Software escrow contents
This section covers the mostly technical factors to consider when looking at what the software vendor actually supplies to the escrow business. The objective here is simple: usability. In other words, if you get the software source code out of escrow, can you actually do what you expect with it?
Software run-time dependencies
No software stands completely alone. At the very least it requires an operating system (O/S) on which to run. The line between "application" and "operating system / support" software is increasingly blurred - software applications invoke lower-level functions/services in various ways. The vendor may also have used (with or without a formal license) software components from another vendor that they transparently bundle into the software they deliver to you.
Defining software releases
The key thing here is to tie the scope of what is put in escrow to the contents of what you use for each release of software by the vendor. The scope is relatively easy to define if you receive discrete releases, e.g. computer media or zip files over the Internet, with installation instructions for each software release. Here the scope is what you physically receive with each release. You may not receive physical releases if you, for example, use the software on an outsourced or externally-hosted basis (e.g. software as a service). Either way, you need to correlate the source code with the object code you start using with each release of the software. You also need to take partial releases into account. For example, if you receive "dot" releases or patches, you need to know that what you have in escrow always amounts to a complete cumulative release.
Release contents - agree with the vendor
You should end up agreeing what constitutes each "full release" with the software vendor. It is a good idea if what is put in escrow is the full release plus the matching source code items. That way, you can quickly reconcile both software source and executables if you ever need to use the escrow contents in a hurry.
Vendor questions
Then you should discuss the following questions with the vendor:
1) When are items put into escrow? The escrow business typically confirms to both you and the software vendor when it receives new items to put into escrow. The software vendor should commit to a schedule here, e.g. escrow contents updated within X hours/days of a major software release or change of development environment, within Y hours/days of a minor release...
2) Are there any items in the release for which there is no source code in escrow? The vendor may bundle into the release source or object code they do not own outright. You need to know if what is in escrow covers that as well. Some items in the release may be readily available (open source or already licensed to you directly). You need to know what those items are.
3) Are all the items in escrow free for us to use per the escrow agreement? If there are 3rd-party source/objects in escrow, the suppliers of those may think their use is limited to the software vendor only. For example, the source/objects are licensed. If you directly use the items, it could be viewed as unlicensed/unauthorized use.
4) Can we extract the release from escrow and compare to what we currently use? If you can periodically get the release contents - excluding source code - from escrow and compare them to the contents of the release you are currently running, this provides a good sanity check that the release held in escrow is complete and up to date. Whether the source code in escrow matches the release in escrow is a different issue.
5) Can we sample the source code held in escrow? The escrow business may know little about software technology. They are unable to look at lines of source code and know what it is they are looking at. If you want to have a look at some of the source code, you have to agree with the software vendor how that happens. This may involve using a new third party, e.g. an independent IT consultant. For example, the escrow company provides a list of computer files it holds. The IT consultant - in agreement with the software vendor - picks 10%-20% of the computer files to review. The IT consultant then reports back to both you and the software vendor.
6) What do we need to use the source code we get from escrow? There is not much point in getting the source code from escrow if you don’t know what to do with it. For example, the software vendor may have a development environment (compilers and other development tools, multiple computers for development and testing etc.) that your business will find difficult to replicate. You need some clues upfront as to what you need to do if you receive the source code from escrow - particularly if the vendor is unable or unwilling to help you at a later date.
7) How do we verify the technical usability of what is held in escrow? The escrow business may offer a service here - from a basic inspection of escrow contents to full verification of escrow contents. See the preceding section of this Web site. You may want to agree with the vendor separate steps for confirming the usability of what is held in escrow.
8) Can we modify the source code we get from escrow? Apart from recompiling the source code, you may want to extend it - for example to add features that the vendor is no longer willing or able to provide.
9) Is there any restriction on our employing your personnel? If your relationship with the software vendor breaks down completely, you may need help to use the contents of what you retrieve from escrow. One option is to recruit someone from the vendor to join your business. You need to know if that option is limited in any way.
One major further question, "What triggers release of full escrow contents to us?", is addressed in the next section.
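One way to run the comparison in question 4, as an added example (not code from this site or from any escrow provider): it hashes every file in the release extracted from escrow, skipping an assumed top-level `src` source directory, hashes the release you are running, and lists the differences. The directory layout, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root, exclude=()):
    """Map each file's relative path to its SHA-256, skipping excluded top-level dirs."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or rel.parts[0] in exclude:
            continue
        result[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def reconcile(escrow, deployed):
    """Compare two manifests; all three lists are empty when escrow is current."""
    shared = set(escrow) & set(deployed)
    return {
        "missing_from_escrow": sorted(set(deployed) - set(escrow)),
        "only_in_escrow": sorted(set(escrow) - set(deployed)),
        "content_differs": sorted(p for p in shared if escrow[p] != deployed[p]),
    }

def _write(root, files):
    # Helper for the constructed sample: create files with the given bytes.
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo():
    """Constructed case: escrow holds release 2.0, production runs 2.0 plus a patch."""
    with tempfile.TemporaryDirectory() as tmp:
        escrow, prod = Path(tmp, "escrow"), Path(tmp, "prod")
        _write(escrow, {"bin/app.exe": b"v2.0", "lib/report.dll": b"v2.0",
                        "docs/install.txt": b"steps", "src/main.c": b"int main"})
        _write(prod, {"bin/app.exe": b"v2.0", "lib/report.dll": b"v2.0.1 patch",
                      "lib/export.dll": b"v2.0.1 new"})
        # Source code is left out of the comparison, as in question 4.
        return reconcile(manifest(escrow, exclude=("src",)), manifest(prod))

if __name__ == "__main__":
    for finding, paths in demo().items():
        print(f"{finding}: {paths}")
```

A non-empty `missing_from_escrow` or `content_differs` list is the sign that a patch or "dot" release reached production without a matching cumulative deposit.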