the costs, they're far lower than platform migration costs, which often exceed $100,000 for enterprise software, or regulatory penalties that can reach millions.

» Browse our escrow plans for transparent software escrow costs

5. Most deposits need fixes before they're usable

Agents like Codekeeper have a team of experts running software verification tests on deposited materials to confirm they function as expected. This includes dependency checking, build verification, documentation review, and functional testing. We even offer staging environment deployment to test complete application functionality under realistic conditions.

Without verification, you might discover during a crisis that materials contain critical gaps or outdated dependencies. Almost all the escrow deposits we verify aren't complete or usable when first tested. We've seen missing third-party libraries, outdated configuration files, incomplete database schemas, broken build scripts, and documentation that doesn't match the actual code.

When verification fails, we work with vendors to fix problems before you ever need the materials. This collaborative approach ensures that escrow protects you rather than creating false confidence.
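
As an added illustration (not Codekeeper's verification process or code from this article), a static completeness check for the kinds of gaps listed above: files that no longer match what was declared, third-party libraries that were never vendored, and a database schema that is missing. The `MANIFEST.json` layout, the `vendor/` directory and the sample deposit are all hypothetical and constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def verify_deposit(root: Path) -> list[str]:
    """Static completeness check; an empty list means no gaps were found."""
    findings = []
    manifest = json.loads((root / "MANIFEST.json").read_text())  # hypothetical format
    # 1. Every declared file must exist and match its recorded SHA-256.
    for rel, expected in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            findings.append(f"missing file: {rel}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            findings.append(f"hash mismatch: {rel}")
    # 2. Every pinned third-party library must be vendored in the deposit,
    #    so a rebuild does not depend on a registry that may be gone.
    for name, version in manifest["dependencies"].items():
        if not (root / "vendor" / f"{name}-{version}.tar.gz").is_file():
            findings.append(f"dependency not vendored: {name}=={version}")
    # 3. A build script and a database schema must be among the declared files.
    for role in ("build_script", "db_schema"):
        if manifest.get(role) not in manifest["files"]:
            findings.append(f"no {role} declared")
    return findings

def build_sample_deposit(root: Path) -> None:
    """Constructed sample deposit with three deliberate gaps."""
    files = {"src/app.py": b"print('hello')\n", "build.sh": b"#!/bin/sh\nmake\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "vendor").mkdir()
    (root / "vendor" / "libfoo-1.2.0.tar.gz").write_bytes(b"constructed archive")
    manifest = {
        "files": {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()},
        "dependencies": {"libfoo": "1.2.0", "libbar": "0.9.1"},  # libbar not vendored
        "build_script": "build.sh",
        "db_schema": "db/schema.sql",  # never deposited
    }
    (root / "MANIFEST.json").write_text(json.dumps(manifest))
    (root / "src/app.py").write_bytes(b"print('edited later')\n")  # stale hash

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_deposit(Path(tmp))
        print("\n".join(verify_deposit(Path(tmp))))
```

A check like this only shows the deposit is complete on paper; build verification and functional testing still have to run the build itself.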

6. Some escrow updates automatically

Traditional escrow relies on vendors manually depositing code updates every few months. This creates a problem: by the time you need escrow materials, they're often three to six months behind your production environment.

Advanced systems solve this by connecting directly to development repositories. When developers push new releases to GitHub, GitLab, or Bitbucket, the escrow system automatically captures and stores the updated materials. Some arrangements trigger on release tags, while others sync continuously with main branches every day or week.

This automation eliminates the lag time that makes traditional escrow less useful during crises. Instead of getting outdated code that won't integrate with your current infrastructure, you receive the exact version running in production when the vendor fails.

» See how you can easily deposit your source code and keep it in sync

7. International escrow creates legal complications

Operating across borders makes escrow much more complex than domestic arrangements. What is perfectly acceptable in the US might violate data sovereignty laws in Europe or Asia.

GDPR, for example, requires EU citizen data to stay within approved jurisdictions, while China's Cybersecurity Law restricts cross-border transfers for critical infrastructure. Russia also demands domestic storage for citizen data. Each country adds its own rules about encryption standards, access controls, and emergency procedures.

These conflicting regulations force companies to choose between compliance and practicality. You might need separate escrow arrangements for different regions or specialized "sovereign escrow" services that maintain data centers in multiple countries to meet local requirements while supporting global operations.

8. Release triggers extend far beyond bankruptcy

Most people think escrow only activates when vendors go bankrupt. Modern agreements are much smarter than that. They include release triggers for scenarios that happen more and more often: extended support failures, repeated security incidents, ownership changes, or failure to provide critical updates.

The best agreements use measurable criteria instead of vague language. Instead of "inadequate support," they specify vendor unresponsive for 30+ days, critical vulnerabilities unpatched for 60+ days, or support response times exceeding SLA by 200% for three consecutive months. Some include "sunset clauses" that automatically trigger when vendors announce product discontinuation.

This precision matters because vague terms create disputes when you need materials most. Clear metrics around response times, patch delivery, and communication requirements give you enforceable protection rather than arguments with lawyers during a crisis.

9. Vendor acquisitions create bigger risks than failures

Startups fail, but successful companies get bought. When your vendor gets acquired, you face a different kind of risk that's often worse than bankruptcy.

New owners bring their own priorities and technology strategies. They might see your vendor's product as competition to eliminate rather than an asset to grow. Oracle has acquired over 145 companies since 2005, discontinuing many products afterward. Salesforce bought Tableau for $15.7 billion, then forced users onto their platform with different licensing terms. Had Adobe's $20 billion Figma acquisition not been terminated, it could have eliminated a competitive design tool entirely.

The pattern repeats constantly: acquiring company buys competitor, integrates useful technology into their existing platform, discontinues the original product. Customers get 90-180 days to migrate regardless of how deeply they've integrated the software or how complex their setup is.

» Learn how to use software escrow for vendor risk management

10. You need to choose your escrow agent carefully

The team you choose to secure your code will directly influence how well your escrow protection works. Most agents simply store files, but the best ones ensure you can use what they're protecting when crises happen.

Look for agents with ISO compliance, 24/7 emergency processing capabilities, and technical staff who understand software development — like Codekeeper. We've successfully processed hundreds of emergency releases and understand what works under pressure.

We ensure your agreements go beyond file storage to include documentation, training materials, configuration guides, and temporary consulting support during transitions. When your vendor fails, you have the materials and the expertise to use them effectively.

» Follow these tips to choose the right software escrow agent to suit your needs

Get your protection right the first time

Software escrow has evolved far beyond simple code storage. Modern arrangements protect complete environments, update automatically, and include sophisticated triggers that address real business scenarios rather than just bankruptcy.

The key is understanding what you're getting. Most escrow deposits don't function without proper verification. International operations create legal complications that require specialized solutions. Vendor acquisitions pose greater risks than failures, and your agent choice determines whether you can use the protection when you need it.

» Want to work with agents who understand the technical and legal complexities of your software dependencies? Talk to Codekeeper about escrow solutions that help you build software resilience
