Source code storage (escrow software)

15 June 2020

Are you planning to deploy a new information system? Are you going to invest in expanding an existing solution? Are you worried about the limited lifespan of software? Are you looking to ensure the long-term development of the acquired information system? Do you lack the security of long-term support? Are you worried about depending on the supplier of your information system? If you answered yes to one of the previous questions, then you should be interested in the source code storage service.

Your investment in information systems and the availability of your data are entirely dependent on the functioning and cooperation of the developers of your information systems. Only with access to the complete source code can you provide technical support and long-term development of the information system. This is the basic function of the so-called escrow software: secure storage of the code and its release once the conditions defined in the contract between the software manufacturer, the customer and the escrow agent are met. Put simply, escrow software can be compared to property insurance, through which you insure your IT investments and your company's data.

Source code storage is a traditional and commonly used service abroad (today over 90% of Fortune 500 companies use source code storage for their information systems), but it is still a relatively little-known instrument in the Czech Republic. Source code storage is also a common part of projects funded by European grants, of projects supporting beginning developers, and of critical information systems (e.g. banking and hospital information systems).

Investment risk

In general, the main benefit of deploying an information system is to increase the efficiency of business processes and the functioning of the company. Your expectations are directly proportional to the amount of money spent, and beyond a certain amount this raises a legitimate concern about the return on investment. Discontinuity of information system development and support is the greatest risk to the return on investment in its acquisition and implementation, and in the case of significant and critical information systems it can jeopardise the very operation of the company and access to its data. The most common cause is non-compliance with the support contract, the terms of which are often dictated by the software vendor, who is usually well aware that you as a user have only very limited options to replace its solution with another. The demise of the software supplier is also a very real cause of unplanned termination of support and further development of the supplied information system.

Source code requirement

Eliminating the risks described above means safeguarding the continued development and support of the information system in case of a problem with its supplier and, where the system is significant or critical from the customer's point of view, ensuring "business continuity" and the running of the company. This can only be ensured through access to the complete source code and documentation of the relevant information system. Only in this way can the investor/user be sure of securing further development and support with the help of a third party if the supplier is unable to meet its obligations. Source code is a computer program in readable and editable form. If you need to modify or develop a computer program, you can make changes in the source code that are not otherwise possible.

Technical support and long-term development of the information system or the possibility of another supplier taking over the administration and maintenance of the information system can be ensured only with access to complete source codes.

In most cases, the source code is not part of the delivery of the information system, because the code reveals both the supplier's technological know-how, whose importance far exceeds the value of the finished functional application, and the security elements of the information system. The cost of providing source code exclusivity can therefore be several times that of the software. If the supplier plans to use the information system for other customers as well, the release of source code would open the door to the competition and present a huge security risk for all users of the information system.

Solution: escrow software

The essence of the service lies in the secure storage of application source code with an independent party (the escrow agent) based on a conditional tripartite agreement between the user, the software supplier and the escrow agent. Upon fulfilment of the agreed conditions (termination of the supplier, breach of SLA, etc.), the contract entitles the escrow agent to issue source codes to the user in order to continue to support and develop software with another partner.

It is therefore not just a matter of storing with the customer a copy of the code that the software creator does not control, but a comprehensive service providing the necessary legal actions associated with keeping the source code in escrow (not just storing it) and its eventual release under predetermined conditions.

The escrow process

Let's take a look at the phases of our secure software escrow service.

1. Consultation of contractual relations

We will provide legal advice on new or existing software development and maintenance agreements and design a suitable software escrow agreement (source code escrow agreement).

2. Creating inventory

We will prepare and approve with you a list of everything essential for full maintenance and operation (source codes, development environment, system components). A quality inventory is the basic building block of escrow software.

3. Basic verification or audit of escrow content

Without the need to read the contents of the source code files, we will verify that the stored material corresponds to the inventory or we will audit the contents of the escrow according to the agreed scope.

4. Issuance of source codes

After verifying that the conditions for issuing the escrow have been met, you will receive an encrypted package and decrypt it with a private key.

By using a secure version of the escrow software, we eliminate the risk of source code disclosure during the entire escrow process.

More options for verifying your software

As is clear from the previous paragraphs, the basic function of the escrow software is to securely store the code and release it once the conditions defined in the contract between the software vendor, the user and the escrow agent are fulfilled. However, before taking the code into storage, it is advisable to check that it does not contain security risks and that it can actually be compiled into executable form. We regularly provide such verification to clients who use escrow software with us.

Audit of the escrow content

The audit of the escrow content significantly increases its usability and the efficiency of the procedure for issuing the escrow in defined situations. A baseline audit should be performed whenever accepting something into escrow. The level of the audit can be chosen with regard to the importance of the software for the users. It can greatly simplify the work of both the supplier and the user in the process of software implementation.

The source code audit includes the following activities:

  • inventory of files in escrow and verification of their integrity
  • identification of tools for maintaining and compiling source code
  • compilation of the product and creation of executable files
  • verification of installation options and application settings
  • basic functional testing of the application
  • confirmation of the validity of the source codes
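
The first audit activity, the inventory of files in escrow and verification of their integrity, can be done by comparing cryptographic digests, so the deposit is checked against the inventory without anyone interpreting the source. The following is an added example, not BDO's or Deponest's tooling; the SHA-256 inventory format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large deposits do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_inventory(root):
    """Supplier side: map each relative path in the deposit to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_deposit(root, inventory):
    """Escrow agent side: compare the stored material with the agreed inventory."""
    actual = build_inventory(root)
    return {
        "missing": sorted(set(inventory) - set(actual)),
        "unexpected": sorted(set(actual) - set(inventory)),
        "modified": sorted(n for n in inventory.keys() & actual.keys()
                           if inventory[n] != actual[n]),
    }

def demo():
    """Constructed sample deposit: record an inventory, then alter the deposit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void){return 0;}\n")
        (root / "Makefile").write_text("all:\n\tcc -o app src/main.c\n")
        (root / "BUILD.md").write_text("Build with make.\n")
        inventory = build_inventory(root)  # agreed at deposit time
        # Simulate drift between the inventory and the stored material.
        (root / "Makefile").write_text("all:\n\tcc -O2 -o app src/main.c\n")
        (root / "BUILD.md").unlink()
        (root / "notes.tmp").write_text("stray file\n")
        return verify_deposit(root, inventory)

if __name__ == "__main__":
    print(demo())
```

A deposit passes this check only when all three lists are empty; it says nothing about whether the code builds, which the later audit activities cover.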

Escrow software solution with BDO Digital

We have a 10-year tradition of providing source code escrow services and are the only dedicated provider of these services in the Czech Republic. Our specialised team and Deponest, which provides the escrow software service, is a worldwide accredited entity for Microsoft programs.


Jan Bednář, Dan Vaníček
