SaaS Escrow
Protect your business continuity:
Ensure continuous access to your application and data with our SaaS Escrow services.
What is SaaS Escrow?
SaaS Escrow is escrow for cloud hosted software. ESCROWSURE’s SaaS Escrow is implemented
on the basis of securing up time by providing for continuity of application, hosting, and takeover of
administrator functions in the event of an emergency.
Why do I need an escrow for cloud hosted software?
End user business continuity is threatened under the cloud hosted/SaaS model, in that applications and user data are typically hosted by a third-party hosting service provider, usually paid for by the software vendor.
If your vendor becomes financially constrained, they would likely default on payments to the hosting service provider resulting in the termination of the hosting service, cutting off end user access to both the application and vital data.
Our escrow arrangements for cloud hosted/SaaS applications are implemented on the basis of securing and maintaining uptime by providing continuity of the hosting service through adoption of administrator functions in the event of an emergency.
6 risks that threaten your business continuity
Software vendor stops
paying the hosting service
Loss of access to data
and application
The software vendor
ceases to exist
The software
vendor is liquidated
A breach of licence obligations
by software vendor
The software vendor bought
out by your competitor
Software vendor stops
paying the hosting service
Loss of access to data
and application
The software vendor
ceases to exist
The software
vendor is liquidated
A breach of licence obligations
by software vendor
The software vendor bought
out by your competitor
10 challenges to
your business
1. Lost market share
2. Enraged customers
3. Frustrated clients
4. Regulator fines
5. Lost reputation
6. Lost revenue
7. Lost profit
8. CIO at risk
9. Loss of data
10. Unplanned downtime
9 benefits of SaaS Escrow with ESCROWSURE
Protects access to the
hosting environment
Access to the environment must be
secured in order for the end user to be
able to log in to the service and
implement maintenance and/or updates.
Secures hosting
service uptime
Legal agreement with the hosting service
that the service remains up were the
software vendor to stop paying.
ESCROWSURE to guarantee payment
for a set period of time.
Addresses other
third party dependencies
Identifies and secures critical third party
suppliers in addition to the hosting
service provider.
Safeguards
investment
Ensures that you have access to source
code and technical documentation
in order to update and
maintain the software in the event that
the software vendor is no longer able to
satisfy its licence obligations.
Protects business
continuity
Reinforces business resilience while
underpinning operational continuity and
providing a time buffer for third party
software retirement and replacement.
Manages supplier
relationship
Prevents software vendor from
leveraging unreasonable licence fee
increases by ensuring access to the
latest version of source code and
technical documentation.
Avoids unplanned business
interruptions
Avoid a business black out due to
software vendor’s bankruptcy,
acquisition, or failure to support the
software product.
Satisfies governance
and compliance
Aligns with audit and compliance
requirements. Business critical software
outsourcing regulation, guidance and
best practice. Complies with King IV
good governance codes.
Mitigates supplier
dependency
Mitigates business interruption risk by
ensuring the frictionless deployment of
business continuity strategies with least
possible disruption.
How does SaaS Escrow with ESCROWSURE work?
The objective of a SaaS Escrow arrangement is to ensure that the application remains operational,
accessible and that it can be maintained if the software supplier is no longer able to provide its services.
Step 1
Getting you started
ESCROWSURE’s legal counsel will
facilitate negotiations between
the end user and software vendor
to agree the terms of the escrow
contract including release
conditions, deposit frequency and
aligning verification testing with
risk assessment. The hosting
service provider is also contracted
to engage with ESCROWSURE in
the event the software Vendor
stops paying for its service.
Step 2
Arranging your
deposit material
In compliance with our ISO/IEC
27001:2013 certification,
ESCROWSURE’s operations team
will receive the deposited material
(includes access credentials,
password policies, description of
the production environment and
source code).
ESCROWSURE also
offers a repository integration
service – supported Git platforms
include: AWS Codecommit, AZURE
DevOps, BitBucket, GitHub and
GitLab. Our Escrow Administration Portal
(EAP) provides access to deposit
information and integrates with
Git repositories.
Step 3
Verification testing
ESCROWSURE’s verification testing
department will execute the
required testing specified in the
agreement to confirm the deposit
will enable the end user to update
and maintain, redeploy or retire
the software where the vendor is
unable or unwilling to support.
Verification testing:
SaaS software
For an escrow deposit to be of any value, deposited material must be frequently updated and verified as part of a robust and consistent administrative process.
The focus of ESCROWSURE’s verification services is to ensure to the highest degree possible that the escrow material will be useful in the event of a release condition. To secure uptime in a cloud hosted environment.
ESCROWSURE provides verification testing for:
1. Hosting environment
1.1 Access check
Verification which focuses on verifying the access data as specified by SaaS provider. Components of this verification consist of but are not limited to:
- Checking accessibility of the hosting services environment through the basic information
- Check the accessibility of servers and databases used for user by means of the basic information.
1.2 Maintenance check
To be able to perform maintenance, end user will require administrator access to the environment, this access will have to be verified with regular frequency.
- Mostly used for the access check;
- description of the environment in which the hosting services are provided for the software user;
- Relevant access data of the environment in which the hosting services for software user are provided, including login/access data for servers and databases of software user;
- Used for the access check;
- Information and documentation related to relevant interfaces;
- If any (paid for) interfaces > are actions necessary should escrow release take place?
- Description of the development environment;
- Description of the password policy;
- Mostly to establish how often passwords might change and how often the escrow deposit needs to be updated;
- Information with regard to employees and subcontractors of software supplier involved in the implementation of the SaaS agreement;
- All available documentation with regard to functional,
application and technical maintenance.
2. Source code and technical documentation
Level I
Verification testing
- Deposit inspection
- Check for readability of material
- Check for the presence of source code
- Check for the presence of technical documentation
- Check for the presence of user
documentation - Check for the presence of development environment/ third party software
- Check for the presence of additional material as agreed upon in the escrow contract
Level II
Verification testing
- Software supplier has provided the escrow material (ie source code deposit)
- Escrow beneficiary provides copy of software operational at beneficiary’s site (ie operational material as implemented at beneficiary site)
- ESCROWSURE analyses the software components found in the operational material and checks for presence of corresponding source code for each component
- ESCROWSURE request missing source code items from Supplier If so required, supplier updates source code deposit; ESCROWSURE creates verification report
- ESCROWSURE initiates update procedure
Full
Verification testing
- Software supplier has provided the escrow material (ie the source code and technical documentation as included in the escrow deposit)
- Analyse development environment, ensure that development environment documentation is complete
- Compile source code into binary code, ensure that compile process
documentation is complete - Build binaries into executable software application, ensure that build process
documentation is complete - ESCROWSURE creates verification report
- ESCROWSURE initiates update procedure
Frequently Asked Questions
Is the agreement customizable? How much customization do you allow?
Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement tailoring the provisions to meet the needs of your specific requirements.
Is the agreement customizable? How much customization do you allow?
Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement tailoring the provisions to meet the needs of your specific requirements.
What if we have an unscheduled software update? Can you accommodate additional source code deposits?
Absolutely. We understand the dynamic nature of software and so we offer a flexible approach and can accommodate the changes required within your operational environment.
What events are usually defined as release events?
ESCROWSURE’s standard release conditions include:
- Software vendor ceases its business undertakings without formally assigning its maintenance obligations to a competent third party;
- Software vendor becomes insolvent, is declared bankrupt, is dissolved and/or is liquidated;
- The business of software vendor under the licence agreement is transferred entirely or partly to a third party that does not continue the maintenance obligations or offers to provide them only on terms that are considered by end user to be commercially unreasonable;
- Software vendor breaches its obligations to provide maintenance and support in such a way that it substantially jeopardises beneficiary’s ability to continue to use the product;
- Software vendor fails to perform one or more of its material obligations under the agreement and remains in breach for twenty (20) business days after written notification from ESCROWSURE to this effect.
These are standard release clauses however, our legal counsel can work with you to customize the release conditions requirements.
Why do we need escrow for SaaS applications?
With SaaS applications, software is not accessed on a server located on the end users premises, but instead, is hosted remotely in the cloud by a hosting services provider usually paid for by the software vendor. This introduces an additional layer of risk as it adds to the supply chain dependencies.
In addition, the data generated by the application is hosted in the cloud too. This means that if the software Vendor were to stop answering the phone, both application and data could be beyond the reach of the end user immediately.
Some end users believe that a migration to a cloud service eliminates the need for an escrow arrangement.
But this is not true.
If anything, the need for escrow is greater for SaaS applications, because of the additional layer of risk which puts both the software and the data at risk if the worst should happen.
Why do we need escrow for SaaS applications?
With SaaS applications, software is not accessed on a server located on the End Users premises, but instead, is hosted remotely in the cloud by a hosting services provider usually paid for by the software Vendor. This introduces an additional layer of risk as it adds to the supply chain dependencies.
In addition, the data generated by the application is hosted in the cloud too. This means that if the software Vendor were to stop answering the phone, both application and data could be beyond the reach of the End User immediately.
Some End Users believe that a migration to a cloud service eliminates the need for an escrow arrangement.
But this is not true.
If anything, the need for escrow is greater for SaaS applications, because of the additional layer of risk which puts both the software and the data at risk if the worst should happen.
What differentiates your service provisions from your competitors?
- ESCROWSURE is ISO 9001:2015; ISO/IEC 27001:2013; ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certified, not just compliant.
- The value of an escrow arrangement depends entirely on the integrity and completeness of the deposited material.
For this reason, technical verification of the escrow material is a basic requirement for a quality escrow arrangement. With ESCROWSURE, deposits are subjected to verification testing.
Some escrow service providers do not offer a testing service, and others, offer only a very expensive full compile and build verification service. While ESCROWSURE offers the compile and build service, it is unique in offering a productized Level II verification service, where prices are fixed, not determined by the size of the software product – a very effective and budget friendly approach. We believe this is why we have been selected as best of breed to supply escrow services to more than 13 Central Banks world wide.
What types of escrow arrangements do you offer?
ESCROWSURE offers a wide range of product solutions for our clients:
- SaaS Escrow
- Source Code Escrow
- Technology Escrow
- IP Escrow
- Developer Escrow
- Multi-party Escrow
- Transactional Escrow
Proudly providing bespoke escrow services
to our valued clients world-wide since 2004
Mitigate the risk of downtime and business interruption. Chat to us about SaaS Escrow today!
Simply fill in your details and one of our
escrow specialists will contact you to set
up your free consultation.