Software Escrow Fundamentals

The request for a software escrow was properly brought up last minute when negotiating your software license. The last thing anyone wants is to delay a critical software deal.

In this article, I will show you everything you need to know about software escrows including what a software escrow is, how it can help, the steps to determine if one is needed and if needed how to easily set one up.

A software escrow is a service that helps protect all parties involved in a software license by having a neutral 3rd party escrow agent hold source code, data, and documentation until a mutually-agreed-upon event occurs.

When negotiating a software license at one point a prudent licensee will ask, "What happens if the software vendor goes out of business?" What usually follows is a request to access the source code and any other critical materials used to maintain the software.

From the software vendor's perspective, giving the licensee access to the source code and other confidential materials is a risk to its business. How does the software vendor know the licensee will keep the source code safe and secret and will not prematurely use it? What if dozens of licensees demand the source code?

From the licensee's perspective, not having access to the source code and other materials needed to maintain and update the software is a risk to its business. How will the licensee continue to use and maintain software, it heavily depends on, if the software vendor goes out of business, fails to meet its obligations or any other number of unforeseen events?

This difference in perspectives and concerns is the reason software escrows exist.

Software escrows mitigate, for both parties, the risk inherent in software licenses, by storing source code and other critical materials with an independent neutral 3rd party escrow agent. This independent and neutral storage is the key in mitigating risk to all parties involved. The process is simple:

• 1) Execute an escrow agreement with a reputable software escrow agent

  When deciding which software escrow vendor to use the following factors are important: how long it has been in business, where does it keep your materials, what is its legal expertise, what is its technical expertise, and how easily can you manage the escrow.

• 2) Delivery of source code and other materials to the escrow agent

  Source code, documentation and any other important materials should be easily deliverable to the software escrow agent. The escrow agent should offer submission methods such as escrow synchronization, automated submission scripts via sftp, manual online submission and manual offline submission.

• 3) Source code is securely held awaiting release conditions to occur

  "Release conditions" define if and when the software escrow agent should release the escrow materials to the licensee. This ensures that the escrow materials are only released to the licensee after the occurrence of an in mutually-agreed-upon event.

• 4) The escrow is updated as the software product evolves

  As new versions of the software are developed corresponding updates to the escrow should occur. Modern escrow agents can automate this process which helps keep the escrow always up to date.

• 5) A release condition occurs and the escrow materials are released

  If a software license terminates without a release condition occurring then the materials can either be returned to the software vendor or destroyed depending on the software vendor's wishes.

• Smoother negotiations
• Establishes confidence by addressing the concerns of the prospective licensees (those concerns may be unspoken)
• Safe storage of source code and other materials with one company instead of scattered across multiple customers

• The ability and legal right to maintain, update and enhance mission critical software
• Reduced chance of significant interruption of, or damage to, its business
• Eliminate concerns regarding the software vendor's capabilities
• Business continuity

---

Just some of the companies that use EscrowTech's Services

The first step in effecting a good escrow is to ask if an escrow is needed. Neither the software vendor or licensee should waste time, effort, and money on an escrow if it is not needed.

For example, an escrow is probably needed if the licensee worries that:

• The software vendor is not financially stable
• The software vendor could go out of business
• The software vendor might, willingly or not, discontinue maintenance and support of the software
• The software vendor might, willingly or not, not breach its maintenance or support obligations

In making this assessment, the size and fame of the software vendor should not be the only considerations. Bankruptcies are not limited to small, unknown companies and individuals. Large companies also use the bankruptcy laws to reject contracts. Furthermore, any vendor might decide to drop support and maintenance of software products.

The licensee should envision itself in the position of suddenly being without maintenance or support of the software when any of the following occurs:

• The software crashes, produces erroneous results or experiences incompatibilities with other software
• The software needs to be updated due to changing business needs

In any of these situations, would it be beneficial to have source code and other materials such as build instructions, deployment documentation, virtual machines and a list of developers who built the software?

If so, an escrow might be right for your situation.

---

What EscrowTech customers have to say

Reviews genuinely collected and verified by TrustPilot

---

Selecting the correct software escrow agent is the first crucial step you must take to ensure both the licensee and software vendor are adequately protected. A software escrow agent should have safe and secure vaults, legal expertise and technical expertise.

The length of time a software escrow company has been in business is often a great indicator that it is a reputable company. Most software escrow providers list this information on their website; however, you can independently verify this by doing a business name search for the state their headquarters is located in. For example, here is EscrowTech's registration.

Security is of the utmost importance when sensitive and valuable materials are involved. A software escrow company should store the escrow materials in top of the line, long-term "offline" vaults or in "online" vaults that are regularly checked via penetration testing and other security best practices.

At EscrowTech, we offer both "offline" and "online" vault solutions depending on the customer's unique needs.

When escrow materials are submitted to an escrow company different levels of technical verification can occur. When choosing an escrow company, its technical expertise is a key factor in determining how well, if at all, it will be able to perform these services.

EscrowTech employs its own developers which allows it to adapt to its customers' needs and unique situations.

It is a common mistake to view a software escrow as merely an arrangement for the physical storage and transfer of escrow materials to a licensee in the event of a release condition.

Although storage is a critical purpose of the escrow, there is a second purpose that is just as important to the licensee. A proper escrow will provide the legal structure necessary to ensure a release of the material and use the escrow materials after they are released to the licensee.

Furthermore, every software project is different, which often requires custom agreements. Make sure your escrow provider has the expertise to work with your attorney to properly structure a software escrow agreement to fit any unique need that may arise.

EscrowTech's in-house counsel has many years of experience in software licensing and information technology law. EscrowTech provides the forms, but is willing to work with you and your attorneys to structure the final agreement as needed.

Managing a software escrow doesn't have to be a difficult or a time consuming process. When vetting a software escrow company, ask how you can submit materials, update account information, view account documents and pay bills online.

Modern software escrow companies will have a fully developed online account management application that is accessed through a login on their website. These solutions help software vendors easily fulfill their obligations and avoid out-of-date escrow materials.

EscrowTech's online application "RealTime Escrow" allows you to easily manage your escrow from the convenience of your browser.

While researching what a software escrow is, you have probably come across companies calling escrows several types of names. This list here will hopefully clear up some of the confusion.

This is the most common type of escrow and is designed to store mission critical application's source code, configuration, virtual machines, build instructions and any other critical documentation.

These escrows can be used not only in connection with traditional on premises software licenses, but also development agreements, software acquisition agreements, and other transactions involving software.

While software escrows normally store on-site applications they can also store SaaS based applications assuming the extra protection and features a true SaaS escrow offers are not needed.

Technology escrows are designed to provide the same level of protection as software escrows; however, they contain a wider range of materials and apply to a wider range of licenses and technology deals.

Technology escrows can hold any piece of technology including, but not limited to, encryption keys, product designs, documents, prototypes, samples, chemical formulas and any other embodiment of technology that can be stored physically, electronically or in the cloud.

This flexibility allows savvy customers to use escrows to address a wide range of needs.

At EscrowTech, we treat a technology escrow similar to a software escrow.

SaaS applications are a different breed of software and can often require a more robust solution to obtain the desired protection. This is due to the fact that SaaS subscribers do not have direct access to a running copy of the software and more importantly their own data.

If the SaaS vendor goes out of business, the SaaS subscriber is immediately in a crisis situation. Even if the SaaS vendor remains in business, all it takes is the flip of a metaphorical switch and the SaaS subscriber is without use of the software and without access to its data.

To protect against this, a SaaS escrow can be set up to store not only the source code, but executable code, production virtual machines, data and any other key components of the SaaS solution. These items should be updated on a frequent basis - especially data.

These items must be sufficient to enable the subscriber to get the SaaS solution up and running again. The materials can be stored in a cold, warm or hot state of readiness. They may be on storage media or may be on a configured server ready or near ready to go live. The state of readiness will determine how quickly the SaaS solution can be restored for the customer. The customer needs to offset the higher cost of a hot environment against the need for a speedy restoration.

As more software shifts away from the traditional on-premises licensing model, SaaS and other Cloud escrows will become increasingly important.

Domain Name Escrows are a service that help reduce risk when purchasing a domain or using a domain as collateral. This is accomplished by an escrow agent holding the domain's credentials until a release condition occurs.

These types of release conditions can include a successful payment, end of a loan or any other condition that both parties agree to.

When determining what should be included in the escrow the developer should ask themselves the following question. If I was given a foreign software product what would I need to maintain or support it?

The cornerstone of a software escrow is the source code and its' 3rd party dependencies. After escrowing a large number of software projects we found that the following should be included:

• Internal repositories - This may seem obvious however every now and then during a technical verification we will find that most, but not all, of the internal repositories were escrowed. Performing a technical verification can verify that all of the needed repositories are present.
• 3rd party dependencies - The majority of software is built using frameworks, libraries or other 3rd party dependencies which may be difficult to find years later when the source code is released from escrow. To make it easier for the licensee to use the software, the software vendor should escrow not only the 3rd party dependency, but license keys as well.

There are few things crueler you can do to your development team than give them a poorly documented software product. While a poorly documented software product doesn't render an escrow worthless, properly documented software greatly helps the licensee in the event of a release.

• Build instructions - This type of documentation should include the steps taken when building the source code into an executable. Those steps should be written with the idea in mind that although the reader should be experienced in the relevant programming language and development environment, he or she has no tribal knowledge and has never worked on this software in the past. In the event your software is built using an interpreted language this type of documentation can be omitted; however, other documentation should be included.
• Configuration instructions - This type of documentation should include clear configuration steps of the server running the application and any configurations the software itself needs. For example, server configuration files, usernames, passwords, application startup options, database configurations and anything else useful.
• Any other critical documentation - The whole idea behind documentation is to make the next person's life easier if and when they need to set up the software. If there is a piece of documentation that is critical to the software include it in the escrow.

If the software vendor is holding the licensee's customer data, this should also be included in the escrow materials.

The power of virtualization makes escrowing entire production or build environments possible. This greatly reduces the amount of time a licensee might have to spend when a release occurs.

One often overlooked escrow item is a list of developers and their contact information. Escrows are often released due to the software vendor going bankrupt which normally means their developers are also out of work. This is a great opportunity for a licensee to hire developers familiar with the software they are now intend to maintain.

Escrows can be updated either on-line via the Internet or off-line through the mail or a courier service or personal delivery.

A modern software escrow company should have a fully developed online application which supports secure online submissions of escrow materials. This process typically entails using a username and password to access a secured section of the escrow company's website. Once logged in, a simple process will allow you to submit and upload files to your escrow securely through an encrypted connection.

Additionally, modern software escrow companies will offer escrow synchronization or automated scripts which fully automate the submission process.

After submission, depending on the escrow company, the materials will be removed from the server, a standard inspection will be conducted and upon passing that inspection the materials will be copied onto DVDs or other storage media and then moved to long-term storage vaults.

After the materials are safely stored, your escrow provider should send notifications to all parties involved that the escrow was successfully updated.

At EscrowTech we offer RealTime Escrow as our online escrow management solution which includes a simple to use update process that can be completed in as little as five minutes.

Escrow materials can be submitted to the escrow agent off-line by mailing, using a courier service, or hand delivering the materials. This is an older process that the majority of customers do not use today; however, escrow agents should offer this option as every situation is unique.

Depending on the type of escrow and the escrow agent, materials can be stored in either online or offline vaults.

Offline escrow vaults are physical locations with high levels of security and features such as:

• 24 hour armed security
• 24 hour electronic surveillance
• Natural disaster resistant properties
• Environment controls for ideal long-term storage
• Remote location

This type of vault provides the highest assurance that critical and sensitive materials such as source code is kept safe and available in the event of a release.

Materials can still be delivered electronically to the escrow agent however long-term storage happens offline.

Read more about EscrowTech's offline escrow vaults.

Online escrows vaults use servers to store escrow materials for long periods of time. These servers are normally located in the cloud or are hosted internally by the escrow company.

Keeping materials online generates a different array of risks; however, most of these risks can be mitigated by proper use of best security practices such as:

• Using the latest encryption technologies
• Regularly scheduled penetration testing
• Audits of access logs

Managing an escrow doesn't have to be an expensive or time consuming process. With EscrowTech's RealTime escrow service you can easily manage your escrow with the following benefits:

• Submit escrow materials online - RealTime escrow contains a secure online deposit system that allows the software vendor to submit materials online. It's secure and much easier than dealing with other file transfer protocols. The software vendor simply fills out the electronic deposit form online and then drag or drop their files into the upload tool. The deposit is sent directly to EscrowTech's encrypted FTP server via a Secure Socket Layer using HTTPS.
• View status reports for one or multiple accounts online - As a user of RealTime Escrow, you may register to view one or multiple accounts under one simple username. Every customer under an escrow account has their own unique Status Report. This Status Report provides an account summary including general contact information, balance due, a deposit history log and a list of licensees registered to the escrow account.
• Automatic semi annual status reports - Every six months a detailed Status Report is sent out to all parties on the account outlining in detail the health of the escrow. This helps ensure that escrows will provide the desired protection.
• View deposit confirmations online - EscrowTech generates a Deposit Confirmation for every deposit received. Clients can view Deposit Confirmations online for every deposit submitted. This Deposit Confirmation includes a detailed description of the Deposit Materials submitted by the software vendor, including a signed Deposit Inventory Form from the software vendor. This form helps the owner and beneficiary internally audit what products and version of products have been submitted to EscrowTech.
• Set up new agreements online - All of EscrowTech's agreements and forms are posted online. You may set up a new account by simply downloading the correct form, collecting the signatures and submitting it to EscrowTech.
• Register new licensees online - Licensee forms are available online for download. You may register a new licensee by downloading the form, collecting the signatures and submitting it to EscrowTech.
• View signed account documents - All important signed account documents are stored online. At anytime, you may access your signed agreement, licensee form, deposit confirmations, technical verification reports or amendments.
• Submit updated contact information - Clients can submit any changes to contact information online. This ensures clients will receive important notices such as Deposit Confirmations and Status Reports
• View and pay outstanding balances - Each account's Status Report indicates the current balance of the account. Clients may pay online via EscrowTech's payment portal.

The Single Beneficiary "SB" agreement is a three party agreement between a software vendor (owner), a single beneficiary (licensee) and EscrowTech. This type of agreement is used when:

• There is one software vendor
• There is one licensee

• Deposit Materials - The actual source code, documents and any other important material.
• Release Conditions - What must occur for the deposit materials to be released. See helpful contract language.

The Multiple Beneficiary - Separated Products "MB-SP" agreement is a multiple party agreement between a software vendor (owner), EscrowTech and any additional number of beneficiaries (licensees) for multiple software products. This type of agreement is used when:

• There is one software vendor
• There will be one or more beneficiaries
• The escrow materials contain different software projects
• Not all beneficiaries should have access to all software projects

• Beneficiary Registration Form - This form is used to add a beneficiary to the escrow account. In addition, if needed, this form allows each beneficiary to have unique release conditions different from other beneficiaries.
• Deposit Materials - The actual source code, documents and any other important material.
• Release Conditions - What must occur for the deposit materials to be released. See helpful contract language.

The Multiple Beneficiary - Separated Products "MB-SP" agreement is a multiple party agreement between a software vendor (owner), EscrowTech and any additional number of beneficiaries (licensees) that have their own customized deposit materials. This type of agreement is used when:

• There is one software vendor
• There will be one or more beneficiaries (licensees)
• The deposit materials for each beneficiary are customized and should be stored separately

• Beneficiary Registration Form - This form is used to add a beneficiary to the escrow account. In addition, if needed, this form allows a beneficiary to have unique release conditions different from other beneficiaries.
• Deposit Materials - The actual source code, documents and any other important material.
• Release Conditions - What must occur for the deposit materials to be released. See helpful contract language.

Every software project is different which often presents unique and challenging situations.

At EscrowTech we understand these situations and have, for over 24 years, been customizing our agreements to meet those challenges.

EscrowTech's General Counsel can work with you and your attorney to customize an agreement that fits your situation.

Below is a list of common contract language that may be helpful.

Software Escrow. Licensor and Licensee will enter into a Software Escrow Agreement with EscrowTech International, Inc. to establish an escrow of the Deposit Materials. The Deposit Materials will include the source code of the Licensed Software, compilation and build instructions, and ________________. [The Release Conditions and procedure will be specified in the Software Escrow Agreement.] [Any one of the following Release Conditions will entitle Licensee to a release of the Deposit Materials in accordance with the procedure and terms of the Software Escrow Agreement:

In drafting an escrow agreement, the release conditions (sometimes called trigger events) are just as important as the escrow materials. The occurrence of a release condition entitles the licensee to receive the escrow materials. There may be one or more release conditions.

Here are just a few simple examples of release conditions used in escrow agreements:

• Licensor discontinues business because of insolvency or bankruptcy, and no successor assumes licensor's software maintenance obligations under the license agreement.
• Licensor (or its successor) defaults in its obligation to provide maintenance services as required by the license agreement and fails to cure such default within two weeks after receiving written notice of the default from beneficiary. The notice must describe the default and the action that beneficiary believes is necessary to cure the default. If more than two weeks is reasonably required to complete the cure, licensor (or its successor) shall have such additional time (not to exceed two months) as is reasonably needed, provided that licensor (or its successor) is diligent in completing the cure.
• Licensor ceases to maintain the software for beneficiary while under a maintenance obligation to beneficiary, and no successor to licensor continues to maintain the software for beneficiary.
• Licensor discontinues its business relating to the software and no successor to such business assumes and carries out licensor's contractual obligations to maintain the software for beneficiary.
• Licensor becomes insolvent or admits either insolvency or a general inability to pay its debts as they become due.
• Licensor files a petition for protection under the US Bankruptcy Code or an involuntary petition in bankruptcy is filed against licensor and is not dismissed within 60 days thereafter.
• Licensor refuses or fails to renew its maintenance and support obligations under the license agreement after beneficiary has requested such renewal in a writing delivered to licensor.
• Licensor becomes the subject of a Chapter 7 bankruptcy proceeding under the US Bankruptcy Code, and such proceeding is not dismissed within 90 days after its initiation.
• Licensor is acquired by or merges with a competitor of beneficiary.