
23 June 2022

Software Escrow FAQs

Learn more about Software Escrow Agreements and Verification testing options for on-premise and cloud-hosted/SaaS applications, Software Escrow Vaults, Software Escrow Release events, and more in our Software Source Code Escrow FAQs below.

If you have any queries, please don't hesitate to get in touch with our team!

Software Source Code FAQs

What is Software Escrow?

A Software Escrow Agreement is a simple and effective arrangement with mutually agreed terms between the software customer, software supplier and NCC Group, specifically designed to mitigate risk and protect the interests of all parties involved.

When technology is placed into escrow, the service provider or developer is able to retain the intellectual property (IP) rights, and the user gains the assurance that the software source code or other technology will be available if needed.

The independent, third-party escrow agent (NCC Group) makes this happen by providing a secure repository and creating an agreement that specifies release terms, detailing under what circumstances the technology would be shared with the end user.

See our “What is Software Escrow?” blog post for more details.

What is Source Code Escrow?

A “source code escrow” agreement is really just the same thing as a software escrow agreement. Software source code is securely held by the escrow service provider, so sometimes this term is used.

“Technology escrow” is sometimes used interchangeably with software escrow as well, since it is a more overarching term. Escrow can also be used to safeguard other intellectual property and proprietary materials such as design documentation, formulas, algorithms, recipes, and non-source code-based technology. (Yes, we’ve protected cookie recipes and paint formulas!)

“SaaS Escrow” is another term – yes, it gets confusing! When software escrow was first imagined, there was no Software-as-a-Service; your software was housed on-premise at the customer’s physical location. Today, there are multiple software escrow options for SaaS and cloud-hosted applications as well. We offer secure SaaS Escrow solutions for AWS, Azure, and Google Cloud-hosted applications and data.

Alternate names for software escrow include:

How do Software Escrow Services work?

The software customer and software supplier will enter into a legal agreement with NCC Group.

Under the terms of the Software Escrow Agreement, the software supplier provides NCC Group with a copy of the application’s software source code which NCC Group then deposits in one of our secure physical vaults or our secure cloud environment, depending on how the application is hosted. The deposited materials are updated at regular agreed intervals to ensure that the source code held in escrow is always up to date and reflects the current version of the software application.

In the event that the software supplier is unable to meet its contractual obligations, software customers party to the Escrow Agreement can apply for a release of the source code held in escrow under pre-agreed release terms.

Once released, the software customer can then maintain the software, working from the original source code, whether that be in-house or by engaging with another supplier.

What are the benefits of Software Escrow?

Software Escrow can provide organisations with the following benefits:

Who benefits from a Software Escrow Agreement?

Both software buyers (also known as licensees or SaaS subscribers) and software suppliers (also known as developers, vendors, ISVs, or SaaS providers) benefit from software escrow.

Law firms also benefit because lawyers are important referrers of software escrow for their clients.

See our “Who Benefits from a Software Escrow Agreement?” blog post for more details.

What kind of software should be placed in escrow?

A Software Escrow Agreement is important for business-critical applications. If the software has been built specifically for the buyer or if it represents a significant financial investment, these are reasons to consider escrow. If there is concern that the software developer is new or unproven, or there’s a risk that they will be acquired, it’s another good reason to consider escrow.

And from the software vendor's perspective, having software escrow in place for their application can mean that they are more attractive as an investment, and they are more competitive as they are seen as less risky as a supplier. 

Which Software Escrow Agreement do I need?

The most suitable Software Escrow Agreement will depend on whether the software application you are looking to protect is hosted on-premise or in the cloud, and on whether it has been specifically written or amended for use by one software customer or is an off-the-shelf product used by multiple software customers.

What is Software Escrow Verification?

Software Escrow Verification tests the source code and material held under the Software Escrow Agreement to ensure it is correct, complete, and can be rebuilt into the working application, providing a higher level of resilience and business continuity assurance.

What are the benefits of Software Escrow Verification?

Depending on the desired level of testing, Software Escrow Verification can provide organisations with the following benefits:

  • Independent assurance that the source code deposited in escrow can be rebuilt into the working software application in a release event
  • Assurance that all the necessary source code files, build scripts and utilities have been stored in the escrow deposit
  • Assurance that the full documentation of the software application build process is stored with the source code in escrow and will be available for immediate use in a release event
  • A complete build of the software application from the source code in the software customer’s environment as well as at the software supplier’s site
  • Vital input to disaster recovery and contingency planning, providing a documented rehearsal of the process to be followed to restore the software application from the escrow deposit material

What level of Software Escrow Verification do I need?

The most suitable Software Escrow Verification option for your organisation will depend on several factors. This includes whether the software application is hosted on-premise or in the cloud, the business-criticality of the application, and the level of business continuity desired should you no longer be able to access the application.

If you are unsure as to which Verification option best meets your organisation’s requirements, a member of our in-house technical team can work with you to determine the most appropriate level of Verification.

What is the specification of NCC Group’s Escrow Vaults?

Physical Vaults

NCC Group has a number of global storage locations throughout the UK, Germany, Switzerland, Netherlands and the United States. We provide a bespoke construction and management solution for each of our clients to ensure that we can accommodate their individual needs. The key features of our physical vaults include:

  • 24/7 monitoring
  • Highly secure, blast proof construction
  • Building closed-circuit camera system
  • State-of-the-art monitored fire alarm system
  • Single access vault/steel door
  • Strict access controls, including permanent access log
  • Smoke detection sensors throughout
  • Temperature and humidity monitoring
  • Full barcoding providing comprehensive track and trace system

Virtual Vaults (Secure Cloud Environment)

When depositing critical assets into escrow, security, availability and access are of paramount importance. NCC Group’s Virtual Vaults deny all access by external parties and are maintained solely by our Cloud Operations team, who are specifically authorised using a least-privilege access model. The key features of our Virtual Vaults include:

  • Access is secured by multi-factor authentication, strong credential policies, conditional access policies, and identity and access management controls
  • Data within the environment is secured by industry-standard encryption
  • Data is geo-replicated within the same region to protect against data centre failure and a 90-day retention policy enables the recovery of data if required

Have a question that we haven't answered above? Why not get in touch? 
