Ask HN: Is source code escrow still a thing?

7 points by amath over 1 year ago
We are releasing a self-hosted platform that builds on the open source project we have developed. Recently a prospective customer asked if we would put our source code for the platform in escrow. As additional context, our platform is used in an OEM capacity in some cases and this is why the customer insists on an escrow. I’ve been warned by lawyers that this could cause problems for future acquisition or investment. This is the first request we’ve had for this and I’m trying to get some more information if:

1. Source code escrow is still a thing?
2. If you have dealt with this in the past, how did you work around it.
3. Are there some licenses that could both protect us commercially and ensure the source code existed if we dissolved the business?

5 comments

mtmail over 1 year ago
Customer is either worried your company is too young/unstable or it's the standard procedure. If your company goes bankrupt then it's indeed unclear to me who owns the source code, the escrow contract might cover that.

Increase the price, double it, that's a very custom request for you.

We did it 6 years ago with a big enterprise customer. The escrow company got read access to one git repository (custom development outside our usual offering). I think the other option was to send them a DVD with the code. Customer paid for the escrow. A year later they either forgot or cancelled, we never had to update our code. Monetarily the customer contract value was worth the trouble. We never had another escrow request.
DanielBryars over 1 year ago
I had to do this 10 years ago for a SAAS application. It was standard procedure from the customer in question (a large multinational corporation) for "critical applications" - and I could understand their motivation. However, on renewal of the contract, the escrow clause was dropped - I'm not sure if this was because we were more trusted, or their policies changed (I think the cost was a factor).

Many other large customers consumed our services, but none of those have asked for an escrow - some have contracted for "special ways" to remove their data (for example direct access to database backups and so on) in the case that we would go insolvent - I'm not sure what legal mechanism this used.

For the customer in question they had several "levels" of escrow - and in this case they wanted the full escrow, which is more than just a dump of the code - it required all code, all dependencies, all bootstrap data, all configuration files, all build tools, and detailed instructions for building and running the app. An external company worked with us so that they could independently build the application, and witness it running. It was very expensive, very disruptive, very time consuming (it took about 3 days of prep, and 5 days with the external company). I remember it felt like a lifetime. The customer picked up the bill for the Escrow, that included the cost of the independent company, and our time (but not the opportunity cost).

In my opinion they are of very little value (for example the code continually goes out of date, who's going to run the service because they don't have the skills). In my experience it was a total PITA, and personally I'd avoid it, and try as hard as I could to use a different device to provide the assurance that they need (e.g. contracting that they can access their data in the event of insolvency, or at a push putting the built artifacts and runtime configurations into escrow).
wscott1 over 1 year ago
Hi there,

In the spirit of openness, brand new user so forgive me if I break any rules early doors and I work for the world's largest software escrow company... so sorry if this comes across as a little biased!

Yes, source code escrow is still a thing and is in fact being used significantly more frequently due to a raft of regulatory changes going on globally that directly name escrow as a requirement. (PRA, OCC, MAS, HKMA, IOSCO, FFIEC to name a few).

If you need any help I'll do my best.
ezedv over 1 year ago
Source code escrow can indeed be a consideration in scenarios like this, where your platform is used in an OEM capacity. While it can provide reassurance to the customer, it's important to navigate it carefully. There are licenses, such as the GNU General Public License (GPL) or the Apache License, that can protect your commercial interests while ensuring the availability of the source code.

To delve deeper into software licensing and commercial protection, Rather Labs (https://www.ratherlabs.com) offers insights into AI, GPT, and blockchain development, which can be valuable in addressing such complex matters. It's worth exploring to make informed decisions regarding source code escrow.
GianFabien over 1 year ago
I presume you have made non-open source additions, so only those additions require escrow assurance for the customer. Why not just license those portions? You would still retain all the IP.