Why SaaS Escrow is Essential for Legal Professionals to Protect their Clients

 

Cloud computing has transformed the business world, with many businesses today moving from on-premise software to cloud-based software-as-a-service (SaaS) solutions. As noted by Gartner, “By 2028, cloud computing will shift from being a technology disruptor to becoming a necessity component for maintaining business competitiveness.”

In the U.S., cloud adoption has grown significantly. According to grandviewresearch.com, “The U.S. cloud computing market size was valued at USD 216.91 billion in 2023 and is projected to grow at a compound annual growth rate (CAGR) of 20.3% from 2024 to 2030.” This trend reflects the increasing reliance on cloud services across various industries. However, questions among legal professionals in the US and Canada persist around whether software escrow solutions are necessary in this cloud-dominated era.

At Escrow London, we connect with many IP, technology and commercial legal professionals as part of the escrow engagement and provisions we deploy. When broadening our reach with the legal community, we discovered that many attorneys viewed software escrow as obsolete with the shift from on-premise software to cloud-based SaaS solutions, as clients are no longer directly managing the software. Their assumption was that, since SaaS operates in the cloud, traditional software escrow mechanisms are less effective or that the associated risks are significantly reduced. Additionally, with frequent updates of SaaS products, there is belief that maintaining SaaS escrow can become challenging, with concerns that clients will struggle to redeploy the software themselves to ensure business continuity. This perspective is highlighted in the following quote.

“We assumed clients wouldn’t need software escrow as they have moved away from on-prem software. We weren’t sure how software escrow mechanisms could be applied to SaaS solutions to mitigate risks for our clients.”

While SaaS adoption provides clear benefits – such as scalability, speed to market and less operational management for clients – it also introduces a unique set of risks and greater reliance on the vendors. Contrary to the previously mentioned assumptions about software escrow, the reality is in fact quite different. With additional reliance on their software vendors, SaaS increases end-user exposure. Not only for developing the functionality of the software, previously deployed on the client’s own data centre servers, but also for the uptime, availability and management of the supporting cloud infrastructure environment services and their data too.

This model makes SaaS escrow  crucial for protecting clients’ interests, especially when considering supply chain and vendor failure risks such as insolvency. This is a real risk which financial regulators worldwide, such as the Federal Deposit Insurance Corporation (FDIC) and Federal Reserve Interagency (FRI) in USA, Office of the Superintendent of Financial Institutions of Canada (OFSI), Prudential Regulatory Authority (PRA) in the UK, Australian Prudential Regulatory Authority (APRA), European Banking Authority (EBA) across EU and Reserve Bank of India (RBI), have tightened regulations to include provisions for software escrow and/or measures addressing supplier insolvency to appropriately manage third-party solution risks. Under their respective, most recent guidelines and compliance ruling, financial institutions are now responsible for assessing and mitigating supply chain risks such as planning and testing stressed exits, which SaaS escrow can assist with.

Understanding SaaS Escrow

Similar to software escrow, also known as source code escrow, where critical software source code is stored with an independent third party, SaaS escrow follows a similar approach, where critical software assets can be stored with a software escrow agent for release and use under certain conditions. While SaaS escrow may be used for the source code of a SaaS solution, SaaS escrow arrangements also include additional materials for tangible outcomes in a release event as source code alone might not be enough to recover a full SaaS solution. These agreements typically also include deployment scripts, containers, snapshots and databases which are essential for maintaining or fully recovering a software solution. These materials can then be used to rebuild and deploy a complete replica usually within AWS, Microsoft Azure or Google Cloud. Or in certain cases, SaaS escrow may also incorporate access to the existing production cloud environment, including the data hosted within a SaaS application enabling companies to utilise the existing service and have access to assets to maintain it appropriately.

Client data is a critical factor in SaaS escrow, offering businesses protection by ensuring a backup copy of their data is available, or by providing access through the production account, in the event of supplier failure or other potential incidents with the SaaS provider. Without the historic or client data itself, many SaaS applications will be useless.

To support customers who either don’t have the skills or desire to run their own systems, there are options available for the software escrow agent to minimise service disruptions and take over the operational management, redeployment, and/or management of the solution in the event of supplier failure where clients may not .

For a further explanation of SaaS escrow, take a look at our recent blog which explores the key differences of software escrow and SaaS escrow.

SaaS Escrow Benefits

1) Business continuity for critical SaaS solutions – Investing in a SaaS escrow solution helps with business continuity and mitigating against risks associated with modern cloud service delivery methods and the growing responsibility of service providers. The cost of SaaS escrow is usually a very small percentage of the overall cost of an investment in the SaaS technology.

2) Providing access to up to date assets and client data – A SaaS escrow agreement will only provide tangible value if the deposited assets include all materials required to recover or maintain the solution as well as being up-to-date and accurate. Investing in a SaaS escrow vendor who can introduce automated deposits as standard as well as verify the deposits will give your clients peace of mind that they have safe and regular back-ups of the application code and crucially their data where required.

3) Verification Testing – as mentioned above, investing in a SaaS escrow vendor who can introduce automated deposits as standard will provide added benefits particularly with the frequency of changes and development releases for modern software. However clients will require periodic verification testing by the SaaS escrow vendor to ensure the latest deposit materials and releases are tested for completeness, they are deployable and useable in the event of vendor failure.

5) Dispute Resolution – SaaS escrow agreements typically include provisions for dispute resolution, ensuring a fair process for your clients and the software provider if conflicts arise.

6) Comply to Regulations – U.S. regulatory agencies, like the OCC, FDIC, and Federal Reserve, updated third-party risk management guidelines last June. These include recommendations for software escrow agreements, ensuring access to source code to cover risks with specific situation such as vendor insolvency. A SaaS escrow agreement helps businesses adhere with these regulations and best practises.

Why the Need for SaaS Escrow is Growing

The misconception that software escrow is outdated, stems from the idea that cloud-based services are naturally secure and always available. However, the numerous high-profile IT outages and increased bankruptcies, due to tough market conditions and reduced access to funding globally, have proven that no vendor is secure. Businesses cannot afford to be left without a contingency plan when these disruptions occur.

SaaS escrow meets the needs of today’s cloud-based world. It ensures businesses have access to up-to-date source code, data, necessary documentation and access credentials to continue operations, even if the SaaS vendor can no longer provide service.

SaaS is here to stay and with it comes the need for new strategies to mitigate risks. For U.S. and Canadian businesses, ensuring business continuity and regulatory compliance through SaaS escrow is no longer optional—it’s essential. While some attorneys may believe software escrow is a thing of the past, the reality is that it has evolved to meet the demands of the cloud-driven, SaaS-centric world we operate in today.

By leveraging SaaS escrow, businesses can protect their critical applications, data and continuity in an increasingly unpredictable landscape. Now is the time for legal professionals to recognise its value and ensure their clients have the right protections in place.


##

About Escrow London
Escrow London is a global software and SaaS escrow company with offices in Sydney, Australia and London, UK. Our North American division called The Escrow Company, is based in Atlanta, US.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

To find out more about Escrow London and our software escrow and SaaS continuity escrow solutions, also visit our YouTube channel.