Software escrow – deposit procedure
It is absolutely logical that software producers have reservations about any manipulations with their source codes, including depositing them. Given our many years’ experience with software development, we very much understand their approach. Companies spend even several dozens of years building their know-how so they need to guard it very well. Therefore, we focused on maximum protection against revealing source codes when designing our fully electronical procedure. We have come up with an extra safety software escrow which guarantees protection of the code on an above-standard level due to principles of asymmetric cryptography
As a result, the archive with source codes can be deciphered only by the software user – the licensee. Our procedure then makes sure that the user does not gain access to the archive before the conditions for access are met.
Check individual phases of the complex software escrow services we offer.
1. Consultation of contractual relations
Both the software producer and user enter into agreements that define conditions for implementing,
delivering, and subsequent administering the application (general contract for work, implementing contract – an obligation to provide services, SLA etc). In the initial phase of the procedure our lawyer provides consultations on already existing agreements and adds a suitable software escrow agreement. This agreement then provides the user with access to the source codes and other software tools necessary for using the software in case the conditions for access agreed on in the agreement are met.
Second important step is to create an inventory which describes all the software necessary to properly maintain and run the current version of the application. It is the producer who is responsible for creating the inventory while the user approves of individual items. The complete inventory approved of by both the parties is then submitted to DEPONEST and it usually contains following items:
- name of the software;
- version of the application;
- release date of the version;
- brief description of its functionality;
- source codes, libraries of third parties, procedure for creating the software;
- description of development environment – development tools, DB connection, configuration;
- current technical documentation;
- current project documentation shared with the client – business and function specifications;
- any other items specific for the given application (access keys and passwords).
The material in deposit is complete only if it contains all the software necessary for running, administering and maintaining the application. Creating and approving of a quality inventory is the main building block of software escrow.
Next phase of the deposit procedure is the most important step in terms of securing investments in software. The basic verification serves for checking if the deposited digital material corresponds to the inventory agreed on previously and if the source codes, including necessary software, are compatible with the specific type of programmed software. We are able to carry out this verification without reading the contents of the source codes which is the protected verification called – extra safety software escrow.
Using the service “extra safety software escrow” eliminates the risks of revealing the source codes.
With the help of specialized software the user generates several keys; a public key designed to encipher the data needs to be sent to the software producer while a private key for deciphering is to be kept at a safe place. This tool uses an asymmetric RSA algorithm in combination with a powerful symmetric cipher. DEPONEST checks if all the files agreed on and defined in the inventory are present with no need to be able to read the contents of those files.
4. Technical verification
Technical verification of source codes is in fact about checking whether it is possible to create from the received source codes a full information system in the same version which is currently running in client’s production. The source codes are compiled by our IT specialists for a specific type of software. The aim is to make the program run and to carry out a short smoke test (based on the type of application). It is only this procedure – or a very similar one – that can guarantee that the source codes can be used whenever needed. If there is no technical verification the user has to make do with a lower-level verification and with a declaration of the software vendor who is responsible for preparing the source codes to be deposited.
It is obvious that carrying out the technical verification is not compatible with using the extra safety software escrow, as DEPONEST needs to be able to read the source codes. This is why in such a case we focus on securing them by contract.
5. Releasing the archive
On the user’s request DEPONEST checks if the conditions for releasing the archive from the deposit are met. If so, the user receives a ciphered packet which needs to be deciphered by the private key. The source codes and all related development equipment may be provided to some other software supplier and the user may continue using the software.