18th Dec 2017

Software Escrow – the limits and challenges in SaaS

With over 20 years’ experience in digital and technology law, specialist Paul Berwin explains the limits and challenges of a SaaS solution.

I may have been busy working for technology companies since the world wide web were a lad, but my first iteration was nothing to do with the web, but with the installation of software.

More specifically, a small software company, with a great and really useful product, had been asked by its first or second customer for an escrow agreement. Because the vendor was a startup business – as they weren’t called at that time – the customer, an international law firm, wanted to know that if the start-up shut down, they would be able to get at the source code of the software to maintain it.

Becoming a source of expertise 

The first thing I had to learn was what source code was; and the second was to find out what escrow was. This then got me engaged with the National Computing Centre in Manchester, a government body at the time – now, the privatised NCC Group, with an international reach and still, for me, the default choice of escrow agent. Not cheap, but with an expert service, thoroughly evolved and a trusted procedure and set of agreements.

So the start-up grew up, and was acquired, and its acquirer was acquired, to be, now, part of a global company. The source code for that product, much evolved and regularly updated, remains in escrow with NCC. They’re still clients, which is great. It isn’t, though, just the start-up which grew up – so did the world wide web.

As software has become, more and more, delivered as a service, spreading the cost of the service and saving on infrastructure, the concept of escrow faces different challenges. If the software is installed on your premises, then if you have the skills, access to the software might enable you to maintain it. It might, it might not – it depends on the code deposit and the customer’s resources; but if the software is installed somewhere else, and – at least as importantly – your data running on the software is somewhere else, then access only to the source code really won’t help. This is the SaaS challenge to escrow.

The SaaS Challenge 

Recently we did some work with a vendor where the source code was deposited with NCC, but we had to find a “private” solution to achieve continuity by having in place a “continuity partner” who understood the software and was put on retainer to step in, keeping the lights on with the hosting provider if the developer failed. Our writing this up in Computers & Law Oct-Nov 2017 led to an invitation to visit NCC’s offices in Manchester.

NCC’s initial response to SaaS (Software as a Service) was to put in place a process where it received an alert if a payment to a software hosting company didn’t get paid, so it could run its backup version of the software, obtain a copy of the data, and keep the lights on that way. Initially, the continuing difficulty was that NCC didn’t have access to or the ability to run the data before the failure occurred, without which the software might be of limited value. If the hosting provision was switched off without the amber light of a payment failure, access to the data could be lost. There is now a safety net behind that with hosts, such as AWS, who have specific payment terms which mean they have to leave the service on for a minimum of 30 days after non-payment. This should provide sufficient time to get the system up and running and can be emulated via the relevant verification services.

NCC acknowledge the issue, and are working on a number of solutions, and in particular in running mirror applications with the major hosting providers. This does, though, involve considerable expense, and because the software providers will often not be in a position to fund that, the customers have to be willing to pay all the SaaS escrow costs. If there is more than one potential provider, then this will put the small, less well-resourced supplier at a disadvantage. Regulated customers such as banks may be inclined to go to the longer established providers rather than new FinTech innovators, because those regulated corporates have to satisfy their regulators of their resilience. With the larger providers, they may feel if they have the assurance of size, longevity and capital in a supplier, they can forego the protection of escrow. By doing so, they are pushed into a more conservative technology direction, and perhaps a more expensive one.

NCC know this – hence their invitation to me to meet them – and escrow is an important part of their service set. Being able to provide a level of assurance to allow innovators to source customers, in fields such as FinTech or HealthTech, is not only an important encouragement to innovation, but a necessary maintenance of NCC’s market.

Escrow matters; it provides the guarantee which enables corporates to choose challenger suppliers. Even with the private agreement solution we developed in one case, escrow was still a component. For ourselves, we are big champions of the challengers, the independents. We will continue to work with NCC and others to develop solutions which will assist and not hold back these businesses. These are the lifeblood of the tech industry and its dynamism, and are essential to its future.

Paul Berwin is a Commercial and Digital Law Specialist at Berwins Solicitors. He is an Accredited Member of the Society for Computers and Law and a commentator on digital law.
