Software escrow – an overview of legal considerations
Technology, Media & Telecoms Focus
Riyadh recently welcomed thousands of visitors for the LEAP conference and technology event. Amongst them was Alex McCulloch of Escode, who took some time to meet with Nick O’Connell, Riyadh-based Partner, to talk about software escrow.
Law Update: Issue 368 - Technology, Media & Telecoms Focus
Nick O’ConnellPartner, Head of Digital & Data - Saudi Arabia
Riyadh recently welcomed thousands of visitors for the LEAP conference and technology event that took place in early March 2024. Amongst them was Alex McCulloch of Escode (part of NCC Group), who took some time to meet with Nick O’Connell, Riyadh-based Partner in our Digital & Data (Tech | Media | Telecoms) team, to talk about software escrow.
Alex McCulloch: Visiting Riyadh for the first time has been a great experience. It's evident that Saudi Arabia is swiftly becoming a global hotspot for startups and entrepreneurs alike. Participating in LEAP was fascinating. The focus on innovation and teamwork really highlighted the importance of Vision 2030, Saudi Arabia's big plan for the future. I found it super enlightening to keep up with all the latest trends and chat with leaders from all corners of the globe. Plus, having speakers from various fields like technology, AI, and digital transformation, along with key decision-makers, sparked some really important conversations about entrepreneurship and why investing in new and innovative ventures is so crucial.
AMcC: Many organisations are familiar with NCC Group. We're in the business of cybersecurity and software escrow, and we operate globally, covering various sectors and technologies. Following a strategic review, in March 2024, we launched Escode. It's essentially our software resilience business but with a fresh name. We felt it was time for a change to better support our next phase of growth. Escode is currently safeguarding over 16,000 organizations worldwide. We're there for them when unforeseen disruptions occur in their software operations – whether it's in development, supply, or usage of critical applications - ensuring access to vital source code and digital assets.
AMcC: A software escrow agreement typically involves three key parties: the software supplier, the software customer, and an independent escrow provider. The agreement requires the software supplier to deposit the application software source code or other intellectual property (IP) securely with the independent third-party escrow provider. In the event of the supplier's inability to support the application due to specified reasons (e.g., bankruptcy or breach of contract), the escrowed materials are released, enabling the customer to maintain their critical application. Throughout negotiations, the independent escrow provider facilitates discussions to ensure alignment with the licensee's intended use and protection of the software supplier’s intellectual property rights (IPR).
AMcC: Software escrow services are tailored according to the hosting setup, whether on-premise or in the cloud. For on-premise solutions, an entry-level verification is recommended, facilitating a comprehensive knowledge transfer between the escrow service provider and vendor representatives. Additionally, an independent build process may be conducted to ensure completeness. Cloud-hosted solutions require verification exercises, with variations based on hosting arrangements. Single-tenant setups involve capturing administrator credentials, while multi-tenant configurations necessitate full production cloud stack replication and documented build processes, including database backups.
Release events, defined within the escrow agreement, typically cover insolvency of the owner, failure to maintain the package, or transfer of intellectual property rights to a new owner without continued escrow protection.
AMcC: Deposits are aligned with the frequency of application updates, requiring suppliers to make additional deposits beyond the initial agreement. Parties must decide on a suitable frequency to ensure an up-to-date version of the material is consistently available. For example, we offer a secure online portal, providing 24/7 access and visibility to the software escrow portfolio. Our portal allows users to monitor deposit activity, set alerts for expected deposit dates, request additional services, etc.. These tools ensure that the escrow account receives the necessary attention and is not neglected.
AMcC: The escrow agreement is only one aspect of the entire escrow process. While it guarantees access to the software source code, an independent escrow provider typically recommends verification services to ensure the reliability of the deposit in a release scenario. The extent of verification required varies depending on the customer's needs and the criticality of the software application. Verification testing proves most beneficial for applications critical to business operations, providing customers with the assurance they need to restore the application and seamlessly assume maintenance and management responsibilities, thus facilitating the enactment of their business continuity plans. At a minimum, material deposited with us undergoes an integrity check to ensure accessibility, virus-free content, and the correct source code type. This check occurs upon material upload, in accordance with pre-defined contractual agreements. Various verification service options exist. With us, the highest ‘Escrow Verification’ level simulates a release event and offers crucial insights for business continuity planning. Typically, verification testing occurs initially and then whenever significant software changes are made or in line with an annual update.
AMcC: Release events, defined within the escrow agreement, typically cover insolvency of the owner, failure to maintain the package, or transfer of intellectual property rights to a new owner without continued escrow protection. The release process involves submitting a notification to the owner, followed by an objection period. Dispute resolution procedures, set out the escrow agreement, may involve appointing an independent expert or alternative methods per agreement amendments.
AMcC: Under the standard terms of our escrow agreement, we promptly forward any notification of a release event received from the licensee to the owner. The owner is then given a period (in our case, 14 days) to submit a counter-notice, indicating either that they believe no release event has occurred or that the circumstances leading to the event have been addressed. If we do not receive a counter-notice within this timeframe, the material is released to the licensee. However, if we do receive a counter-notice, it is forwarded to the licensee. At this point, the licensee has the option to initiate the dispute resolution procedure, if they so choose. It's worth noting that these timeframes are subject to adjustment if agreed between the owner and licensee.
AMcC: Our standard escrow agreement outlines the procedure for dispute resolution. As per the standard template, if the licensee wishes to challenge the owner’s counter-notice and initiate a dispute resolution procedure, they must notify us. Subsequently, we would appoint an independent expert to adjudicate the dispute. In the event that either the owner or the licensee objects to the appointed independent expert, they have seven days to mutually select an alternative independent expert. Failure to appoint an independent expert within this timeframe prompts us to request the appoint an independent expert by way of an arbitration institution. However, should the parties prefer an alternative dispute resolution method, such as litigation or a procedure outlined in the underlying licence agreement, we can typically accommodate that preference. The escrow agreement can be amended accordingly to reflect the chosen dispute resolution mechanism.
AMcC: The question of fees for software escrow services has long been a point of discussion in the technology escrow landscape. Developers often argue that their licensees should bear the costs of the escrow agreement and associated fees. Conversely, licensees contend that developers should cover the expenses as a standard cost of conducting business. The most practical resolution to this debate lies in the party who desires to dictate the terms of the agreement should assume responsibility for the associated costs. When developers shoulder the expenses of the escrow agreement, licensees may inadvertently develop a false sense of security, leading to infrequent monitoring of the escrow account, often limited to significant milestones throughout the business relationship. In reality, licensees should regularly monitor the escrow account, ideally on a quarterly basis. On the other hand, when licensees fund the escrow agreement, they tend to pay closer attention to the deposit schedule and maintenance of the escrow account. As the business relationship progresses, licensees maintain vigilance over the developer's business activities in tandem with their escrow deposits to pre-empt any potential financial setbacks. It's essential to note that once a developer enters crisis mode, cooperation becomes increasingly scarce as self-preservation becomes their primary concern.
Software escrow is an important consideration on high value technology projects, and likely to be of particular relevance in Saudi Arabia as the Kingdom moves towards 2030.
For further information,please contact Nick O'Connell.
Published in May 2024
