Skip to navigation Skip to main content Skip to footer

27 June 2023

SaaS Escrow Frequently Asked Questions

SaaS Escrow Frequently Asked Questions

The migration of business applications to the cloud shows no signs of slowing down. In fact, Gartner projects the SaaS (Software-as-a-Service) industry will experience its largest annual growth between 2022 and 2023, reaching a value of $195.2 billion by the end of this year.

However, many organizations dove into SaaS headfirst, assuming security and software resilience are handled by the SaaS provider or the cloud services provider (CSP), but this is simply not the case. Often, SaaS applications are adopted directly by the line of business (LOB) owners and are unlikely consulting the IT department.

The result? Security precautions, risk mitigation, and resilience measures that should all take place when procuring software are ignored.

In this post, we’ll answer five of the most frequently asked questions from our customers about migrating business-critical applications to the cloud, and how the software escrow services relied on to protect on-premises applications for decades have been effectively adapted to different cloud deployment models as well.

SaaS Escrow FAQs

  1. Does Escrow apply to SaaS?
  2. What is SaaS Escrow?
  3. Is the SaaS Vendor responsible for my application and data?
  4. Is SaaS Escrow necessary for large SaaS vendors?
  5. Do I need SaaS Escrow if we have a Disaster Recovery plan in place?

Free Guide

De-Risk your SaaS Applications with SaaS Escrow

Discover how Software Vendors & End-users can proactively manage Cloud Computing Risks & ensure Cloud availability with SaaS Escrow.

Download Now

Does Escrow apply to SaaS?

In short, yes. But first, we will review on-premises software escrow to lay the groundwork.

In an on-premises situation, a software escrow agreement is pretty straightforward because your software sits on a server within your organisation and the escrow agent also holds a copy.

The escrow agreement is a tripartite legally binding contract with mutually agreed upon terms between the software customer, software supplier, and escrow agent. The supplier periodically deposits a copy of the software source code and associated materials for secure storage with the escrow agent, ensuring that the material can be accessed and released should the need arise.

It is strongly recommended that the deposit is verified by the escrow agent to ensure that it can be successfully recreated in the future. If an agreed-upon release condition occurs (i.e., bankruptcy, lack of support), the escrow agent then releases the materials to the software customer who can maintain the software, working from the source code either in-house or by engaging with another supplier.

So how are things different in the cloud?

With SaaS applications, your software no longer sits on a corporate server, but instead, is hosted in the cloud by a cloud services provider which introduces more variables and supply chain dependencies. Your data resides in the cloud now too. Additionally, the risk of supplier failure would be felt more immediately than on-premises as there would be a total loss of functionality for a SaaS application if the vendor were no longer there to support it.

Some customers believe when they are migrating their on-premises software application to a cloud service that they don’t need an escrow agreement anymore.

However, this is a misconception. If anything, the need for escrow is greater for SaaS applications, because both the software AND the data need to be protected.

Learn how to protect your critical data and de-risk your SaaS applications here

What is SaaS Escrow?

We often get asked by our customers, what is SaaS Escrow? And what is Cloud Escrow? At its simplest SaaS Escrow is:

  • Holding SaaS application live environment access credentials in NCCs SaaS Escrow virtual vault and testing that the details are correct, complete and enable access to the SaaS application in the event of SaaS provider failure.

  • Holding SaaS application data, source code and other application-specific material in Escrow and testing that the material can be utilized to recover the SaaS application and data in the event of SaaS provider failure.

  • Where a SaaS application is shared or used within a multi-tenanted environment SaaS Escrow involves holding a separately hosted, mirrored instance of the organization’s SaaS application environment and unique data within NCC’s SaaS Escrow virtual vault. This can then be released to the organization in the event of SaaS provider failure.

There are several different SaaS escrow services available, the most suitable solution for you will depend on your chosen business continuity plan.

To determine which SaaS escrow service you need it’s always best to consult with your SaaS escrow agreement provider. It is recommended that all business-critical SaaS applications should be protected by a SaaS escrow agreement to ensure resilience.

But before the SaaS Escrow agreement is signed and any applications are deposited into escrow, testing on the application, environment and architecture should be undertaken to validate the accuracy and ensure the usability of the materials held under the agreement.

The technical information produced from the verification acts as a guide to help the SaaS end-user understand, redeploy, and maintain the third-party SaaS application, without additional support from the SaaS vendor.

Is the SaaS Vendor responsible for my application and data?

Not entirely. In fact, there is a shared responsibility model (SRM) that is inherent to the use of cloud services.

As described in a report by Oracle and KPMG, this shared responsibility model conveys how a cloud service provider is responsible for managing the security of the public cloud, while the subscriber of the service is responsible for securing what is in the cloud.

Therefore, data security is always the customer’s responsibility.

To clarify, a cloud service provider, or CSP, is a company that offers components of cloud computing -- typically, software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS).  Cloud services typically are priced using various pay-as-you-go subscription models. The most well-known cloud service platforms are Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

For our purposes, we’ll focus on SaaS. With SaaS products, cloud service providers may either host and deliver their own managed services to users or they can act as a third-party, hosting the application of an independent software vendor (ISV), or SaaS provider.

In the cases where you have a CSP and an independent SaaS provider, the CSP can be holding up their end of the bargain in terms of hosting, but this doesn’t mean you will have access to your application if something happens to your software vendor – the CSP can’t just hand over the software it is hosting to the vendor’s customers.

Often, software subscribers think that if their SaaS vendor is no longer around to support their application, they can contact the CSP and their application and data will be there waiting for them, but this isn’t the case.

That’s where a SaaS escrow agreement comes in. With a SaaS escrow agreement, both your application and your data are protected by the escrow agent in the case of a release event.

Is SaaS Escrow necessary for large SaaS vendors?

Certainly, larger well-established software vendors tend to be more stable and less risky than startup vendors.

That said, SaaS escrow addresses risks across the cloud software supply chain.

That risk goes beyond a SaaS provider going out of business – there are many ways their businesses can shift; from discontinuing support of a product that you rely on, to being acquired by another company. In addition, larger vendors will be greater targets for ransomware and hacks.

In any of these situations, a copy of your software source code and data securely stored with an escrow provider is an important safeguard for your business.

If your cloud-based software application is business-critical or hosts critical data, you should consider SaaS escrow.

Do I need SaaS Escrow if we have a Disaster Recovery plan in place?

A disaster recovery plan is important, but it does not replace the need for escrow. Disaster recovery (DR), which is a subset of business continuity (BC) and focuses on the IT systems that enable business functions, is an organization's ability to respond to and recover from an event that negatively affects business operations.

It is important to note, as outlined in the Bode Law blog, that “disaster recovery does not cover the situation where the SaaS supplier itself becomes insolvent.”

“In these circumstances, a SaaS customer will have no right to access its data and backups at the data centre, as it is not a party to the hosting agreement between the data centre and the SaaS supplier.”

Escrow services with service continuity options can supplement disaster recovery plans and provide the SaaS customer with a solution to mitigate supply chain risk and keep their application up and running.

Now that we’ve debunked some of the key misconceptions around cloud migration, here’s how things really work: 👇 

  • Escrow is still relevant for the cloud. Escrow is still relevant for the cloud. Escrow for SaaS applications addresses the short-term risk of having no access to the cloud application AND relevant data. A SaaS escrow agreement provides additional protection for the licensee.

  • CSPs and software vendors are not responsible for your application and data. CSPs cannot just hand over the software it is hosting in your vendor’s environment.

  • There are various cloud escrow agreements available. However, all escrow agreements should be supported by verification to validate the accuracy and usability of the materials held under the agreement.

  • No matter how large or small a software vendor is, it is essential to plan for business disruption. To safeguard your business, ensure a copy of your software source code is securely stored with an escrow provider.

  • Disaster recovery does not cover the situation where the SaaS supplier itself becomes insolvent so supplement your current disaster recovery with software escrow.

Click here to get started and De-Risk you SaaS Applications

Skip to navigation Skip to main content Skip to footer