Technology escrow is commonly used by companies to protect their source code or investment. Software escrow services are often sought by software developers when their client requests protection of source code or data contained in an application. This requirement is often stipulated in the software license agreement between the developer and the customer. Likewise, with the increase in the use of hosted SaaS applications, companies today are looking to ask a technology escrow provider to ensure that they have a third-party continuity process in place in the event unlikely that anything would happen to the SaaS provider.
Choosing the right tech escrow provider can be tricky. This article reviews the key attributes of what to look for in a technology escrow provider to ensure that your source code and intellectual property are always protected and secure.
Key Attributes to Look for in a Tech Escrow Provider
Competent process management from start to finish
It is advisable to choose a technology escrow provider that can handle the entire process of managing a software escrow agreement, from initiation to testing through to the release/trigger event process. This management process should cover the 4 key areas below:
- Data storage – The deposit and storage of data such as source code or database files is an essential part of the technology escrow agreement. The tech escrow provider should offer a simple yet secure process for this. Select a technology escrow provider that can offer a seamless process to securely and automatically upload your files in one of the following ways:
- Directly from your Git repository such as GitHub, GitLab or Bitbucket;
- Via secure file transfer protocol (SFTP); Where
- Directly within the cloud hosting provider such as AWS S3, Microsoft Azure Blob Storage, or Google Cloud Storage. Your data should be encrypted in transit and at rest. .
- Security – As mentioned above, your data must be secure. Look for a technology escrow provider that can provide the highest level of information security and data protection. They should hold the appropriate information security accreditations, such as ISO27001 and ISO27017, to have peace of mind that your data is safe and secure.
- Version control management – Once a technology escrow agreement is in place, it is essential to ensure that the source code is updated at an agreed frequency. You must select a technology escrow provider that can provide the means for automated repositories from Git. This ensures that the developer can automatically download source code from their Git repository using SSH encryption and maintains version control of previous repositories. This process ensures that the technology escrow provider always maintains an up-to-date version of the source code.
- Publication process – In the unlikely event that a release/trigger event occurs, you will need to ensure that the technology escrow provider you have selected is experienced enough to ensure that the release process is handled in a sensitive, professional and neutral manner . This may even include a dispute resolution process if one of the parties disputes the release of the escrow documents.
Testing of source code in a Technology Repository is an integral part of every Technology Repository Agreement. It is essential to choose a technology escrow provider that has in-house technical consultants with a strong background in source code management and verification. As more companies turn to SaaS-based applications, and if this applies to your organization, also check to see if the tech escrow provider has consultants who are certified engineers at major vendors cloud infrastructure such as AWS, Google Cloud and Microsoft Azure.
Streamlined sales cycle
As the majority of software applications have been hosted within AWS, Microsoft Azure, or Google Cloud, technology escrow has become more complex. Source code alone is usually not enough for most escrow applications. A common frustration among software developers is having a product sold in escrow by sales reps who don’t fully understand the technologies they are selling. This usually requires a second or third call with a technical representative followed by a lengthy questionnaire to complete in order to prepare a proposal. Look for a technology escrow provider who can ensure that all sales reps have in-depth knowledge and understanding of major cloud hosting providers and third-party integrations. They should aim to limit their initial call to a maximum of 20-30 minutes with a following proposal the same business day.
You should review the technology escrow provider’s relevant experience, particularly with respect to SaaS hosted applications within Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. Case studies published by the technology escrow vendor are a great way to learn about their relevant business experience in providing software escrow solutions. Accreditations such as ISO27001 and ISO27017 indicate that the tech escrow provider has put information security at the forefront of what it does.
No delay in the legal review process
A technology escrow agreement typically needs to be reviewed and approved by three parties. Developers and their customers often modify the agreement to meet their specific needs, which must then be approved by the technology escrow provider. Delays in the review process and inflexibility of the technology escrow provider often cause frustration for both the developer and their beneficiary customer. This has been identified as a major issue and by a technology escrow provider with an in-house legal department, agreements in red can be canceled typically the next business day. On top of that, the tech escrow provider should offer as much flexibility as possible as long as certain parameters are met. This way, they can make deals easier rather than becoming another hurdle to overcome. Escrow London offers a variety of free template agreements that can provide a great starting position when negotiating the perfect tech escrow agreement.
Unlimited automated deposit process
In a world of automated deployment from Git repositories such as GitHub, GitLab, and Bitbucket, software developers find the manual repository requirements of some technology escrow providers outdated and inefficient. To overcome this potential headache, they need to choose a technology escrow provider that can provide unlimited automated repositories from unlimited Git repositories integrating source code repositories into the software development lifecycle. Choosing a technology escrow provider that limits the number of repositories or the size of files can lead to increased costs in the future.
Remote and timely verification treat
Verification is an independent test to provide assurance to the grantee that deposited code or SaaS environments can be rebuilt and deployed if triggered. During a verification exercise, the developer will need to demonstrate the build process to the technology escrow provider. A good tech escrow provider will aim to minimize developer time for verifications. Verifications should be performed remotely using video conferencing and verification consultants should be empowered to minimize the time required from developers. For repeat audits, the same consultants (where possible) should perform the test to ensure that no new knowledge transfer is required.
Trusted legal expertise
A reputable tech escrow provider will have extensive legal experience negotiating software agreements in multiple jurisdictions, including the US, UK, EU, Switzerland, Australia, and Canada. Not all software escrow agreements are the same, so be sure to select a software escrow provider that can provide a number of template agreements to suit your business needs.