As software is increasingly supplied to businesses on a cloud-hosted SaaS basis, software escrow agreements are arguably more important than ever. Here, we take a look at how software escrow agreements work with traditional, on-premises software licensing, as well as some of the additional considerations that need to be taken into account where software is supplied as a service.
Not sure what a software escrow agreement is? Please read our introduction to software escrow agreements here.
The ’traditional’ on-premises software licence
Traditionally, a business will purchase a licence from a software supplier, which gives it the right to run the supplier’s proprietary software on its own servers and hardware. The software is typically supplied in ‘object code’ form, which can be directly read and executed by a computer. This is different from the source code written (and retained) by the software developer, which has to be translated into object code.
Software licensors tend to be very reluctant to provide a licensee with access to the source code, as it represents a valuable intellectual property asset which could provide a rival with the opportunity to copy or reverse engineer the software. However, access to the original source code is often essential when it comes to maintaining, developing and supporting the software as, in most cases, it isn’t possible to fully reconstruct the original source code using the object code.
A source code escrow agreement provides a means for the licensee to protect itself against the failure of the licensor to meet its support, maintenance or development obligations in respect of the software, for example where it becomes insolvent or ceases trading for some other reason. The licensor will deposit a copy of the source code with a third party escrow agent, to be held securely and only released to the licensee if specific conditions or events occur. Except where the licensee is added to an existing escrow agreement maintained by the licensor, the triggers for release of the source code are usually subject to negotiation between the parties to the escrow agreement. They commonly include the insolvency of the supplier or a material breach of its obligations under a support or maintenance agreement. This gives peace of mind to the licensee who uses the software day-to-day in its business, that if the worst should happen, it will still have access to the source code needed to keep the software running and up-to-date.
A source code escrow agreement should be monitored and the source code regularly tested, ideally by the independent escrow agent, to ensure that the deposited code remains up to date and effective. The licensor should also be required to update the source code from time to time, including when it issues any updates or upgrades.
Cloud software escrow agreements
As time progresses, the popularity of the traditional ‘on premises’ software licensing model is being eclipsed by the ‘software as a service’ or SaaS model. SaaS sees licensed software delivered and supported remotely, via the cloud. This means that the production environment of the software, including its object code (as well as its source code) is remotely managed and controlled by the licensor. The licensee’s data within the software also tends to be held remotely, which presents an added risk if, for example, the software supplier becomes insolvent.
Cloud software escrow agreements are designed to provide protection to a licensee using software under the cloud-based SaaS model against the same risks as in the case of an on-premises software license. In essence, they seek to ensure that the licensee can continue to access, run and maintain the cloud-hosted software and the data within it, in the event of specified conditions, such as the supplier’s insolvency or material breach of a maintenance agreement. However, due to the key differences in the delivery mechanics of cloud-based SaaS as compared to the on-premises licencing model, a cloud software escrow agreement has to take into account additional factors, not least the fact that data inputted into or created by the cloud application doesn’t sit on the licensee’s corporate server.
As such, a cloud software escrow agreement will also typically need to cover items such as this data, cloud subscriptions and access credentials to the relevant software development environment.
Cloud software escrow agreements can be split into two broad categories, known as ‘access solutions’ and ‘replicate solutions’.
Access solutions and Replicate solutions
Access solutions
Access solutions are designed to provide the licensee with access – subject to the occurrence of a triggering event specified in the escrow agreement – to the latest version of the supplier’s cloud-hosted software, along with the data within it, within the supplier’s production environment. Under this type of arrangement, it is the access credentials for the supplier’s production environment in respect of its cloud-hosted software that are placed into escrow, to be released to the licensee upon the occurrence of specified events.
If entering into an access solution type agreement, the licensee should ensure that the agreement requires the escrow agent to regularly test the supplier’s access credentials to ensure they remain valid, and should also require the supplier not to change the credentials once they have been deposited into escrow.
The licensee should also be mindful of the risk that where the software production environment is hosted by the supplier itself, rather than by a third party such as a cloud services provider, an event triggering release of the access credentials from escrow, such as a winding up of the supplier, may mean the software ends up being removed from the environment, or the software and code become unusable or cannot be updated. Where the software does remain accessible within the production environment following release of the access credentials, there is nevertheless a risk that the materials deposited with the escrow agent may only allow the licensee access to the then-current iteration of the software, with little or no ability to further improve or update it.
On the whole, access solutions can offer a relatively cost-effective and straightforward means of protecting a licensee who needs to ensure access to the present version of cloud-hosted software. Due to the risks and limitations noted above, however, they are generally regarded as being most suitable for software applications that are not business-critical.
Replicate solutions
The second category of cloud software escrow agreements are known as ‘replicate solutions’ and offer a greater degree of protection. Rather than access credentials for the supplier’s production environment, these agreements see a mirrored copy of the software and the supplier’s production environment, placed into escrow. Upon release to the licensee following a triggering event, a replicate solution allows the software to be hosted independently of the supplier, on infrastructure chosen by the licensee. This affords the licensee a greater degree of control over the production environment. Having a copy of the production environment held in escrow mitigates the inherent risk of an access solution that access to the supplier’s production environment is unsuccessful, whether due to a deliberate act by the supplier or as a result of the event which triggered the release of the escrow materials. Such agreements tend to be more costly than access solutions, but are recommended for business-critical software applications.
When deciding which approach to adopt, licensees may find that the structure of the supplier’s cloud software architecture determines the feasibility of an access solution. In some cases, the supplier may have allocated each licensee its own independent instance of the software and its own individual database. In this case, both an access and a replicate solution are likely to be feasible. However, in other cases the supplier may have used a single instance of the software to serve several licensees, along with a shared database, subject to segregation which prevents any one customer from being able to access another’s data. In this scenario, which is relatively common with SaaS suppliers, the fact that the licensee shares the cloud-based production environment with other customers may mean that an access solution is not feasible, as it could create a risk of inadvertent access to other customers’ data within the mirrored production environment.
If you’re contemplating entering into a software escrow agreement, contact one of our Commercial specialists to see how we can help ensure you get the best protection and peace of mind here.