What is source code escrow?

Source code escrow is a tri-party arrangement where a software vendor deposits source code with an independent escrow agent (e.g., Iron Mountain, NCC Group, Codekeeper), with release conditions that protect the customer (licensee) if the vendor becomes unable to support the software. Escrow agreements typically release the source code to the customer upon defined triggers — vendor bankruptcy, material breach of support obligations, cessation of business — letting the customer maintain the software independently. Escrow is the standard customer protection for mission-critical enterprise software licensed under “binary only” terms.

Release trigger events (typical)

  • Vendor bankruptcy or insolvency: liquidation, Chapter 11, equivalent jurisdictional proceedings.
  • Cessation of business / discontinuation: formal exit from market, product end-of-life.
  • Material breach: failure to provide contracted support, maintenance, or security patches for an extended period.
  • Acquisition triggers: change of control where successor entity discontinues support.
  • Customer-defined triggers: tailored to deal context (regulatory mandate change, key person departure).

Deposit content beyond source code

  • Source code: full version-controlled codebase.
  • Build instructions: compilation environment, dependencies, build scripts.
  • Documentation: architecture, deployment, configuration documentation.
  • Third-party licenses: OSS bill of materials, commercial library entitlements.
  • Update cadence: typically quarterly or per major release.

Escrow verification

  • Basic verification: escrow agent confirms deposit completeness.
  • File-list verification: agent confirms specific files match deposit schedule.
  • Compile verification: agent compiles source code in a clean environment to verify buildability.
  • Functional verification: compiled output meets functional tests — highest assurance level.
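
As an added illustration (not part of the original page and not any escrow agent's tooling), the sketch below shows what a file-list verification can check: every file on the deposit schedule is present with the expected SHA-256 hash, nothing unscheduled was deposited, and each deposit content category has at least one file. The directory prefixes, function names and sample files are assumptions made for this example; it does not attempt compile or functional verification.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical path prefixes for the deposit content categories listed above.
REQUIRED = {"source code": "src/", "build instructions": "build/",
            "documentation": "docs/", "third-party licenses": "licenses/"}

def sha256_file(path):
    """Hash a file in chunks so large deposits do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_deposit(root, schedule):
    """Compare files under root with schedule (relative path -> SHA-256 hex)."""
    root = Path(root)
    actual = {p.relative_to(root).as_posix(): sha256_file(p)
              for p in root.rglob("*") if p.is_file()}
    report = {
        "missing": sorted(set(schedule) - set(actual)),
        "unexpected": sorted(set(actual) - set(schedule)),
        "mismatched": sorted(p for p in schedule
                             if p in actual and actual[p] != schedule[p]),
        # A category with no deposited file can leave released code unusable.
        "empty_categories": sorted(name for name, prefix in REQUIRED.items()
                                   if not any(p.startswith(prefix) for p in actual)),
    }
    report["ok"] = not any(report.values())
    return report

def demo():
    """Constructed sample: one file altered after scheduling, SBOM never deposited."""
    files = {"src/main.c": b"int main(void){return 0;}\n",
             "build/BUILD.md": b"make all\n",
             "docs/architecture.md": b"# Architecture\n"}
    schedule = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
    schedule["licenses/sbom.json"] = hashlib.sha256(b"{}").hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        Path(tmp, "src/main.c").write_bytes(b"int main(void){return 1;}\n")
        return verify_deposit(tmp, schedule)

if __name__ == "__main__":
    print(demo())
```

A clean report from a check like this only shows that the deposit matches its schedule; whether the code builds is what compile verification adds.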

For Turkish enterprises and software vendors

When large Turkish enterprise customers (banks, telecom operators, government agencies) license software from Turkish or international SaaS/software providers, they request source code escrow as standard, particularly for critical systems (core banking, billing, ERP). On the Turkish vendor side, use of international escrow agents (Iron Mountain, NCC Group) is common; local Turkish escrow options (such as TÜBİTAK BİLGEM) are limited. Under Turkish law, an escrow agreement is valid within the scope of freedom of contract (TBK Article 26); the specific details of the release triggers (in particular, coordination of the bankruptcy trigger with the Turkish Enforcement and Bankruptcy Law, İcra İflas Kanunu) are negotiated. KVKK and data localization requirements may affect the location of the source code deposit.

Do: negotiate compile verification (not just file-list); update deposit at least quarterly or per release; document exact license grant scope upon release.
Don’t: assume escrow alone is sufficient — without OSS BOM, build instructions, and documented dependencies, released code may be unusable.