Source Code Escrow
Safeguard your business continuity by protecting business-critical software, insisting on a deposit of source code with a trusted third party – ESCROWSURE.
What is Source Code Escrow?
Source Code Escrow involves the deposit of the source code of a software application with ESCROWSURE for safekeeping. In the event of a release condition, ESCROWSURE will release the most recently deposited copy of source code and technical documentation to the end user for the protection of your business continuity. Source Code Escrow applies to software installed on-premise and software accessed in the cloud (SaaS).
Why do I need a Source Code Escrow?
4 typical risks that threaten your business continuity
- The software vendor ceases to exist
- The software vendor is liquidated
- A breach of license obligations by software vendor
- The software vendor bought out by your competitor
8 threats to your business
1. Lost market share
2. Enraged customers
3. Frustrated clients
4. Regulator fines
5. Lost reputation
6. Lost revenue
7. Lost profit
8. CIO at risk
6 benefits of protecting source code with ESCROWSURE
Safeguards investment
Ensures that you have access to source code and technical documentation in order to update and maintain the software in the event that the software vendor is no longer able to satisfy its licence obligations.
Protects business continuity
Reinforces business resilience while underpinning operational continuity and providing a time buffer for third party software retirement and replacement.
Manages supplier relationship
Prevents software vendor from leveraging unreasonable licence fee increases by ensuring access to the latest version of source code and technical documentation.
Avoids unplanned business interruptions
Avoid a business black out due to software vendor’s bankruptcy, acquisition, or failure to support the software product.
Satisfies governance and compliance
Aligns with audit and compliance requirements. Business critical software outsourcing regulation, guidance and best practice. Complies with King IV good governance codes.
Mitigates supplier dependency
Mitigates business interruption risk by ensuring the frictionless deployment of business continuity strategies with least possible disruption.
How does Source Code Escrow work?
Step 1: Getting you started
ESCROWSURE’s legal counsel will facilitate negotiations between the end user and software vendor to agree the terms of the escrow contract including release conditions, deposit frequency and aligning verification testing with risk assessment. The hosting service provider is also contracted to engage with ESCROWSURE in the event the software vendor stops paying for its service.
Step 2: Arranging the deposit
In compliance with our ISO/IEC 27001:2013 certification, ESCROWSURE’s operations team will receive the deposited material and vault it digitally and physically. Our Escrow Administration Portal (EAP) provides access to deposit information and integrates with Git repositories.
Step 3: Verification testing
ESCROWSURE’s verification testing department will execute the required testing specified in the agreement to confirm the deposit will enable the end user to update and maintain, redeploy or retire the software where the vendor is unable or unwilling to support.
Verification testing
For an escrow deposit to be of any value, source code and relevant Material must be frequently updated and verified as part of a robust and consistent administrative process.
The focus of ESCROWSURE’s verification services is to ensure to the highest degree possible that the escrow material will be useful in the event of a release condition.
To achieve this, ESCROWSURE offers three levels of verification testing:
Level I Verification testing
- Deposit inspection
- Check for readability of material
- Check for the presence of source code
- Check for the presence of technical documentation
- Check for the presence of user documentation
- Check for the presence of development environment/third party software
- Check for the presence of additional material as agreed upon in the escrow contract
Level II Verification testing
- Software supplier has provided the escrow material (i.e. source code deposit)
- Escrow beneficiary provides copy of software operational at beneficiary’s site (i.e. operational material as implemented at beneficiary site)
- ESCROWSURE analyses the software components found in the operational material and checks for presence of corresponding source code for each component
- ESCROWSURE requests missing source code items from supplier
- If so required, supplier updates source code deposit; ESCROWSURE creates verification report
- ESCROWSURE initiates update procedure
Full Verification testing
- Software supplier has provided the escrow material (i.e. the source code and technical documentation as included in the escrow deposit)
- Analyse development environment, ensure that development environment documentation is complete
- Compile source code into binary code, ensure that compile process documentation is complete
- Build binaries into executable software application, ensure that build process documentation is complete
- ESCROWSURE creates verification report
- ESCROWSURE initiates update procedure
Frequently Asked Questions
Is the agreement customizable? How much customization do you allow?
Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement tailoring the provisions to meet the needs of your specific requirements.
What if we have an unscheduled software update? Can you accommodate additional source code deposits?
Absolutely. We understand the dynamic nature of software and so we offer a flexible approach and can accommodate the changes required within your operational environment.
What events are usually defined as release events?
ESCROWSURE’s standard release conditions include:
- Software vendor ceases its business undertakings without formally assigning its maintenance obligations to a competent third party;
- Software vendor becomes insolvent, is declared bankrupt, is dissolved and/or is liquidated;
- The business of software vendor under the licence agreement is transferred entirely or partly to a third party that does not continue the maintenance obligations or offers to provide them only on terms that are considered by end user to be commercially unreasonable;
- Software vendor breaches its obligations to provide maintenance and support in such a way that it substantially jeopardises beneficiary’s ability to continue to use the product;
- Software vendor fails to perform one or more of its material obligations under the agreement and remains in breach for twenty (20) business days after written notification from ESCROWSURE to this effect.
These are standard release clauses; however, our legal counsel can work with you to customize the release conditions.
Why do we need escrow for SaaS applications?
With SaaS applications, software is not accessed on a server located on the end user's premises, but instead is hosted remotely in the cloud by a hosting services provider usually paid for by the software vendor. This introduces an additional layer of risk as it adds to the supply chain dependencies.
In addition, the data generated by the application is hosted in the cloud too. This means that if the software vendor were to stop answering the phone, both application and data could be beyond the reach of the end user immediately.
Some end users believe that a migration to a cloud service eliminates the need for an escrow arrangement.
But this is not true.
If anything, the need for escrow is greater for SaaS applications, because of the additional layer of risk which puts both the software and the data at risk if the worst should happen.
What differentiates your service provisions from your competitors?
- ESCROWSURE is ISO 9001:2015; ISO/IEC 27001:2013; ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certified, not just compliant.
- The value of an escrow arrangement depends entirely on the integrity and completeness of the deposited material. For this reason, technical verification of the escrow material is a basic requirement for a quality escrow arrangement. With ESCROWSURE, deposits are subjected to verification testing.
Some escrow service providers do not offer a testing service, and others offer only a very expensive full compile and build verification service. While ESCROWSURE offers the compile and build service, it is unique in offering a productized Level II verification service, where prices are fixed, not determined by the size of the software product – a very effective and budget-friendly approach. We believe this is why we have been selected as best of breed to supply escrow services to more than 13 central banks worldwide.
What types of escrow arrangements do you offer?
ESCROWSURE offers a wide range of product solutions for our clients:
- SaaS Escrow
- Source Code Escrow
- Technology Escrow
- IP Escrow
- Developer Escrow
- Multi-party Escrow
- Transactional Escrow
Proudly providing bespoke escrow services to our valued clients world-wide since 2004
“Their work has been a major factor for IT Risk success, as we hold a number of our business-critical applications in escrow with them.”
“We have been depositing our source code and technical documentation with ESCROWSURE for many years and have consistently been impressed with the level of service by the team.”
“The level of service that the team provides has provided our clients with assurance that their customized solutions are securely stored and professionally verified.”