Q. Why would I need Iron Mountain to verify my technology escrow deposit?
A. A technology escrow arrangement is an excellent vehicle to protect all parties involved in licensing intellectual property, but the value of the escrow arrangement is seriously compromised if the deposit materials are incomplete. A thorough verification of the materials provides assurance that, in the event of a deposit release, the technology user (also known as the licensee or the escrow beneficiary) would be able to read, recreate and maintain the developer’s technology in-house — in essence, “step into the shoes” of their vendor. Our experience has shown that over 76% of deposits sent into Iron Mountain for analysis are incomplete, and therefore would compromise that user’s ability to benefit from having access to the deposit materials. Most times the technology placed into escrow is software source code, but other technology can be escrowed as well. At Iron Mountain, we’ve escrowed secret formulas, a jet engine and even a cookie recipe!
Q. What are some of the possible ramifications of an incomplete deposit?
A. Should there be a release of incomplete deposit materials the following realities can result:
Q. How can Iron Mountain’s verification services reduce my company’s risk?
A. Iron Mountain’s verification services provide your company with insight into the composition of your escrow deposits. We identify what is needed to use the technology, including anything that is missing from your deposit. Iron Mountain can also recreate the technology for you. The information we collect through our analysis is developed into an easy-to-read report, which you can use as a guide to reconstruct the technology from the deposit materials, should you ever need to do so. Performing the testing to recreate the product independently, away from the developer’s office or environment , is a crucial process as it replicates the conditions the beneficiary will likely experience if there is an issue with developer support.
Q. What does my company need to do to use source code released from escrow?
A. Your company must accomplish the following to use source code released from escrow:
Q. When should the escrow deposit be verified?
A. Iron Mountain recommends verifying a deposit at the outset when the escrow account is established. In all cases, verification should be performed before a release condition has occurred, in order to most effectively limit your exposure to risk.
Q. How frequently should deposits be tested?
A. This requires a cost-benefit analysis. If there is material change to the technology or if the risk profile of the developer changes detrimentally, new deposits should be verified. However, for mission-critical applications, Iron Mountain recommends testing each deposit update at some level. In less critical cases, technology users typically require testing with each major version release or bug fix. Iron Mountain’s verification service levels are designed to allow for the maximum flexibility in protection during the life of the technology and escrow.
Q. What problems does Iron Mountain typically find with escrow deposits?
A. Recent data on deposit testing has revealed the following:
Q. How does the verification process work?
A. Prior to performing verification tests, Iron Mountain requests that the software developer (depositor) complete an escrow deposit questionnaire (Exhibit Q). This enables Iron Mountain to understand the scope of the work required so that a detailed Statement of Work (SOW) and cost estimate for the testing can be prepared. The SOW is fixed price based on our experience and good faith estimates that the developer’s representations are accurate on build times and adequacy of the instructions. Upon execution of the Statement of Work, receipt of payment and receipt of appropriate deposit materials, Iron Mountain begins testing the deposit. During testing, Iron Mountain notifies the parties of its progress. Once the testing is complete, Iron Mountain provides detailed reports of its findings to all parties. Iron Mountain will also follow up with a technical resource to review the test results with the user of the technology. Parties interested in requesting a verification of deposited materials should contact their Iron Mountain sales representative.
Q. What are the types of technical verification?
A.
Q. How do I know which verification level I need?
A. Iron Mountain’s dedicated staff of verification experts will consult with you to determine which verification level best suits your requirements. The recommended type of testing largely depends on the criticality of your licensed technology and the business risks of your developer. For mission-critical software, Iron Mountain recommends seeking the most thorough verification testing for optimal protection against incomplete or inoperable technology escrow deposits.
Q. What is source code?
A. Source code is the written version of a software application that is readable by programmers. It is like a secret recipe and is often deemed a trade secret. That’s why software development companies do their best to protect their source code – it is their most valuable piece of intellectual property. Licensed software cannot be repaired or upgraded without the source code.
Q. What is object code?
A. Object code is the translation of source code into a language that only computers can read. It consists of a series of ones and zeros. Object code is generally created by taking proprietary source code and running it through a software program that transforms the source code into object code. Object code is then “bound” into executable code.
Q. Why is it necessary to know what “third-party software” is required to support the deposited code?
A. Third-party applications are utilized in nearly every software development environment and are needed to recreate the depositor’s executable code. A beneficiary that does not know what additional third-party software is needed to run in conjunction with the source code will have an extremely difficult time learning this on its own. Iron Mountain’s verification process helps to identify third-party applications that are required to build executable code.
Q. What is executable code?
A. Near the end of the software development process, object code is linked or bound together with other object code (which may be created by third parties) to create executable code. Typically, executable code is licensed to beneficiaries and installed in a live operating environment. Software developers feel confident in licensing executable code because it is extremely difficult to reverse the process and discover the nature of the source code by examining the object code.
Q. How do typical software licensing arrangements create risk for licensees?
A. Most software licenses involve the licensing of executable code and not source code, which is needed to modify the technology. Because of this, the software user (licensee) is only able to correct bugs in the software, upgrade the product, and maintain the software through the software developer (licensor) – the only one who has access to the source code. This puts most software licensees in an extremely vulnerable position, especially if the software vendor goes out of business, is bought by a competitor, files for bankruptcy, or discontinues providing maintenance support for any reason. The most widely used solution to this problem is to establish a technology escrow account that contains a copy of the source code and maintenance materials needed to compile and support the program.
Q. What unique risks do Software As A Service (SaaS) Application Providers create?
A. Since SaaS applications are running in the cloud, and not on-premises in the beneficiary’s environment, the operating environment is often unfamiliar. Therefore, for SaaS environments, information about the Application Service Providers (ASPs) operating environment should be included in the escrow deposit. In addition, your company’s user data also must be placed in escrow (since this also lives in the cloud) or other arrangements need to be made ensure access to the data. If these additional steps are not taken, the escrow deposit will not be useful to you upon release. Iron Mountain offers specific SaaS escrow services designed at mitigating risks of doing business with SaaS companies by addressing application continuity, service sustainability and unfettered access to data.
Q. What is included in a standard Iron Mountain “inspection” of deposit materials?
A. Iron Mountain opens every sealed escrow deposit and visually checks the deposit materials against the documentation provided by the developer (depositor). This ensures that the description of materials matches the deposit (Exhibit B). For example, if the Exhibit B states that the deposit should include three CDs and that those CDs are labeled “A,” “B” and “C,” then Iron Mountain will count the number of CDs in the deposit and check that they are labeled correctly. Once the visual inspection is completed, notifications are sent to the parties according to the contract terms. Of course, this is only a visual inspection, and we recommend adding additional verification services for optimal protection.
Q. Verification Next Steps
A. By establishing an escrow arrangement with Iron Mountain, you have recognized that your licensed mission-critical technology is an important aspect of your organization’s business operations. Complementing your escrow arrangement with verification services will help to mitigate potential risks by providing complete intellectual property protection and management, and ensuring a more rapid recovery for your organization should circumstances require it.
NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.
