Criticality + Cost + Time + Vendor Assessment = Risk
Not all technology developers will be asked to provide access to their IP (source code) via a technology escrow arrangement. It all depends on the market you sell into and if your prospects consider your application mission-critical enough to take the necessary steps to protect it and reduce their corporate risk.
This assessment is based on the 5 point scale used by the National Institute of Standards and Technology with 5 being high and 1 being low. We apply the same scoring system on defining cost, time, and overall assessment of you as the developer and then add up the four totals for an overall application security score. The higher the score, the higher the application security risk.
To determine if technology escrow is applicable for your organization, you should go through the self-assessment to determine your level of risk to an enterprise organization.
Once you have completed the self-assessment and determine that your application could be considered high risk by customers and potential customers, then you can follow these six simple steps to put an effective escrow program in place.
Developer Company: Who is developing the technology for the account.
Your Deposit Account: Each deposit account represents separate technology containing IP, such as source code. Best practice is to set up different accounts for your different technologies. However, you can elect to set up one account for everything, but all licensees enrolled into that account will receive all deposit information if a release happens. It is up to you whether or not you want to share everything with all of those enrolled. Whatever you decide, a Master Agreement will help you to quickly and efficiently enroll new customers.
Your Deposit Materials: What is in the deposit account. You are allowed unlimited deposits, so we recommend a naming convention description that is easy to understand. If an escrow release is requested, and the conditions are met, all assets in the deposit account will be released to the designated contact at the licensee company.
Your Licensee Customers: Your beneficiaries with access rights to your deposit.
Designated Contact: The individuals at both the developer and licensee level that have been identified as the main point of contact to be notified by us for account notifications (release, deposits, non-payment, etc.).
It is important to establish a core team to represent all of the departments that should have input into the escrow process and policy you are trying to create for your organization. Escrow should be a part of your overall intellectual property or IP risk management strategy, so it is important to get all necessary teams onboard. We typically see that a core team includes representation from legal, contracts, IT, sales, and senior management. If you have another vendor’s technology embedded in the solution you sell to your customers, then vendor management and procurement should also be involved.
Some of the best run cross-functional teams are the ones where there is an executive sponsor that is assigned to help add credibility, visibility, and assist in cutting through red tape. The take away here is that all of the departments asked to support your escrow initiative should have a seat at the table to help create an escrow policy.
Once you have a cross functional team, the next step is to define your escrow policy and create a repeatable process that simplifies your ability to address prospect concerns and close business faster. The goal of this process is to establish a set of minimum standards to make it as easy as possible for you to establish an escrow agreement.
Benefits of a Master Three Party Agreement: A Master Three Party Agreement is an agreement with your organization’s terms and conditions that you can have ready when you need to enroll a customer into your escrow account. Having a Master Three Party Agreement will provide your organization with a repeatable process that has greater escrow protection than your organization may receive if you use your customer’s agreement (which many licensees will have).
With the Master Three Party Agreement, you can incorporate your strategies directly into the agreement. This will enable your company to appropriately address unfavorable situations that may occur during vendor/customer negotiations. This can include: what will be deposited, at what frequency deposits will be made, who pays for the agreement, what triggers a release of the information in escrow, and who manages the process. We’d love to be able to tell you to “set it and forget it,” but it is important to make sure that your escrow account is up to date. Step 6 will go into this in further detail.
The main point is to establish a plan early on and execute against it to strengthen your position as you negotiate with your customers.
NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.
