Where has my Supply Chain Data Gone? – The Importance of Software Escrow Agreements for Vendor Managed SaaS based SRM / SPM / Supply Chain Apps
In this article we look at how the drive to outsource Supply Chain Systems has raised awareness of the importance of Software Escrow Agreements for SaaS based Supply Chain Apps.
Scenario:
Day 1: You try to access your Vendor Managed Supply Chain application and it is not available.
Day 2: You find out the vendor has gone out of business.
Day 6: You enact the escrow release.
Day 14: You have the escrow files but still can’t compile the escrow code easily.
Day 27: You have finally gotten the application partially running again on new servers, but it is not yet live.
Day 28: You realize that your data is 3 months out of date and you don’t have the backups for the missing data.
Day 32: You ask the Third Party Hosting provider used by the Vendor for past backups.
Day 35: The Hosting provider refuses to release the backups, as the Vendor owes them an outstanding balance of over $300,000 for the last 3 months. What do you do?
Day 50: You have decided to pay the money to get the data.
Day 62: You are up and running, but the total disruption cost to your Supply Chain is circa $1.2 million in direct costs, plus huge business impact.
It is just a scenario, but what if that was your Supply Chain?
With the growth of SaaS, more and more companies are placing their Supply Chain Operations in the hands of the Supply Chain System vendors. In this article I will be covering best practices for ensuring that, should the vendor hosting your Supply Chain go out of business, you have a software escrow agreement in place to protect and recover this investment in your Supply Chain.
If you are running your Supply Chain Systems on a vendor managed SaaS basis then you are probably doing so on a user-licensed basis, where the Vendor is managing or has outsourced the hosting of that service. In this situation the Vendor is giving you access to the object code (the executable computer programs and supporting data) that is required for the Supply Chain software to run correctly in the cloud, or in some cases on premise within your own data center. But the vendor will typically not give you free access to the source code and detailed technical documentation for that software. They view that code/documentation as proprietary and confidential.
However, there are circumstances when you reasonably want access to the source code and documentation, e.g. if the vendor goes out of business or for any other reason cannot fulfill an obligation to provide the source code items.
A common solution is for the software vendor to place the source code in the hands of a specialist third party – this is commonly known as a “Software Escrow Service”. The Escrow business retains the source code and releases it to you under circumstances pre-agreed in an escrow agreement which both you and the software vendor sign. The software vendor knows you do not get access to the source code without good reason. You know you get access to the source code should you really need to. The deposits by the Vendor to the escrow service can be made monthly, quarterly or yearly. This differs in each agreement and is usually linked to the frequency of software updates by the vendor. The deposit is usually made by emailing a zip file, by FTP, or by sending a CD/DVD to the escrow service; the method is usually determined by the file size of the source code.
In this article we will look at some of the best practices for Software Escrow Agreements. Firstly, let’s look at what is put in escrow, i.e. the Software release, and how it is defined.
1. Defining Software Releases
The key thing here is to tie the scope of what is put in escrow to the contents of what you use for each release of software by the vendor. The scope here is relatively easy to define if you receive discrete releases, e.g. computer media or zip files over the Internet and installation instructions with each software release. Here the scope is what you physically receive with each release. Either way, you need to correlate the source code with the object code you start using with each release of the software.
As vendors often upgrade their software at a frequency not in line with your escrow deposit frequency, you need to take into account partial releases. For example, if you receive “dot” releases or patches, you need to know that you always have in escrow what amounts to a complete cumulative release.
You should end up agreeing what constitutes each “full release” with the software vendor. It is a good idea if what is put in escrow is the full release plus the matching source code items. That way, you can quickly reconcile both software source and executables if you ever need to use the escrow contents in a hurry.
While a full release will include all the code, database and configurations needed to get the software up and running again in your own environment, quite often it does not include the actual years of data you have gathered. Be sure to have a way of accessing your data backups, as you will need to restore these after the release is up and running. You would be surprised how many companies feel that they are protected by having the release code in escrow but find out later they don’t have access to the data.
2. Vendor questions you should ask to better protect yourself.
Whether or not you already have escrow in place, you should discuss the following questions with the vendor:
When are items put into escrow?
The escrow business typically confirms to both you and the software vendor when it receives new items to put into escrow. The software vendor should commit to a schedule here, e.g. escrow contents updated within X hours/days of a major software release or change of development environment, within Y hours/days of a minor release…
Are there any items in the release for which there is no source code in escrow?
The vendor may bundle into the release source or object code they do not own outright. You need to know if what is in escrow covers that as well. Some items in the release may be readily available (open source or already licensed to you directly). You need to know what those items are.
Are all the items in escrow free for us to use per the escrow agreement?
If there are 3rd-party source/objects in escrow, the suppliers of those may think their use is limited to the software vendor only. For example, the source/objects are licensed. If you directly use the items, it could be viewed as unlicensed/unauthorized use.
Can we extract the release from escrow and compare to what we currently use?
If you can periodically get the release contents – excluding source code – from escrow and compare to the contents of the release you are currently running, this provides a good sanity check that the release held in escrow is complete and up-to-date. Whether the source code in escrow matches the release in escrow is a different issue.
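One way to run this comparison, as an added example that is not part of the original article: hash every file in the escrow copy of the release and in the release you are running, then report what is missing or different. It assumes both are available as directory trees; the file names, the `.java` source suffix and the sample contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root, exclude_suffixes=()):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix not in exclude_suffixes:
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def compare_release(escrow_dir, running_dir, exclude_suffixes=()):
    """Reconcile the escrow release against the running release."""
    esc = manifest(escrow_dir, exclude_suffixes)
    run = manifest(running_dir, exclude_suffixes)
    return {
        # In production but never deposited, e.g. a "dot" release or patch.
        "missing_from_escrow": sorted(run.keys() - esc.keys()),
        "only_in_escrow": sorted(esc.keys() - run.keys()),
        # Same path, different bytes: escrow holds a stale or different build.
        "content_differs": sorted(k for k in esc.keys() & run.keys() if esc[k] != run[k]),
    }


def demo():
    """Constructed sample: escrow holds 4.1, production runs 4.1 plus a patch."""
    escrow = {"bin/app.bin": b"build-4.1", "conf/app.properties": b"pool=10",
              "src/Main.java": b"class Main {}"}
    running = {"bin/app.bin": b"build-4.1.2", "conf/app.properties": b"pool=10",
               "patches/4.1.2.sql": b"ALTER TABLE supplier ADD rating INT;"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("escrow", escrow), ("running", running)):
            for rel, data in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        # Source files are excluded, as the comparison covers release contents only.
        return compare_release(Path(tmp, "escrow"), Path(tmp, "running"), (".java",))


if __name__ == "__main__":
    print(demo())
```

Any entry under `missing_from_escrow` or `content_differs` means the deposit no longer amounts to a complete cumulative release of what you are running.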
Can we sample the source code held in escrow?
The escrow business may know little about software technology. They are unable to look at lines of source code and know what it is they are looking at. If you want to have a look at some of the source code, you have to agree with the software vendor how that happens. This may involve using a new third-party e.g. an independent IT consultant. For example, the escrow company provides a list of computer files it holds. The IT consultant – in agreement with the software vendor – picks 10%-20% of the computer files to review. The IT consultant then reports back to both you and the software vendor.
What do we need to use the source code we get from escrow?
There is not much point in getting the source code from escrow if you don’t know what to do with it. For example the software vendor may have a development environment (compilers and other development tools, multiple computers for development and testing etc.) that your business will find difficult to replicate. You need some clues upfront as to what you need to do if you receive the source code from escrow – particularly if the vendor is unable or unwilling to help you at a later date.
How do we verify the technical usability of what is held in escrow?
The escrow business may offer a service here – from a basic inspection of escrow contents to full verification of escrow contents. You may want to agree with the vendor separate steps for confirming the usability of what is held in escrow.
Has the Vendor used any Third Party Plug-ins?
Vendors often use third party plug-ins in their software. Not having those identified, or not having access to them, can cause problems. Ask your vendor about any product features that require third party plug-ins and about the licensing arrangement.
Can we modify the source code we get from escrow?
Apart from recompiling the source code, you may want to extend it – for example to add features that the vendor is no longer willing or able to provide.
How often are backups done, and where are backups stored?
The question of backups should also be addressed, because if your escrow agreement is only quarterly then you could be out up to 12 full weeks of data. So even when you get your code from the escrow release up and running, you may still be short 3 months of data. How costly and disruptive would that be to your supply chain operations? My recommendation here is to discuss this with your vendor and get yourself some way of accessing backups.
Does the Vendor Outsource the Hosting of the service to a Cloud / Hosting provider?
What happens if the Vendor has not paid that 3rd party? Will you still have the same access to your data? Will you have to pay the Vendor’s full outstanding bill with the third party just to get your data? Ask your vendor for the contractual terms of this arrangement with respect to a closedown scenario.
What is the current Configuration of Servers needed to Host the application?
You also need to ask the vendor what the current server specs and configs are in order to rebuild. You should also know where you can host this application in the event of Vendor going out of business.
Is there any restriction on our employing your personnel?
If your relationship with the software vendor breaks down completely, you may need help to use the contents of what you retrieve from escrow. One option is to recruit someone from the vendor to join your business. You need to know if that option is limited in any way.
One further major question is “What triggers release of full escrow contents to us?” So let’s have a look at those conditions.
3. Escrow Release Conditions
These are the conditions under which a “full release” of everything held in escrow to you as the software user is triggered. These will definitely be included in the escrow agreement, but they are so important that they deserve to be covered independently in this guide.
Some possible trigger conditions are:
Bankruptcy of vendor.
The bankruptcy process is clearly defined in every jurisdiction. Note that some jurisdictions allow a “protection from creditors” stage such as Chapter 11 in the United States. The vendor may be in this state for several months or years while they reorganize and seek to emerge from bankruptcy. Existing contractual obligations may also be waived under this arrangement.
In short, you need to look at the bankruptcy statutes in the country of incorporation of the vendor. This may be neither your country of incorporation nor the country of jurisdiction of the escrow agreement.
Vendor ceases trading.
A “cease trading” or “cease operating” condition can be very difficult to define. Several factors could be used in evidence:
1) Vacates premises: In other words, the vendor has no remaining physical office space. The only way to contact the vendor is via the Internet or a shared registered office.
2) Loses personnel: A group of key personnel could suddenly leave the vendor. Or the vendor loses all employees and the remaining executives (directors, company secretary etc.) have no substantial further role in running the business.
3) Becomes difficult to contact: The vendor stops responding adequately to your emails, letters and phone calls.
Vendor breaches terms of a license or support agreement.
This can be fairly easy to define, although most software vendors will have a problem with a blanket inclusion. This is not unreasonable. They could be concerned that you use a relatively minor breach of an agreement (e.g. their response to your calls to their helpdesk falls temporarily below an agreed service level) to “steal” their source code.
Change of ownership or structure at the vendor.
The vendor could be acquired by another organization that you would prefer not to do business with e.g. a key competitor to your business or another software vendor with whom you have prior bad experience. Or the vendor reorganizes such that their domicile moves to a jurisdiction with which you would rather not be associated. It is difficult to know in advance which new controlling party/structure is likely to give you concern. The vendor is unlikely to accept a blanket clause that triggers escrow release for any change in their organization which you simply “do not like”.
Vendor discontinues software / software enhancement.
The vendor can continue trading, but allocates no/few resources to the resolution of problems with the software and its ongoing development. This is not unusual. Most software reaches “end-of-life” and goes into minimal maintenance mode. The vendor may switch resources to a new-generation product that they expect you to license separately.
In summary, if your vendor is hosting your supply chain data on an application that you are licensing from them, you should definitely have a software escrow agreement in place. They are not costly, and usually cost in the low thousands of dollars. This is a low cost compared to the huge costs you would face in trying to rebuild your supply chain operations should the supplier go out of business.
If you do have the applications you license from your vendor covered under escrow then I hope the article was useful in making sure you have everything you need to reconstruct your system in the event of a condition triggering escrow release.
I welcome any comments, or experiences good or bad, that would help us all plan for better escrow management of Vendor Hosted Supply Chain Applications.
Also keep an eye out for the other ad hoc articles I post on SRM, SPM, e-Procurement, and Data Management. See list below.
View a list of all our SRM / SPM / P2P Best Practice Articles on the OutPerform Best Practices Blog
About : Daryl Fullerton
Daryl is a Supplier Performance and Relationship Management Specialist at Outperform SRM. He provides guidance and consultancy on the design, development and Implementation of various Supplier Performance & Relationship Management Systems for Global Oil & Gas Operators and Service Companies across Upstream, Midstream and Downstream Sectors.
Specialisms include Supplier Performance & Relationship Management, Supplier Risk Management, Supplier Enablement, Operational Risk Management, Contract Compliance Management, Scorecards, KPIs, P2P Process Automation, PIDX Standards, and Management Information & Reporting Systems.
A keen promoter of and believer in the importance of his ‘partnering to solve’ approach in improving Operator / Supplier Relations, in 2015 Daryl was awarded the honor of “Supply Chain Pros to Know” in recognition of the leading supply chain professionals and experts worldwide.
About : OutPerform SRM
OutPerform SRM is a management consulting firm that helps leading Oil & Gas businesses establish value added solutions for effective Supplier Relationship Management (SRM). We help our clients reduce inefficiencies, reduce costs, and make lasting improvements within their Supplier Relationship Management (SRM), Supplier Performance Management (SPM), and many more important business critical Supply Chain Initiatives. Through our hands-on experience with Major Oil and Gas Operators over the last 17 years we’ve now built a firm uniquely equipped for this task across all Major Category Lines.
Our Experts have experience of working with a wide range of internal and external stakeholders, with the ability to build relationships and influence outcomes. Our experience of supplier performance management includes detailed knowledge of processes and frameworks, including commercial performance management of contracts and knowledge of supplier risk management techniques.