Information Security · Technology

What are the ins & outs of a Technology Escrow Service?

Jimmy Tinio Telecom & IT Entrepreneur/Businessman

October 12th, 2016

I am interested in offering my clients a third party source code depository service (Technology Escrow), but I still have little idea how this is being done. Any help is very much appreciated.

1) What infrastructure is required?
2) Is this depository server done online or offline, like a bank vault?
3) What are the important technical components of the service contract?
4) How is this service priced?
5) Any other information I should know?

Thank you

JP Harvey Helping Secure Businesses via Virtual Information Security Teams

October 13th, 2016

Hi Jimmy,

We've not had a client who did this for many years and don't have all the answers, but here goes:

1. Typically it requires a secure infrastructure that is access controlled and audited
2. Usually offline, in a secure facility
3. Not sure about this one
4. Not sure about this one
5. Probably a lot!

Anyone serious about escrow is likely to use a service like Iron Mountain, who already have the secure facilities to house offline digital and paper records. On the other end of the spectrum, an online account with a third party custodian would be much cheaper and faster but offer fewer assurances.

We had an enterprise SaaS client who offered it to their clients, and it was with a similar service to Iron Mountain. It was more than just the code: it was the code, the client data, and instructions for rebuilding the infrastructure and getting the application set up in an on-premise environment.

If you're looking to set up the service yourself, think about the level of assurance the clients need before anything else and design for that. An online repository may be fine, or maybe you need a safety deposit box where you can put the storage medium. Building your own environmentally controlled facility with guards and cameras is likely to be out of the question. You'd probably also want to think carefully about operational security around who has access to the data, and contingency plans for what happens if you as the third party go out of business or face some other catastrophe.

An incomplete answer, but I hope that helps.