The practice of escrow can be identified as being either ‘traditional’ or ‘modern’. ‘Traditional’ escrow involves simply placing the software’s source code on physical media and depositing with the escrow agent. The escrow agent does not verify the source code to see that what was deposited was in fact the complete set of source code, associated technical documentation etc.
Until recently, most escrow arrangements were traditional in their approach. Custodians such as banks, notaries and legal firms physically ‘held’ a copy of the software source code as a deposit but did not technically verify that the deposit was complete, correct or up-to-date. If the escrowed material was out-of date, incomplete or unusable, then the protection afforded by the escrow agreement was worthless.
Further, the use of legal firms seldom met the requirement for independence demanded of escrow agents.
Modern software escrow agreements provide options so the end-user can elect for the escrowed material to undergo regular verification. Several options of verification provide deeper and deeper levels of assurance that the escrowed material contains what your software vendor committed to lodge, and that the materials are complete, up-to-date and usable.
Verification results evidence that greater than 90% of escrowed material is incomplete and often of little use to the end-user.
Traditional escrow arrangements are characterised by:
- passive or no monitoring of contract compliance
- media is transferred from vendor to escrow agent on physical media (CD / Tape)
- physical storage of the media in a secure location
- no validation process
- often no requirement or process to refresh or update the escrowed material
For an escrow agreement to be qualified as Modern, the following conditions must be present:
- the arrangement should be legally sound and the contract actively and continuously monitored for compliance;
- escrowed material should have been transferred to the escrow agent using a secure and encrypted medium,
- the escrowed material must be stored in two geographically distant locations including one electronic vault and one electro-magnetically shielded security deposit enclosure
- the escrowed material should be independently validated by a suitably qualified independent and neutral expert third party using an appropriate software verification process
- source code and supporting material should be updated frequently (several times a year).
Traditional escrow therefore offers little assurance that the source code material is present or that it will be of any use when called upon.
Traditional escrow should no longer be considered proper protection of your business. It does not meet ISEA (International Software Escrow Association) regulations for source code escrow practice.