Software Escrow FAQ

• What business processes depend on this software?
• How many departments, employees, or customers rely on it?
• Is it classified internally as critical, high-risk, or strategic?
• Have you completed a Business Impact Analysis (BIA) for this system?
• Would loss of service disrupt revenue, compliance, or operational continuity?

• How much revenue flows through or depends on this application?
• What would be the cost of downtime in terms of lost productivity, SLA penalties, or customer churn?
• Would disruption result in breaches of contract or loss of clients?
• What’s the potential reputational damage if the system becomes unavailable?

• Do internal policies (e.g., InfoSec, business continuity) require contingency measures for critical vendors?
• Is there a documented and tested exit or recovery strategy in place for supplier failure eg insolvency, breach of contract, transfer of ownership, discontinued support etc?
• Do you regularly receive data or code exports?
• Does your contract guarantee rights to source code, data export, or transition support?
• Are there regulatory obligations (DORA, PRA, FFIEC, APRA) that apply to this vendor.

• Service
  • How easy is it to deal with the vendor?
  • Is the vendor flexible in their ability to amend agreements?
  • How responsive is the vendor to your questions?
  • Are you able to deposit your code automatically from the developer’s git?
• SaaS – Cloud Applications
  • Does the vendor have experience in creating SaaS business continuity solutions within AWS, Microsoft Azure and GCP?
•  Security
  • Does the vendor maintain ISO27001 and ISO27017 certifications?
  • Does the vendor provide secure SFTP uplink to deposit data?
  • Is your data encrypted at all times?

Yes! There are many software escrow vendors in the marketplace. It is imperative to check their cloud/SaaS experience, data security accreditations and their level of customer service.

Another key differentiator is liability cover. Some vendors offer only minimal or token liability coverage, such as the annual value of the agreement which may leave clients exposed in the event of a claim. Robust liability coverage over £1,000,000 / U$1,000,000 or A$2,000,000 not only signals confidence in the service but also provides essential protection for high-value software agreements.

The Escrow Company offers the highest level of liability coverage available in the market today.

Source code verification is the independent testing of the source code and deposit materials to ensure that it can be built and deployed into a working version of the software.

Under The Escrow Company’s software escrow agreement, there is a set process for dispute resolution which is by an independent arbitrator appointed by Escrow London. The decision of the arbitrator is binding. If arbitration is required, The Escrow Company will usually appoint an independent arbitrator in the jurisdiction of the agreement.

In the event of a release event being triggered, the beneficiary must send a statutory declaration or notarized notice to The Escrow Company to advise of the event of default. The Escrow Company will send the notice to the depositor and provide an opportunity to provide contrary instructions. If no contrary instructions are received after a set period of time, The Escrow Company will release the source code and other deposit materials to the beneficiary.

A software escrow agreement outlines the responsibilities of all the parties and includes the pre-defined release events. The events of default can all be negotiated at the time of setting up the agreement. The Escrow Company’s standard events of default are as follows:

• Depositor’s material failure to support the Product in accordance with the License Agreement and failed to cure such material failure within ten (10) Business Days of Beneficiary’s written notice to Depositor of such material failure;
• Depositor becomes unable to pay its debts or is deemed to be unable to pay its debts;
• Depositor applies for or consents to the appointment of a trustee, receiver or other custodian for Depositor, or makes a general assignment for the benefit of its creditors;
• Any bankruptcy, reorganisation, debt arrangement, or other case or proceeding under any bankruptcy or insolvency law, or any dissolution or liquidation proceedings commenced by or against Depositor, and if such case or proceeding is not commenced by Depositor if it is acquiesced in or remains un-dismissed for sixty (60) days;
• Depositor ceases active operation of its business or discontinues the licensing or maintenance of the Deposit Materials in material breach of the License Agreement; or
• Depositor assigns its Intellectual Property rights to the Product to a “Third Party” and within sixty (60) days, the Third Party does not agree to offer the Beneficiary substantially similar protection to that provided by this Agreement without significantly increasing the cost to the Beneficiary.

A software escrow agreement is important because it protects all parties involved in a software licensing arrangement, especially when the software is mission-critical to business operations. Here’s why companies rely on it:

• Business Continuity – If the software vendor goes bankrupt, discontinues support, or breaches the agreement, the software escrow ensures the beneficiary can access the source code and related assets to continue to maintain the software.
• Risk Mitigation – Companies invest heavily in software. Software escrow agreements reduce the risk of vendor lock-in or abandonment by providing a legal mechanism to recover and maintain the software independently if the software vendor is unwilling or unable to continue to support the software.
• Legal Protection – A software escrow agreement clearly defines:
  • What materials are deposited (e.g. source code, documentation, deployment scripts, access credentials, and other digital assets)
  • Under what conditions they can be released (e.g. insolvency, failure to support)
  • What rights the beneficiary has upon release (e.g. right to modify or maintain the software).
• Trust and Transparency – Software escrow builds trust between software vendors and their clients. Vendors show commitment to long-term support, while clients gain assurance that they won’t be left stranded if something goes wrong.

Software escrow is a three party agreement between a software developer (the depositor), the end user (beneficiary) and the escrow vendor commonly used in the USA, Australia, UK and throughout the world. Under the software escrow agreement, the developer must periodically deposit with the escrow vendor the source codes, documentation and items related to the software which may include deployment scripts, container images, system images and databases.

Companies need software escrow as a risk mitigation strategy to protect against the failure or unavailability of third-party software vendors. Software escrow provides assurance that, in the event of bankruptcy, acquisition, or service disruption, an organisation can still access the underlying software components necessary to maintain business continuity. 

A robust software escrow agreement helps meet contractual compliance requirements in procurement and legal negotiations, particularly where access to source code and technical infrastructure is a condition of doing business. 

Software escrow also fosters trust and transparency in technology partnerships, giving clients, investors, and stakeholders greater confidence that operations won’t be jeopardised if the vendor can no longer support the product. 

Typical software escrow deposits include: 

• Source code 

• Deployment scripts and build instructions 

• Technical documentation 

• Databases and configurations 

• API keys and access credentials 

No – while source code is most commonly deposited into escrow for traditional software hosted on premise or for firmware, a software escrow agreement can cover a variety of digital assets required for recovery. For example for cloud hosted applications the beneficiary party may require other assets as well as the source code such as: 

• Deployment scripts 

• Documentation 

• Databases 

• Access credentials for the production environment 

• A replica environment

It should be considered and clearly defined what materials are required to provide the desired outcomes following a supplier default and trigger.  

SaaS escrow are solutions designed for AWS, Microsoft Azure and Google Cloud hosted software and extends beyond source code and can include cloud infrastructure components such as: 

• Hosting configurations 

• Snapshots 

• Container images 

• Access credentials to the production cloud environment  

Depending on the preferred approach.  

It’s designed to protect clients using cloud-based applications if the vendor can no longer maintain the solution. The Escrow Company’s SaaS escrow solutions can also include continuity planning with tested fully managed failover capabilities and resources.  

Software escrow verification services test whether the software escrow materials are complete and can be built and deployed into a working solution. This can cover full compile, build and deployment testing giving independent assurance and the client confidence that the software escrow materials can be used to maintain the software if ever needed.  

Our verification options include: 

• File Integrity Test  (included free of charge with all agreements) – A check is performed on the deposit materials to ensure the source code can be decompressed and is readable, the specified programmatic languages are present, and deposit statistics (e.g., number of files, sizes, and documentation availability) are reported.  

• Comprehensive Build Verification providing the Beneficiary with independent assurance of the completeness and usability of the source code.

• Cloud Deployment Verification (For AWS/Microsoft Azure/Google Cloud)  provides assurance that the deposit materials can be deployed into a cloud environment.

• Cloud Deployment Verification with Code Quality Audit (For AWS/Microsoft Azure/Google Cloud) – this service includes an added verification to review the quality of the code deposited by the software vendor.

• SaaS Recovery Verification (SaaS Recovery Service)  simulates an escrow recovery situation. The Escrow Company will scale up the resources on the vendor deployed environment for testing. The Beneficiary is invited to perform smoke tests on the recovered system.
• SaaS  Release Verification (Managed SaaS Continuity Service) performed independently by The Escrow Company and includes end-to-end testing of the deployment process, achieving a functional state for the beneficiary to perform smoke-testing of the escrow environment.
• Mobile App Verification  is pperformed to verify that the deposited source code for a mobile app may be used to build and run a functioning version of the app for both Android and IOS on a local machine.

Costs vary between suppliers and service levels but is typically only a small percentage of the software licence fee. Pricing can be influenced by various elements such as: 

• the number of applications in scope 

• which tier of service from the escrow agent 

• volume of data 

• infrastructure requirements 

• verification testing level and frequency .  

The Escrow Company offer transparent, flexible pricing for single and multi beneficiary agreements,  SaaS escrow, and enterprise-level solutions. Get in touch for a tailored quote. 

What affects the price? 

Several factors influence the price of software escrow services, and they can vary depending on the complexity of the agreement,  and the specific needs of the parties involved. Here’s a breakdown of the key elements that affect pricing: 

• Type of software escrow agreement : A standard three-party software agreement tends to be simpler and less expensive than multi-beneficiary or more complex Managed SaaS continuity software escrow agreements. 

• Verification Services: Adding software escrow verification which may include validation of access credentials or verification of the build and deploy of the escrow materials increases the cost of software escrow but provides stronger assurance.  

• Storage Requirements or Cloud Vendor Costs: For software escrow deposits exceeding 1 terabyte of files or databases, an additional fee applies. The Escrow Company charges hosting costs based on the direct rates of the underlying cloud vendor, plus a 15% service fee.  For The Escrow Company’s Managed SaaS Continuity and SaaS Recovery services, any cloud vendor hosting costs are invoiced directly to clients, with an additional 15% service fee applied. 

• Liability and Insurance: The level of liability and insurance offered by a software escrow vendor plays a significant role in determining service costs. Vendors with minimal or token liability cover may offer lower pricing, but this often comes at the expense of greater exposure to risk.  The Escrow Company provides a robust standard liability cover of up to £2.5 million / Aus $4 million / U$1 million, with the option to extend coverage up to £5 million / Aus $9 million / U$5 million for an additional fee, giving clients added assurance and protection. This is the highest level of liability coverage offered by any software escrow vendor. 

Both. Software escrow is suitable for both startups and large enterprise companies.  Startup technology companies use software escrow to build trust and credibility with their clients. Some startup founders implement software escrow agreements during the development of their product by third party developers.  

• Establish confidence with enterprise clients by providing assurance of software continuity in the event of a critical failure or bankruptcy. 

• Streamline procurement processes by addressing concerns of risk-averse stakeholders upfront. 

• Elevate their credibility during sales engagements and due diligence by demonstrating proactive risk management 

Enterprise companies typically use software escrow to protect against third-party supplier failure of mission-critical solutions.  

• Recommended when working with a smaller vendor whose financial stability may be uncertain. 

• Consider software escrow with verification if you anticipate vendor lock-in or long-term dependency on the software solution. 

Yes – software escrow can be useful even when open-source components are used, but there are important factors to consider. If your solution includes a mix of proprietary and open-source elements, the escrow agent can store the proprietary code along with deployment tools and environment configs to ensure the entire system is reproducible.  

Important factors to consider: 

• Open-source code is usually publicly available so it may not need to be deposited into escrow unless it has been modified. 

• Licensing obligations – ensure that you are in compliance with the licensing obligations of the open-source code included within your software code base.  

In many cases, we can get a standard software escrow agreement in place within a few days but we also offer complete self-service options. More complex or bespoke arrangements may take a bit longer depending on legal reviews by all parties and technical scope. Our team guide you through the process and handle the setup efficiently. The actual technical setup of the deposits is typically shorter and usually only takes a couple of hours providing the depositor has availability to support the process.  

Ways to speed up the setup process 

• Use standard software escrow agent templates, we provide these for free  

• Agree in advance on what should be included in the deposit, for example: 

• • Source code 

• • Databases 

• • Deployment scripts 

• • Access credentials 

• • Encryption keys 

• • Documentation 

• Agree on the release events in advance of commencing the software escrow agreement setup. 

• Choose a software escrow agent like The Escrow Company, renowned for its deep expertise in structuring and negotiating software escrow agreements. Our team can expertly guide you through each stage of the process, ensuring clarity, compliance, and confidence.