In software we trust: the case for software escrow

Published 10 diciembre 2019

Nowadays, it wouldn’t be an exaggeration to say there is barely any sector or industry left “untouched” by software. Add lots of data to the mix, and most businesses are heavily reliant on software and having access to data 24/7.

The importance of software escrow is often overlooked, however. When two or more parties negotiate a software licence or a software as a service offering, software escrow can be a way of mitigating risk (and especially important in the context of business critical/regulated services).

Software escrow at a glance

What is escrow again?

Escrow is a legal concept in which an asset is held by an independent third party on behalf of other parties that are in the process of completing a transaction, on terms which are negotiated and agreed.

Software - object code vs source code

Software is defined generically as the programs and other operating information used by a computer (in other words, the instructions that control what a computer does).

Typically the programmer writes code in a textual form (“source code”), and this code is translated (by a program called a compiler) into another form (“object code”) which can be executed directly by a computer and is made up of binary (0s and 1s). The object code is usually what is supplied to software customers who are licensed to use the software. The source code of the program will usually be required in order to fully understand the program, to correct errors or bugs in it, or to allow it to interface with other programs and often has a more fundamental value, being the “building blocks” of the software.

What is software escrow?

In the software context, a source code escrow is an arrangement between the licensor (either the owner or the distributor of the software) and a licensee of software in which the licensor deposits a copy of the software's source code (and related technical components and documentation) with an independent escrow agent. The respective rights and obligations of the agent, licensor, and licensee are set out in a multi-party escrow agreement which typically instructs the agent to release the source code to the licensee if and when a specified event occurs, such as the licensor becoming insolvent or defaulting on its core obligations under the principal licence agreement (other trigger events may be included).

Why enter into a software escrow agreement?

Software escrow provides protection to the customer should the software provider go out of business or discontinue support and/or maintenance for the licensed software. For the supplier/software developer, the software and source code are its “crown jewels” and accordingly, the source code is of great commercial importance and carefully guarded. So, there will always be some competing interests.

Contractual arrangements will of course depend on the specifics of the deal, including for example, whether or not the customer has the in-house skills or capability of maintaining or utilising the source code itself or whether it would need to use an alternative vendor, perhaps for hosting capabilities in the SaaS (software as a service) context. It may also depend on whether the agreement with the supplier envisages having a copy of all relevant data in near real-time (the latter helping to mitigate some of the risk).

An added complication for software escrow: “software as a service” (“SaaS”)

The traditional software licensing model is where the developer delivers software that its customers install and use locally. SaaS is, however, becoming increasingly popular for reasons that are beyond the scope of this piece (we will be exploring SaaS, separately, in our article series). However, with SaaS, the customer never receives the actual software, but instead goes online to access it and associated services via the cloud.

Therefore, to protect against the threat of downtime or other default, both the software provider and the user will typically need to bolster the traditional software escrow with a separate escrow account for storing executable code, and an automated data backup and recovery service so continued access to data is guaranteed. This way, access to SaaS applications and data is protected in the event of unforeseen circumstances.

Given the increasing importance for all businesses to be up and running 24/7, having software escrow at the back of your mind when entering into technology contracts (whether you are a supplier or a customer) is important.

To discuss anything covered in this update, or technology contracts more generally, please contact Tim Ryan or your usual DACB contact.