This post is the second in a series on key technology escrow strategies. You can start at the beginning with An Intro to Key Escrow Strategies and read the first strategy, What’s in Your Software Escrow Deposit? or you can just jump right into this topic by reading on.
Over the course of the past seven years, I’ve worked at Iron Mountain, the number one question I hear the most, is “Why would I need to verify my software escrow deposit?”
The answer is simple: A software escrow agreement means that the developer’s intellectual property (IP) will be released if a release condition is met. This IP, often in the form of software source code, enables the user of the technology to keep their business operations up and running. Unfortunately, there’s no assurance that the intellectual property will be complete, usable, or even readable when it’s released to you. That’s where escrow verification services come into play.
Verification services are used to validate the completeness, accuracy, and functionality of the escrow materials. This critical audit of the escrow deposit helps to ensure that everything you need to recreate the software application is in the account before you actually need it.
A technology escrow arrangement is an excellent vehicle to protect all parties involved in licensing intellectual property, but the value of the escrow arrangement is really contingent upon two things, first – is the agreement structured and legally sound, second, the most important, the accuracy of the deposit material. A thorough verification your escrow materials will provide assurance that, in the event of a deposit release, the technology user (also known as the licensee or beneficiary) will have the ability to read, recreate, and maintain the developer’s technology without any assistance. In essence, “stepping into the shoes” of the vendor.
That’s the short answer. If you want all the details, please read on:
Here’s how it works: Before you receive your first escrow deposit, I strongly recommend requesting that your developer complete an “Escrow Deposit Questionnaire”. This will enable your third-party escrow provider (such as Iron Mountain) the ability to understand the scope of work required in order to produce a detailed “Statement of Work” (SOW) or “Cost Estimate” for testing your escrow material.
Note: The SOW is typically a fixed price based on experience and good faith estimates that the provider’s representations are accurate on build times and adequacy of the instructions.
Verification Services are custom projects that typically cover two phases of technology; the “Build” process and the “Run” process. If you’re running software in-house (on-premises) which is developed for you, by your provider, then the most critical aspect to you relationship is your ability to build/compile the source code. Compiling software is your ability to re-engineer the software to in order to correct “bugs” or to improve compatibility with other hardware devices for migration of the software when devices become outdated.
(Phase I) – Building/Compiling Software Code includes two test levels:
- A complete audit and inventory of your deposit
- Including analysis of the deposited media – to verify the presence of build instructions and identification of materials necessary to recreate the original environment
- Validate whether the development environment can be recreated from the documentation and files supplied in the escrow deposit
Outsourcing software responsibilities is definitely cost effective but it also carries the highest risk from an application continuity standpoint. In the event that your software is completely hosted your verification service level is simple, “Full Usability” testing. Since your provider builds and runs the software for you, it’s important for you to know both aspects as well. Phase I will cover the building of the software and Phase II will cover the process for recreating the environment for running the software.
(Phase II) – Full Usability Testing includes both levels from “Phase I” plus:
- Testing the functionality of the compiled deposit by comparing the files built (in the previous test) to the Licensed, executable file running at your location
- Confirm that the source code placed in escrow is fully functional in the event of a Release. Series of tests are run to ensure that the replicated software runs properly
Upon execution of the SOW, receipt of payment, and receipt of the appropriate materials from the developer, the testing of the escrow account begins. Once the test is complete, your third-party escrow provider will produce a detailed report of its findings to all parties.
Determining your company’s risk tolerance is not strictly based on cost. Here’s a quick calculation you can perform to determine your company’s risk tolerance for a given software application.
Operational Dependencies (number of users, customer impact, lost productivity/revenue) +
Replacement Costs (licensing fees, retraining, customizations, reprogramming, hardware costs) X
Time to Replace (identify substitute products, re-code software, application dependencies, new vendors) =
your Risk Level.
At the end of the day, we’re big fans of Ronald Regan’s adage of “Trust, but verify.”