Components of the escrow arrangement for SaaS

Whatever arrangement you need, it consists of three parts: escrow agreement, verification & deposit.


1. The escrow agreement (legal).

The escrow agreement is the legal document in which you record all agreements made.

We release the materials in our custody (the repository) to the beneficiary or foundation if the software vendor can no longer ensure the continuity of the software application. Then any arrangements for temporary continuation of services that may have been agreed with the service provider take effect. We release the materials under strict conditions and based on verifiable facts that must be consistent with the grounds for continuation from the escrow agreement.

Thus:

  • the escrow agreement protects the continuity of the beneficiary
  • the strict control of the predetermined grounds for continuation also protects the continuity of the supplier

2. The technical verification (control)

We check the material given on deposit so that software vendors and users can be sure that the material is complete and working properly. We call this the Technical Verification Service (TVS). We perform it at four levels (TVS Levels), depending on the situation and on supplier and user requirements.

TVS Level 1 - Integrity verification.

This basic verification is standard in our services; we perform it on every submission of material. It includes checking the integrity of the material. It provides assurance that the material deposited is, among other things, virus-free, accessible and of the expected type.

TVS Level 2 - Material audit

This is the basic verification plus an audit of the material given on deposit.

  • One way we verify is through spot checks on the material.
  • We check that specific agreements regarding the material have been met.
  • We determine if libraries or files are present.

TVS Level 3 - Complete verification.

A complete verification shows that the material deposited meets the stated continuity purposes of the escrow arrangement. What a complete verification involves for SaaS depends entirely on how the escrow for SaaS arrangement is constructed; the main objective is always to verify that the deposited material meets the stated continuity objectives. Thus, verification can focus on such things as the technical continuation of the application and hosting environment, re-deploying the application in another environment, rebuilding the application, up to and including a fallback similar to disaster recovery. A complete verification can be compared to a fire drill: our verification consultant simulates the steps that are also taken in an escrow situation.

The scope of the complete verification is discussed in advance with the parties involved and recorded in a project plan. In this way, it is clear to all parties what tests are being conducted and what the expected results should be. Generally, therefore, full verification of SaaS involves customisation and may include:

  • Is there access to the necessary servers and application environment?
  • Is there sufficient information and documentation in place to continue the SaaS service?
  • Have sufficient (management) rights been provided to continue the SaaS service?
  • Can the application environment be rebuilt or deployed elsewhere?
  • Is it possible to switch to the application fallback environment?
  • Does the source code compile based in part on the information contained in the repository?
  • Is there access to the necessary data?

TVS Level 3 is performed at Escrow Alliance’s software lab or, if necessary or desirable, at the software vendor’s location.

TVS Level 4 - Customised verification.

Customised verification is possible. Consider:

  • testing components of the software
  • checking how the software behaves in a complex environment
  • specific controls applicable to your situation

3. The deposit (secure storage).

The deposit (escrow deposit) consists of materials needed to ensure continuity if the supplier goes out of business. Therefore, the material must contain everything to ensure the desired continuity.

Consider:

  • Source code
  • Executables
  • Application
  • Virtualised machines (VMs)
  • Containers, such as Docker containers, for rapid deployment of applications in your own environment
  • Data
  • (Access) data for hosting/cloud services
  • Documentation for redesigning the SaaS environment


Thus, in escrow for SaaS, the material does not consist only of source code. In some cases, source code does not even play a role.

How can you submit?

We like to make submitting material as easy, efficient and manageable as possible. Therefore, we look at the options available to the software vendor.

Submissions can be made, for example, via:

  • secure FTP
  • various source code management systems such as GitLab, GitHub, Bitbucket
  • cloud environments
  • a mix of delivery methods

Dual storage

Escrow Alliance offers dual storage of material as standard. That is, we keep a copy of the deposit in two geographically separate locations.

Storage takes place in the Netherlands and can be:

  • physical, in specially equipped data vaults
  • electronic, on well-secured servers
  • both physical and electronic

The vaults are ISO 9001 and ISO 27001 certified, as is Escrow Alliance itself. Only authorised and screened personnel have access to the vaults.


What if Escrow Alliance ceases to exist?

In the escrow agreement, we stipulate as standard that the deposits will be returned to the supplier or go to a newly designated escrow agent if Escrow Alliance unexpectedly goes out of business. To fulfill this promise, the Continuity and Guarantee Escrow Alliance (SCWEA) Foundation manages the vaults. The foundation has the right to return materials in that case.

What is the most suitable solution for your situation?

Find out about the possibilities; we are happy to think along with you.