What is a Software Source Code Escrow Agreement?
A software source code escrow agreement is a contract between a software developer, a licensee of the software or an expert third-party escrow agent. Its purpose is to provide a secure means to store, maintain, and manage digital copies of the software source code, binaries, and any related documentation in an independent, neutral repository.
Software source code is a human-readable set of long, complex instructions or statements with a prescribed structure that one or several persons must execute in order to give life to the program . Decompiling software usually results in the production of the original object code, which is a set of numerical instructions, but it will not generate the original source code, which is used by the developers to maintain the software for re-issue and is usually protected by copyright laws.
Software source code escrow agreements are mainstays of software development agreements today. Entering into such an agreement is an integral part of software transactions to protect all parties from any eventuality that may put the success of the software project in jeopardy.
Components of an Escrow Agreement
A source code escrow agreement will generally set out the following materials and components: types of materials being deposited into escrow; obligations of the software/baseline provider (licensor) to deposit and maintain the escrow materials; obligations of the software licensee (licensee/escrow beneficiary); obligations of the escrow agent; obligations of both parties upon receipt of a software source code escrow request upon a valid release condition; obligations of both parties upon activation of the software maintenance functionality; obligations of both parties upon an escrow update or periodic version update; rights of both parties to audit (with or without notice); and with respect to the escrow materials, have their confidentiality obligations cease so long as the licensee does not have any obligation to pay any maintenance fees to the escrow agent or licensor.
Regarding the types of materials, a source code escrow agreement will typically have Schedules setting out the "Escrow Material" delivered by the licensor and the "Delivery Details" or elements provided by the licensee, along with the licenses and one or more escrow usage agreements. The principal types of materials involved in a software source code escrow agreement include reference in Schedule 1. The following materials may also be included:
The licensed escrow materials will clearly be subject to the copyright and other proprietary right of the licensor. The materials will be kept secure and confidential by the escrow agent, and will be released to the licensee only upon proper and legitimate power of attorney, and certification that the software/baseline provider is no longer in business and has ceased its business operations for its licensed materials. Notwithstanding, the contractor will be able to audit the source code and remain entitled to receive on a regular basis updates to the source code thereafter.
Advantages of Source Code Escrow Agreements
Software source code escrow agreements can be particularly beneficial to both the software developer and its customer. A source code escrow agreement provides an extra level of security for the customer if the software developer fails to meet its commitments to maintain the software or goes out of business. More importantly, the customer is ensured that it will have access to needed source code for long-term maintenance even if the software vendor goes out of business. Source code escrow agreements create and preserve the economic value of a software asset for the parties. They help protect investments in software development by ensuring that the Intellectual Property assets in the source code can actually be utilized long after the initial purchase as envisioned by the parties.
The customer typically pays substantial maintenance fees for updates and patches to the software. These regular maintenance fees are typically required for as long as a customer continues to use the product. To mitigate the risk of losing access to critical source code with each maintenance update, the software vendor and the customer agree to deposit the source code with a neutral third-party escrow agent for safe keeping. If parties have integrated third-party software into their product, including open source software components and proprietary third party software components, then they deposit those third parties’ source code into the escrow.
The source code is held by the independent third-party escrow agent. Failure of the software vendor to deliver updates trigger the release of the source code as set forth in the escrow agreement. The failure of the vendor to continue to do business in accordance with the agreement will also trigger the release of the source code after notice and grace period. Release of source code is usually subject to the customer’s acknowledging the software vendor’s ownership of the source code.
How to Put an Effective Escrow Agreement in Place
Implementation of an Effective Escrow Agreement
Implementing a software source code escrow agreement requires the parties to take certain steps:
- Engage a qualified, experienced escrow agent.
- Enter into a written agreement providing for all the necessary details for the escrow agreement.
- Consider whether the agreement should provide for an initial, third-party audit of the software source code in order to ensure that the appropriate executable files and files are included in the escrow deposit, and how the escrow agent will verify the accuracy and completeness of the deposit(s) thereafter.
- Consider whether the agreement should provide for periodic updates to the deposit, and the manner in which those updates are to be made.
- Consider whether materials other than source code or object code need to be deposited into escrow. These may include the build process for compiling or linking the source code to create the object code; the commands used to execute the source code once compiled; system requirements or other instructions for generating any executables from the source code; and/or documentation, training manuals, or product information that may be necessary by the licensee to fully utilize the software.
- Consider whether the license agreement or other agreement under which the software is licensed, sold or distributed should also include the same or similar escrow obligations as those in the software source code escrow agreement to which the source code deposit is subject.
- Draft the agreement to achieve the parties’ objectives as to how the escrow code is to work from a functional perspective, the release conditions for the licensee’s rights to its use, and the obligations of the parties and the escrow agent.
- Draft the agreement to avoid any unnecessary complexities, and to avoid obligations on the part of the escrow agent that cannot or will not be performed. For example, provisions for archiving old code are entirely appropriate, and are frequently provided, but such requirements can only be implemented if the escrow agent can be expected to comply with them.
Common Issues and Areas of Concern
The scope of the products or technologies that are available for licensing is increasing rapidly as a result of e-commerce and global development. At issue here is whether source code is an appropriate subject matter of an escrow arrangement.
Technology has changed dramatically from the time that software programs were commonly saved on floppy disks. In addition to changing the location and format of electronic data, technology has also drastically altered the manner in which software source code is maintained, accessed, distributed, and protected.
Because of the historical use and ease of implementation of software source code escrow arrangements, many licensees continue to request software source code escrow arrangements when licensing software products. However, due to changing user requirements and the technological realities associated with software source code, it is becoming less realistic to expect software source code to be maintained and more difficult for a licensee to justify why a source code escrow arrangement is necessary.
A potential source code escrow solution is a "Read Only" CD. A "Read Only" CD allows for licensed technology to be protected and delivered to licensees along with the associated documentation on a CD. The CD is "Read Only" by the licensor therefore no alterations or improvements can be made to the program maintaining the technology in its original condition. Once the "Read Only" CD is sealed, the lock code and documentation are put into escrow by the licensor. Once the licensed product is installed, the "Read Only" CD is read into the licensee’s computer system making the technology available for immediate use.
Another potential solution is the "Web-Based Repository". The "Web-Based Repository" is an Internet based application that provides online access to licensed source code. The "Web-Based Repository" allows for online delivery of the licensed technology and all source code through a licensed web server. Unlike a traditional source code escrow arrangement, the licensee can view and test the code at their own convenience. Additionally, the source code is backed up automatically and is constantly protected from unauthorized access and/or damage.
Another potential solution is the "On-Demand Repository". An "On-Demand Repository" is a threat response to online vulnerabilities that deliver the protection of an on-premise backup that is stored offsite. The "On-Demand Repository" is a secure, subscription based solution allowing the subscriber to retrieve licensed technology instantly upon request. Subscribers create an account with a chosen user ID and password and are provided with secure remote access to a dedicated global server. Each day a software vendor backs up one or more of the solutions and sends it to an off-site data center to be stored. The "On-Demand Repository" provides the licensed technology vendor with the ability to instantly recover day to day operations while providing the subscriber with the ability to test the data backup and application recovery procedures on a scheduled basis without having to contact the software vendor.
The following protocols may be included in any software escrow agreement , such as; a proprietary service level agreement, an enterprise application service level agreement, a software escrow agreement and/or a referral for internal technical support.
Data Security Regulations require security to be implemented to a degree that is reasonable and appropriate for the type of data. The more sensitive the data the tighter the security requirements. Furthermore, data security regulations often require access restrictions (based upon the sensitivity of the data) that will aid in limiting access to only those users who have a reason to access the data. In this regard, using either the "Web-Based Repository" or the "On-Demand Repository" makes access restrictions and auditing of users easier to enforce than in a traditional software source escrow arrangement.
With almost every contract that is signed, disputes arise between the parties. The following language may be used in a software source code escrow arrangement to guard against the risks associated with an unresolved dispute. Otherwise known as a dispute resolution clause, the following example will serve as a guideline only and should not be considered as legal advice. You should seek professional counsel who specializes in conflict resolution and has the relevant experience in dealing with software technology to assist you in negotiating a resolution of a dispute with a party to a software source code escrow arrangement.
Buyer and Seller agree to make good faith efforts to settle disputes arising under this Agreement. If a dispute remains unresolved, either party may refer the dispute to mediation to Partin Dispute Resolution Group; 69 N. Cortez St. Suite A; Prescott, Arizona 86301; 928-445-5700. In addition, the parties may contact Mediation Certification and Contracting; P.O. Box 826; Sun City Center, Florida 33573; or [email protected]; 1-800-364-9426 to obtain a list of qualified mediators to assist in the dispute resolution process. Mediators are experienced professionals including attorneys, counselors, project management professionals, human resource officers, and therapists with Master’s degrees or higher. During mediation conducted under this provision, Buyer and Seller agree to participate in good faith. In the event the parties are unable to mediate the dispute as between them, and if applicable, then the dispute shall be referred to neutral party and escalated up the chain of command until (1) such person resolves the matter, (2) mediation is successful, or (3) Buyers mediation efforts are not conducted in good faith. In the event of a failure to reach resolution through the escalation process, then the dispute may be adjudicated, and (if judgment must be entered thereon) in any Federal or State court sitting in the State of ________________ having subject matter jurisdiction, and purchaser hereby submitts itself to the jurisdiction of such court.
Legal Ramifications of an Escrow Agreement
Intellectual Property Rights: The Agreement should expressly identify who owns all rights associated with the source code and object code. In many respects, the deposit of the programming language should have no effect on the ownership of the material. Typically, the developer continues to own the rights to the program. This is especially true if the escrow agreement allows the developer to deposit periodic updates and ensure that the licensee is receiving a current version of the program. Still, when drafting an escrow agreement, it may be necessary to incorporate specific provisions granting certain rights to the program’s licensees.
Confidentiality Provisions: There are generally two types of confidential information involved in an escrow agreement: (a) The source code being deposited in the escrow account by the developer and (b) the site licensing information that is contained within the source code. Most escrow agreements require the beneficiary(ies) to sign a non-disclosure agreement to protect the confidential components of the site licensee’s records. Similarly, the escrow agreement should also have some provision that electronic and physical access to the source code deposited is restricted to only those persons authorized by the depositary and must be returned in the event that the licensee withdraws or suspends the agreement.
Big Picture Issues: Escrow agreements are governed by the Uniform Commercial Code. Issues may arise from the state to state application of the law. This is particularly important if the escrow agreement includes an arbitration clause or forum selection clause. If this is true, the parties will want to make sure they are familiar with both the law of the jurisdiction and how the law has been applied by the courts of that jurisdiction.
Future Developments in Source Code Escrow
Future Trends in Software Source Code Escrow
As software development continues to evolve through the adoption of new technologies, the practice of software source code escrow is likewise becoming more sophisticated. A trend that is already gaining traction this year is the use of automation in the escrow deposit and releasing process. New technologies are being introduced to make software releases easier, quicker and more secure. Technology is also being implemented to accelerate the deposit process for deposits through a dedicated client portal or cloud platform. The use of portals and platforms streamlines the process so that deposits are not hand-carried to the escrow agent. Depositors can deposit large amounts of data by simply dragging and dropping multiple files with multiple versions all at once. Technologies developed for code scanning also make it possible to automate the code scanning verification process as well as confirm that all binaries are present at time of deposit. With the addition of these technologies to the escrow process, the escrow agent plays a crucial role in increasing the efficiency and effectiveness of the source code escrows .
As businesses and development teams adopt collaborative methodologies such as Agile and DevOps, the benefits of implementing an escrow arrangement to mitigate code risks will continue. These methodologies could benefit from the use of a dedicated client portal or cloud technology to manage customer communications as well as the associated documentation supporting the status of an escrow deposit. As prescribed in many commercially available Agile project management tools, keeping track of collateralized documentation to support an escrow will become essential as Agile product development increasingly incorporates outsourcing or team collaboration across geographies.
Implementation of automated code verification technologies for both existing and new deposits could also transform the role of the software escrow agent. In anticipation of the need to automate the code validation process, existing escrow agents have already invested heavily in the latest code scanning verification technologies. As these technologies advance even further, several different technologies could emerge with the potential to greatly enhance source code escrow arrangements.