Skip to navigation Skip to main content Skip to footer

Software Escrow Gets GitHub

Contact Us

How modern is your client’s software? The answer to that question really depends on how agile the solution is. Some companies work on the model that most software changes approximately once a year (and if it’s a “high end” solution than probably twice a year). In reality, the ability to adapt and respond quickly to changes such as system and new business operations has become a requirement for today’s “mission-critical” software applications. I work with lawyers to provide information on best practices for managing an escrow relationship. A lot of the conversations that I have start with a lawyer’s misconception that software escrow is no longer applicable in today’s world because most software solutions are hosted and supported through the cloud. A comment I typically hear from the legal community is, “How can software escrow help my client when the source code is constantly changing? When the provider submits a deposit into escrow, the code in deposit is outdated by the next morning.”

If you have read any of my previous blog posts, you know that I am very respectful towards the people I speak with, even if our opinions differ. I love to hear about their contract negotiation challenges while providing some “food for thought” during our discussions. However, I have to admit, this comment couldn’t have come at a better time; allow me to explain.

Source code is constantly changing and most developers today use systems for managing the changes to their programs and documents, while tracking their code’s entire genealogy in case there is a problem, and they have to fall back to a previous change to keep development moving forward.

The process for managing software development is known as Software Version Control (SVC) or Source Code Management (SCM) and there are approximately 57 providers globally. Depending on whom you ask, the top SVC/SCM providers are Git, CVS, Subversion, Mercurial, AWS CodeCommit and Visual Studio to name a few, many store code in repositories like GitHub, BitBucket, SourceForge etc. Because technology is constantly changing, so is software – literally every day. Developers need a way to collaborate with each other internally so that they can modify and update their code effectively. SVC/SCM systems provide a timestamp and the name of the last person that modified the code. This lets developers have the ability to resolve conflicts when merging updates from multiple contributors. In other words, these tools allow developers to work in parallel on different features while still having the ability to integrate features for each software release.

For the last 38 years, Iron Mountain has provided escrow services, which are essentially a contingency plan for mission-critical business relationships. With Iron Mountain’s secure escrow account, developers can provide their clients the entire genealogy of their software solution in the event of their unforeseen demise or inability to support their product.

Escrow can be a daunting task if your client’s software solution is frequently changing. The goal of every escrow account is to run parallel with the development of the software. For some software providers, keeping up with the escrow deposits is probably their toughest challenge. Today, we understand that a lot of our software developers are currently utilizing SVC/SCM systems for the management of the source code development, that’s why Iron Mountain has created an integration capability for supporting GitHub repositories to make escrow easy.

The integration process is simple:

  • GitHub users create a remote repository that they share with Iron Mountain
  • GitHub users generate an access token code and URL to the remote location for Iron Mountain to use
  • Iron Mountain will store the information provided in a database that will generate a JSON file
  • The JSON file is shared with our sFTP server and this will securely connect our sFTP to the developer’s remote location with GitHub
  • When the service is activated it will pull information every two hours from the GitHub remote location and securely store the data in Iron Mountain’s back-end server

Note: This last part is where the difference lies. Many escrow agents leave code in GitHub repositories of their own. However, security-minded escrow agents pull the deposits to secure servers behind their own firewalls.

This new “set it and forget it” approach to escrow will make the deposit process so much easier for developers, while providing a real-time email notification of each deposit as confirmation the process was complete.

Bringing our conversation back “full circle” – To answer the question that I typically hear, “How can software escrow protect my client…?”

GitHub integration with software escrow will help your client feel confident that their software is protected by the developer’s current version of the code. Or, if your client is the developer (licensor), they will have an easy, secure, and safe way to stay compliant and protect their IP while meeting contractual obligations.


NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acqusition please visit our dedicated information hub, or contact Iron Mountain IPM.

Get in touch

Skip to navigation Skip to main content Skip to footer