This guide is based on UK law.
Escrow generally refers to the placing of property which is the subject of a commercial transaction (money, title deeds, software source code, etc.,) into the hands of a trusted third party for safekeeping until some specified event occurs which will trigger the release of the property to one party to the initial transaction.
Generally speaking, when a party creates a software program (a "creator"), two 'iterations' of that software are created: the source code version and the object code version. The source code is human-readable programming code; that is, details of instructions which the program will carry out. If a program has bugs or is to be modified, it is the source code which will need to be amended in order to make the object code run differently.
A computer cannot read source code. Object code is the computer readable code written in machine instructions which the central processing unit of a computer can understand.
Most source code is converted to object code by means of a compiler. When you buy a software program 'off the shelf', you are acquiring use of the object code.
Where a creator allows another party to use its software, usually the creator retains ownership of the software and grants a licence to the user (the "licensee"), to use the software. The licensee will normally be provided with a copy of the object code version only. By only supplying the object code, the creator guards its intellectual property rights by restricting access to the source code, decreasing the chances of it being used or modified without permission for another's commercial benefit. The creator is also increasing the likelihood that the licensee will have to look to the creator to maintain or upgrade the software, fix any bugs or make any customisations the licensee might require. Often these additional services will provide more revenue to the creator than the initial licence itself.
It is always to a licensee's benefit if the source code of software which they are licensed to use is put into escrow, particularly if failure of the software to operate correctly would have a marked impact on the licensee's business. There may be concerns about the financial stability of the creator, the creator's ability to complete a software development project, or the creator's ability to support and maintain the software for a required period. To best allay these concerns, it will be important that the escrow release conditions are clearly stated, to minimise the risk of dispute as to whether the source code should be released to the licensee. It will also be important to ensure that the deposited source code is kept up to date, regularly tested (usually by the escrow agent) and accompanied by the documentation and/or tools necessary to build the source code into a working system.
Where the software user has actually been assigned the intellectual property rights in the software, and has been given the source code, an escrow agent may provide more secure means of storing the source code than the user itself is able to provide.
While a licensee would always benefit from having the right to access an application source code kept in escrow, a creator may not be and is in fact rarely inclined to put its source code into escrow. Microsoft, for example, would not put the source code of its 'off the shelf' software into escrow, and enter into escrow agreements with all its millions of users. Furthermore, Microsoft would not want standard users to be able to access its source code in any circumstances, as software is the company's lifeblood. A creator is more likely to agree to escrow where it has created bespoke software, or where it will be receiving substantial licence and maintenance fees from a licensee.
A creator can benefit from putting source code into escrow as well. A creator may put source code into escrow as a way of protecting intellectual property rights. A deposit of source code into escrow may be used as evidence to support the creator's status as author of the software.
Another circumstance where source code may be put into escrow is where a creator pledges its intellectual property rights in its software as security for finance provided to the creator. The lender may want the code kept in escrow, with the terms of the escrow agreement permitting the lender access if the creator defaults in its repayment obligations.
The most common type of escrow arrangements, however, are those granting a licensee rights to access and use source code in certain circumstances.
A discussion of NCC's standard forms of such agreements follows.
NCC is a Manchester, UK-based organisation which also has offices in Germany and the US. According to its website NCC is the world's largest software escrow provider. It has secure software deposit vaults each with monitoring, deadlock, intruder alarm and fire prevention systems. The NCC's escrow agreements are commonly seen in Europe.
NCC's contact details are as follows:
The NCC Group
Manchester Technology Centre
Oxford Road
Manchester
M1 7EF
Telephone: +44 (0)161 209 5200
Fax: +44 (0)161 209 5100
Email: [email protected]
See NCC's web site for further information.
NCC has standard forms of agreement for a range of escrow scenarios, such as:
As the name suggests, multiple licensee customer agreements are designed to work where there are multiple licensees of the same software, in distribution or ASP arrangements, for example. The software owner or distributor puts the source code into escrow under an agreement with the NCC. The licensee becomes a party to that agreement and takes the benefit of it by signing a confirmation agreement.
Any deviation from NCC's standard terms will be considered to be 'non-standard' and the party paying the escrow fees (most commonly the licensee) will incur extra costs charged by NCC for their review of, comment on, and entry into non-standard agreements. Responsibility for payment of escrow fees, and the amount of any extra charges, should be negotiated and agreed before any negotiations relating to amendments to the escrow agreement commence.
The basic ingredients of the standard escrow agreements are the same. The software owner has 30 days to deposit the source code materials with NCC. NCC will run the integrity and/or full verification tests agreed by the relevant parties to the agreement (see discussion of testing below). Provided that the tests uncover no issues with the material put into escrow, NCC will then retain the escrowed materials until either a 'release event' occurs, or the escrow agreement is terminated. Release events are events which trigger the release of the source code to the licensee and include insolvency of the software owner or material default by the owner of any maintenance obligations it may have to the licensee.
NCC offers a number of levels of testing services on deposits of source code material. These services range from a basic inventory of the deposited materials, confirmation that no viruses are present on the medium on which the materials are provided (usually a CD) and that the materials can be de-encrypted (if encrypted), decompressed and read, to a full compilation of the code at the licensee's (or an independent) site to ensure that what is deposited can accurately reproduce the application.
The level of testing required by the parties (most likely the licensee) should be determined by the licensee's assessment of the business risk associated with unavailability of the source code. The more comprehensive the testing of the deposited materials, the lower the risk of business interruption or lost investment due to the deposited materials being unable to accurately and fully reproduce the software program.
NCC's standard forms of agreement provide that replacement deposits are requested from the depositor a given period after the last deposit, depending on the subject matter of the agreement.
Again, depending on factors such as the business criticality of the software and the frequency with which the source code is likely to be amended or updated, the licensee may wish to ensure that the escrow agreement requires not only that the software owner will make repeat deposits after each amendment or update, but also that NCC will test each new deposit. Repeat testing may have cost implications (depending on the type of escrow agreement and frequency of testing), but if the software is business critical any additional cost could be prudent business continuity expense. For any escrow agreement to be effective, the obligations to deposit software need to be policed and there needs to be follow-up action to ensure that any failures of testing or repeat testing are rectified.