Source Code Escrow: How to streamline a potentially painful process

What do life insurance, dentists and source code escrow have in common? No one is excited to do it but everyone acknowledges that it is a necessity. When faced with a necessary but potentially frustrating task, the best thing a source code escrow vendor can do is to streamline the process for you.

Source code escrow often forms part of a software license agreement or a SaaS service agreement between a developer and their client. Under a traditional on-premise software agreement, the client, usually a larger company requests for the application’s source code and documentation to be deposited with a trusted third-party source code escrow vendor.

With a SaaS agreement for an application hosted within Amazon Web Services (AWS), Microsoft Azure, the source code escrow requirement is usually different as the client may require the developer to deposit the source code, deployment scripts, system images, databases and access credentials to the production environment.

Source code escrow is often seen by developers as a necessary evil to secure a large account and to provide their clients with comfort that if they end up in bankruptcy or a serious failure in service, an independent party has a copy of the source code, database or operating environment.

From our experience in speaking with thousands of software developers, we have identified what has frustrated them with their past experience with other source code escrow vendors to learn how to improve their overall experience and to turn source code escrow into a painless process.

  • Sales cycle – as the majority of software applications have moved to being hosted within AWS, Azure or Google Cloud, source code escrow has become more complex. Source code alone will not usually suffice for most applications being placed into escrow. A common frustration amongst software developers is being sold an escrow product by sales representatives that don’t fully understand the technologies they are tasked with selling. This usually requires a second or third call with a technical representative followed with a lengthy questionnaire to complete in order to prepare a proposal. Source code escrow vendors need to acknowledge this frustration and ensure that all sales representatives have extensive knowledge and understanding of the leading cloud hosting vendors and third-party integrations. They should aim to keep their initial call to a maximum of 20-30 minutes with a proposal following the same business day.

  • Legal review process – a source code escrow agreement usually needs to be reviewed and agreed upon by three parties. Developers and their clients often amend the agreement to meet their specific requirements which then needs to be approved by the source code escrow vendor. Delays in the review process and the inflexibility of the source code escrow vendor often causes frustration with the developer and their beneficiary client. This was identified as a major pain point and by having an internal legal department, red-lined agreements are usually turned around by the next business day.  In addition to this, the source code escrow vendor should provide as much flexibility as possible as long as certain parameters are met. In this way, they can facilitate agreements rather than becoming another hurdle to overcome. Escrow London provides free sample agreements available for download by following this link.

  • Old school deposit process – in a world of automated deployment from Git repositories such as GitHub and Bitbucket, software developers find the manual deposit requirements of some source code escrow vendors antiquated and inefficient. To overcome this potential headache, they should choose a source code escrow vendor who can provide unlimited automated deposits from Git repos integrating the source code deposit into the software development lifecycle.
  • Verification – verification is an independent test to provide assurance to the beneficiary that the deposited code or system (for SaaS environments) can be rebuilt and deployed in the event of a trigger. The verification is usually performed onsite at the developer’s office and source code escrow vendors usually allocate 3 or more days onsite for this process. During a verification exercise, the developer will need to demonstrate the build process to the source code escrow vendor. Developers find the typical verification procedure frustrating as they distract their internal software developers from further development of their core products. To minimise the time required, verifications should be performed remotely by using video conferencing and the verification consultants should be empowered to keep the time required from the developers to an absolute minimum. For repeat verifications, the same consultants (wherever possible) should perform the test to ensure that no new knowledge transfer is required.

Source code escrow is an important component of any robust software or SaaS license agreement. It is vital that the developers are onboard and comfortable with the process. It is important to keep in mind that the decision of a source code escrow vendor should be mutual between the developer and the beneficiary as it is a 3-way agreement even if the beneficiary is paying the costs.

As a tuned in source code escrow vendor, Escrow London recognises that the escrow process is something that the developers find distracting from their core business and as such we aim to make the process as efficient as possible for the developer.


About Escrow London

Escrow London is a global software escrow vendor headquartered in the United Kingdom. Our global coverage is provided across our London office, Escrow London North America Inc in Atlanta, and our Australian office in Sydney.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud Platform hosted SaaS applications. We support a wide range of clients includes major banks, central banks, insurance firms, technology companies and government.