Mark Ryan and Tom Sweet of SES Secure trace the evolution of software escrow and the impact of AI on its use
As many readers will know, software escrow is a risk mitigation tool that safeguards the critical assets, such as software applications, organisations are reliant on. It typically involves a tri-party legal agreement being set up between an end-user (e.g., employees at a law firm), a software vendor, and a trusted escrow agent. Having a software escrow solution in place ensures that critical assets remain accessible and operational to an end-user, even during disruption events (such as a vendor facing bankruptcy).
The rising demand and use for software runs in tandem with the ever-increasing level of risk associated with its use. As a result, the implementation of software escrow has become increasingly prevalent across the globe.
Within modern legal practice, examples of critical software applications that are commonly safeguarded by software escrow include case management software, communication and collaboration software, and document automation software. The safeguarding of these applications supports the best interests of all stakeholders that are in some way impacted by them, such as lawyers, clients, and collaborators.
The Evolution of Software Escrow
The concept of software escrow initially emerged in the 1980s. During this time, the widespread use of software was growing at a rapid rate. In response, software escrow solutions were designed and brought in to address proactively the risks associated with using third-party software suppliers. These solutions provided a means for business continuity in situations where software vendors went out of business or could not provide adequate support.
Whilst the overarching purpose of software escrow has remained the same since then, many aspects have seen tremendous change. Traditionally, software escrow was limited to single licensee arrangements for safeguarding on-premises software. However, the evolution of the industry means escrow can now be implemented for a much wider range of purposes and arrangements. Types of escrow agreements now include:
- single license
- multi-licensee
- SaaS
- hardware
- technology
- distributor Agreement
As technology and various industries continue to advance, it’s very likely that the needs and preferences that escrow solutions cater to will continue to become increasingly specific.
How do Software Escrow Agreements Work?
The first step when setting up a software escrow is an in-depth discussion between an escrow provider and a client. The aim of this is to determine whether software escrow is applicable to the client’s needs, if so, the type of agreement that is required and to establish trigger conditions, also known as release conditions. These are the agreed conditions which when met will lead to an escrow provider carrying out a software escrow release event.
The legal framework of software escrow typically comprises of five components:
The Agreement
A tri-party legal agreement between a software vendor, an escrow agent, and a software application’s end-user. The agreement clearly outlines the criteria that needs to be met for a source code release event to occur.
Release Conditions
These are specific conditions that are pre-determined in an escrow agreement. When these conditions are met, an escrow agent is authorised to release the materials held under escrow to the software licensee (i.e., the end-user). Examples of release conditions that would facilitate a release event include vendor bankruptcy, vendor insolvency, and a vendor not providing adequate maintenance and/or support.
Source Code Validation
Once a client deposits their source code to an escrow provider, it is evaluated to ensure that it is accurate, up to date, and can be redeployed if required.
Intellectual Property Rights
The intellectual property rights of all parties involved in the arrangement need to be clearly defined as this determines source code ownership and the end user’s rights upon release.
Compliance
Many client projects require the implementation of a software escrow solution. Additionally, many emerging laws involve regulations that can be satisfied through utilising software escrow, such as the Digital Operational Resilience Act (DORA) which is set to be enforced in the EU Finance Sector in January 2025.
Ultimately, software escrow can form the foundation of an effective risk mitigation and business continuity plan. It is a tool that enables organisations to face, address, and overcome unforeseen challenges with confidence and peace of mind. A software escrow release event involves an end-user receiving the materials, documentation, and guidance required to resume the operation of a software application following a disruption event. This mitigates against a range of risks, such as financial loss, damaged stakeholder relationships, and reputational damage. The absence of a software escrow solution during a time of crisis poses the risk of an organisation’s business operations coming to a standstill. Additionally, in situations where an organisation has already experienced some degree of damage following a crisis event, software escrow can be used as an effective disaster recovery tool.
The escrow space is now at a point where agreements can be customised to cater to the bespoke needs and specifications of clients.
The Use of Software Escrow in Legal Practice
As in many other industries, software forms the backbone for critical organisational operations within the legal industry. Whilst software escrow has established itself as a tool that many legal professionals recommend to clients, it’s not always a tool that they use internally.
The use of software escrow by lawyers themselves ensures that the best interests of stakeholders are placed at the forefront. This includes any stakeholder that is in some way impacted by the critical applications used by lawyers. The implementation of software escrow equips legal professionals with the ability to have uninterrupted access to these applications, regardless of any disruption that occurs. A major duty of legal professionals is the safeguarding of clients, which is a responsibility that is personified through a comprehensive risk mitigation strategy.
Ultimately, software escrow provides a proactive means for legal professionals to manage unforeseen challenges in an organised and convenient way.
The nature of the legal industry, and the role of security within it, would undoubtedly benefit from being more robust and operationally resilient, especially in the face of disruption. Escrow is one way to bolster those efforts.
The Current and Future Impact of AI on Software Escrow
The AI revolution has undoubtedly impacted the software escrow landscape and will continue to shape its future. For example the deployment of machine learning algorithms, enhances the capability to identify and mitigate potential security threats, ensuring that our clients’ assets are safeguarded. AI and machine learning technologies can also help identify vulnerabilities in code more quickly.
AI has will help with operational efficiencies, from automating routine processes to facilitating more accurate verification of software assets, while predictive analytics will help escrow agents anticipate and navigate the increasingly complex landscape of software compliance and regulation.
More fundamentally, what are the implications of trying to capture an AI algorithm or LLM in a software escrow agreement?
It’s often overlooked that an AI algorithm is fundamentally composed of code, originally created by humans. Regardless of its complexity, it remains an application running on compute resources—whether on a large scale, as seen with OpenAI’s ChatGPT models, or on a smaller scale, deployed locally or privately for specific use cases. In both scenarios, the large language models rely on code executed by an operating system, which can, in turn, be included in a software escrow agreement.
Regarding large language models, a key concern is often the data associated with the machine learning or AI algorithm. Training these models typically involves the utilisation of large, vast datasets. This data may comprise of publicly available information from the internet, which brings its own set of implications, as well as private data repositories, such as an organisation’s extensive collection of files and documents. These datasets are essential, as they provide the algorithm with the knowledge to generate responses and recognise patterns. For example, in facial recognition, the model compares CCTV images to those stored on a server to identify matches.
Ultimately, when it comes to a software escrow agreement, both the code and the underlying data are crucial to ensure the application is effectively protected and functional.
These intersections of AI with software escrow services are set to shape a new era of innovation and security, resulting in an ongoing evolution of the escrow space.
Mark Ryan is the Head of Escrow & Continuity at SES Secure, a provider of Software Escrow Solutions who have worked with clients across the globe for over 25 years. Mark has over two decades of experience in the Software Escrow sector working alongside legal professionals as a solutions advisor and guest speaker.
Tom Sweet is the Head of Technology at SES Secure. Tom leads SES Secure’s in-house team of technical experts who address the technical elements of all client projects. Tom has over 10 years of experience in the Software Escrow sector. Tom is also responsible for SES Secure’s approach to AI technologies.
