SaaS escrows are very different to software escrows. Whilst still a legitimate concern in your risk register, how can you manage the risk?
This article explains, in business terms, the how and why of escrows as they relate to software and, more specifically, Software as a Service (SaaS).
Please note I am not a lawyer. I studied one semester of law as part of my master’s. The findings here are those of a lot of reading, asking and answering questions.
If you spot anything you disagree with or you have a better way, please let me know.
Having been asked to explain and clarify escrows on a number of occasions, I hope this article helps you understand what escrows are and what they do for you.
- Business risk and mitigating it
- Building a SaaS escrow
- Putting it together
Business risk and mitigating it
Modern business relies on Information Technology (IT) for many things.
As part of relying on technology it’s prudent for a business to ask, what if it fails?
These “what ifs” represent risk. How do you stop the what ifs? If you can’t stop a what if, then how do you lessen the impact of it?
Data security teams are constantly aware of these risks and so keep a log of all the what ifs in a “risk register”.
This register represents every what if and what to do about it.
Over time business can grow or business can fail. The question of, what if our IT supplier’s business fails is a significant question.
Some businesses you think are so big they’ll never fail, but they can be bought out or suffer a catastrophe which stops them operating.
- Nortel: in 2009, billions’ worth of Nortel equipment ended up with no manufacturer.
What will your business do if they’re no longer available and you’ve built your business around that technology?
Going out of business
So there are a few different scenarios of going out of business to consider.
- Parent company goes out of business: how do you update / adapt your solutions? Who updates / adapts / supports you?
- The software goes out of date / end of life: manufacturers don’t keep supporting / updating old software forever. Microsoft are famous for this.
- There is planned obsolescence: This is far more difficult to deal with. By the next update your software will stop working! Be very watchful for this.
So we add a line to our risk register: Our software supplier goes out of business?
Now comes the daunting challenge: how do I mitigate that risk, or make it not a risk at all?
Your options may be limited but here are some mitigation approaches.
- Investigate competitors who deliver a similar but equally capable solution
- Write your own software in house
- Invest in the software business to make sure you know exactly what’s going on
- Put in place an escrow (SaaS escrows or software escrows)
So this introduces the concept of an escrow, what is it?
An escrow is defined as
Something of value, such as a deed, stock, money, or written instrument, that is put into the custody of a third person by its owner, a grantor, an obligor, or a promisor, to be retained until the occurrence of a contingency or performance of a condition.
So the condition for all these discussions is “software company goes out of business / can no longer update or support the software”
We’re going to need a third party which is usually a lawyer or similarly trustworthy source.
Now we need to give them something and this is where it gets interesting and complicated.
A software escrow is actually very simple in concept.
- Engage a lawyer to create an escrow between supplier and client
- Take a copy of the source code of the software and burn it to DVD or similar storage mechanism.
- Put that DVD in a sealed envelope and hand it to a lawyer.
As per our conditions, if the business is unable to update / maintain the software, the client gets the DVD of the source code from the lawyer to look after it themselves.
Essentially all the client needs is that DVD and they can rebuild, develop and fix everything.
There are massive challenges in infrastructure, server software and underlying version management but generally not much changes.
People hear “Software as a Service” and think, it’s software, the same game. Unfortunately it’s not that simple.
SaaS is a form of outsourcing, not just software but multiple integrated services as well.
SaaS escrows have four key elements.
- Firstly software, same as the software escrow
- Also data, as the solution is hosted, the supplier offers to look after the data
- Next is infrastructure, as the aaS part of the title means, the solution is built to work in a specific setup
- Finally, we need manuals and documentation not just to put the solution together but how to run, maintain and deliver the server. The company manual!
The third item doesn’t apply to a plain software escrow because, once you have the DVD, the infrastructure is the client’s problem to work out.
Yet if the software doesn’t work on one server, there’s a host of documentation required as well.
So there are four components, not just one to SaaS escrows. The next consideration is time.
Snapshots vs. real-time
The software escrow is a snapshot of the software at a particular time. Working in something called builds, the code tends to be compiled and has distinct versioning.
Data goes into the solution but the underlying software never changes.
SaaS platforms can use builds but can also update on an almost daily basis. Bugs, fixes, updates and changes can happen hundreds of times a week as the platform evolves.
So a once off snapshot doesn’t work as companies adapt to these changes on an ongoing basis.
A live / real-time approach to keeping a copy of the software is needed. This means copying the software in real time whenever any change is made.
This is one of the primary challenges of SaaS escrows.
Ok, so we have the software part down, it’s going to be a real time copy. Now we need to sort out the data.
Yes we can take backups but that data can mount up. Is there a nightly process to keep full copies of all your data away from the supplier?
Database structures are intellectual property. Most suppliers will provide backups after they’ve been translated to a format you can digest.
If you ever try to move all your data from one system to another, you’ll realise the mapping exercise is exceptionally difficult to do.
If you’re taking over a solution that translation process is a waste and not much use in terms of risk. Too many translations mean things can go wrong.
Instead you need the data in a format and layout that’s compatible with the software.
This is the second real-time copy, this time of the data, in a structure that matches the software.
High availability and encryption of data at rest
Next in your risk register is making sure a SaaS supplier is highly available.
If you’re installing updates on the server, you don’t want to have to restart the server and disable the service while it restarts.
So that means two servers. One to stay on while the other reboots. You’re going to need a load balancer to be able to swap between servers as this happens.
Encryption needs to be installed and operated on these servers, which means keys and technical expertise.
Mirroring the live setup so that you get exactly what you currently get service wise means your infrastructure shopping list will probably read
- Industry strength firewall
- High availability load balancer
- Two web servers
- Two database servers
The shopping list is not cheap in order to fulfill SaaS escrows and mitigate the fundamental risk.
Keys to the kingdom
So even if the lawyer turns around and hands you the software and the data, you go and buy all the hosting and hardware, you now have another problem. How does it all sit together?
This is where the operations manual is vital. SaaS escrows include complete manuals on how to build SaaS businesses.
A document which details the options, choices, specifications and reasoning of the developers, so another developer can pick up and operate the solution.
What’s the point in getting the plans to a car engine if you can’t do anything to fabricate or repair parts?
More to the point, do you really want to take over a SaaS software business?
The point is to mitigate risk and keep operations going in the event of the supplier going out of business.
Having all the elements does not mean operations will continue. You need to know how to make it work.
As your supplier performs updates, the manual must update as well. This is the third real-time update consideration.
Putting it together
What a SaaS escrow entails
SaaS escrows need suppliers to have a live mirror of your current operating environment under the watch of a lawyer.
Like insurance, it’s a choice.
Not only does your supplier place the SaaS solution with the lawyer, they must maintain it as well.
Most SaaS suppliers will also split their operating costs across multiple clients.
A server might support hundreds of clients, yet if you need a solution for your escrow then the cost is just for you and not shared.
This makes the cost many times higher than the original service you’re paying for.
You still need to mitigate the risk of the supplier going out of business, so what can you do?
Mitigating the risk
This is a serious and legitimate question to ask and warrants review and consideration.
As Thomas Glennon frequently reminds management, “risk within our means” is the best you can hope for.
The supplier will usually have had to address this question with clients before, so ask them what worked for other clients.
Some suppliers ignore the risk
- We’re so big it’ll never happen. This leaves you in a tough spot and you make your choice and accept the risk.
- If it happens, tough! Considering options would be a good idea here.
However some suppliers try to give you mitigation
- Hand over solution: This is where one of the supplying partners to the supplier agrees to take over. As a result the partners mitigate their risk of their potentially unpaid bills.
- Client takeover: A current client takes over the business and continues to supply the solution for all clients.
Some suppliers can offer dedicated infrastructure solutions which cost more to operate but could be handed over to you by the lawyer, bills and all, in the event of the supplier going out of business.
Usually these options will have a much higher ongoing running cost as you need to have dedicated infrastructure just for your solution. The supplier will also have to have a business model which supports this capability. It still doesn’t address the operations manual but would give you a strong starting point.
You still have the other options previously mentioned
- Investigate competitors who deliver a similar but equally capable solution. You will need to develop a disaster plan in order to be able to move to them.
- Write your own software in house. You also accept the risks and challenges that go with this.
- Invest in the software business to make sure you know exactly what’s going on. This is only possible if the supplier is willing to consider offers.
Getting a costing for an escrow is going to be astronomically high in comparison with current delivery costs.
In my experience these costs are far higher than the risk can warrant mitigating.
Treating software escrows and SaaS escrows as the same thing is not possible, but the confusion is understandable.
As mentioned I’m not a lawyer but I have been through these discussions more than once.
I have sat in discussions as supplier and client.