Thoughts on software escrow

All too often a business person comes to me and says “we need to include escrow in that agreement we’re working on.” Sometimes it makes sense, sometimes it doesn’t. Sometimes it can be more trouble than it’s worth.

If your company licenses a piece of mission-critical software, it’s your job as the attorney (read: the risk manager) to ensure that the licensor continues to support and maintain the software (e.g., by releasing bug fixes and updates) for the term of your license. That’s typically done by adding terms to the license to ensure that they will make updates available to you either at no charge or a mutually agreed-upon charge (e.g., upgrade fees for feature releases and no charge for maintenance releases, bug fixes, new releases which correct security issues or are needed to comply with applicable law, etc.), or by executing a separate maintenance agreement for the software that gives you all updates for a monthly or yearly fee. You’ll also want to ensure that you are entitled to software support from the licensor (email, phone, in-person visits, user conferences in Bermuda, etc.).

That’s all well and good, but it rests on a very important assumption — (1) the company stays in business, and (2) the company doesn’t breach the agreement and you terminate (thereby terminating the license), either of which could leave your company hanging high and dry. The solution most often suggested? Software escrow. (There are other protections you can implement as well, such as ensuring you have a perpetual license and ensuring you have 365(n) language in your license agreement, but those are topics for another entry.)

Software escrow is, essentially, a form of insurance. A third party (such as Iron Mountain, called the “escrow agent”) will hold a copy of the source code for the software and other related materials “in escrow,” and release it to a party (such as the licensee of the software) if certain release conditions (usually called “release triggers”) are met. This way, if a release trigger occurs, you (the licensee) can go directly to the escrow agent and request a release of the escrowed materials, without necessarily involving the licensor. If the software is released from escrow, the licensee can use the source code to continue to update and support the software.

The simplest way to address escrow is to add an escrow provision directly into the license agreement. At a high level, the typical escrow provision (if you are the licensee) should contain the following at a minimum: (1) agreement on who the escrow agent is, (2) agreement on who will negotiate the agreement with the escrow agreement and pay for escrow services, (3) agreement on what materials will be escrowed, (4) agreeent on the release triggers, and (5) agreement on the licensee’s rights to escrowed materials upon release (make sure this is pretty broad if you’re the licensee).

I’ll note a couple of important considerations when drafting an escrow provision:

  • Materials to be escrowed. I’ve seen too often where an escrow provision says that the source code for the licensed application will be escrowed, and that’s it. That’s going to make escrow pretty useless, and result in your ops team yelling at you later on (and if an escrow release is needed, you can bet that it’ll be a “fire drill” situation so nerves will be on edge anyway, and they may be looking for someone to throw under the bus.) You want to ensure that the software in the escrow is updated regularly to ensure that the escrowed version is as close to the current release as possible (say, every quarter or six months); otherwise, you could be left with a significant out-of-date version of source code released from escrow. You also want to ensure that the software that’s escrowed is tested by the licensor (i.e., that they’ve taken the source code, compiled it, and have verified that it works). Most importantly, you want to ensure that the escrowed materials include detailed instructions on how to compile the software to make it usable, and what third party tools are needed to compile and use the source code. Otherwise, escrow is pretty useless. You should also ensure that any open source tools used in connection with the source code are included in the escrowed materials, to save your team the trouble of having to go find them.
  • Ensure you have access to licensor personnel for help. If there’s an escrow release, the best way to ensure you can work with the materials is to get help, ideally from the licensor’s own personnel. However, if your contract has a nonsolicitation or non-hire provsion, you could be prohibited from contracting with them. You should ensure your escrow provision allows you to engage the licensor’s personnel for assistance with use of the escrowed materials.

One other very important thought here…you can’t escrow a service or environment. I’ve seen requests for software escrow for the codebase for a licensed ASP application or other software as a service used by a company. A standalone software application is one thing, but an outsourced environment is a whole another ball game. The source code is all well and good, but if you don’t have the ability to replicate the platform and environment in which it resides, the source code won’t be much help to you. If you’re really willing to go there (and it’s that mission-critical), ensure that the escrowed materials includes network diagrams, lists of third party software/hardware needed to replicate the environment, and all other materials your business and operations teams will need to make a significant go at replicating the environment in which the escrowed code will reside. You may also want to consider requiring the licensor to meet with your operations team to walk through how this would work, and provide documentation on this outside of escrow, so that your ops team can hit the ground running.