Do You Know What's In Your Escrow

In negotiating license agreements for critical software applications, savvy companies will wisely demand that the source code be maintained in an escrow account. They do this to protect against the possibility of the software vendor going out of business or otherwise failing to support the technology. Elements of the escrow contract include: frequent updates of deposit materials; fair release conditions; and limited use of source code as a release occurs. Everything is in order. A few years later, unfortunately, the software development firm is acquired and the new owner doesn't honor the service contract. But when the deposited materials arrive, they are incomplete or useless. What went wrong? And how could this have been prevented?

Most of the time, licensees accept little more than a visual check of escrow deposits, which requires the depositor to supply a list (Exhibit B) of the contents with the escrow materials. Iron Mountain compares that list with the labels on the deposited media and then notes any differences. By supplying this list to the licensee, Iron Mountain alerts the licensee to any missing items. Iron Mountain provides this level of service with every deposit, but more thorough verification procedures are available.

For licensees who want a basic verification check, Iron Mountain documents a detailed description of the computer environments needed to compile the source code. This includes identifying the hardware, operating system, utilities and any other information needed to support the software. All of this information is gathered in a phone meeting with the vendor and then compared with the Exhibit B submitted with the materials. Because Iron Mountain copies the licensee on the Exhibit B, a licensee could conduct its verification at this level. Iron Mountain's basic verification services, though, eliminate the licensee's need to scrutinize and evaluate the details of each Exhibit B.

While this level of verification is appropriate for some escrow contracts, greater levels can and should be performed to ensure source code escrow deposits are, indeed, complete.

Level III Verification
Iron Mountain, the world's leading software escrow agent firm, offers the most thorough escrow deposit verification services available in the industry. Level III Verification, Iron Mountain's most definitive test of escrow deposits, includes the following steps:

• Determines whether the computer media can be read by the host computer, assuring the licensee that the media is not blank.
• Produces a directory listing of files and programs on the media.
• Sends a report to the licensee that identifies the name of each file.
• Completely documents required libraries, third-party software, firmware support systems and media packaging.
• Verifies that compilation of the source code is possible by producing an object code version of the software based on the materials in the escrow deposit.
• If requested, we can deliver the created software to the licensee in object code form to allow technical personnel to perform acceptance tests and to compare the software against what is already in use.

Who Needs Verification?
This level of verification leaves no doubt about the usefulness of the source code kept in escrow. While this adds cost to the escrow, this high level of service is applicable if the user is licensing mission-critical software or if the technology is being resold. Also, technology companies may need Level III Verification if they rely on deposited materials to support and maintain products sold to their customer base.

All of these types of companies bear the highest level of risk in a licensing arrangement and have the greatest need to ensure that the software could be quickly supported if necessary.

New Jersey Transit Authority, which recently licensed new technology to upgrade its fare- and data-collecting system, decided it needed Iron Mountain to perform a Level III Verification on the source code placed in escrow.

Verification Gives Transit Authority Confidence
"We initially relied on the manufacturer to set up the escrow account," said Robert Fitzgerald, technical specialist for the transportation authority."To determine the validity of the account, we decided, as a safeguard, to audit the account."

He said the transit authority depends on the newly licensed technology to collect information and generate reports on fare revenue, passenger destinations, bus activity, route usage and other data. It also has been integrated with the transit authority's garage and fare register computer systems. Almost every department will rely on the software, including transportation planning, maintenance, and claims.

"This technology is critical to the proper and orderly functioning of the bus system, Fitzgerald said. If the software were to go down, and the vendor was not around to service it, we would need the source code to continue operations. And, down the line, when we expand on the system, we would need access to it in the absence of technical support from the software owner."

Results from the New Jersey Transit Authority's Level III Verification are pending final Iron Mountain review.

In addition to demanding careful and diligent verifications of the initial deposit, licensees should pay close attention to reports they will periodically receive from Iron Mountain. When major software releases occur, verifications may again be conducted as deemed necessary by the licensee. But the originally verified technology should remain in the account forever, ensuring that an accurate baseline version is protected.