Software escrow: securely deposit your source code with on:mint, our legal-tech solution

What is software escrow?

With software escrow (also called source code escrow or code deposit), the source code — the human-readable part of a software application — is deposited with a neutral, trusted escrow provider, where it is held securely, confidentially, and on a fiduciary basis. Access to the code is granted only under contractually defined conditions — for example, if the software vendor fails to meet its maintenance obligations, files for insolvency, or permanently shuts the software down ("decommissioning").

Source code deposit is a well-established tool that lets software licensees and enterprises hedge against the risks of vendor dependency. This matters most when the software in question plays a business-critical role.

If a software vendor stops delivering — whether because of insolvency, going out of business, or breach of contract — your ability to keep using the software can take a serious hit. The result: operational disruption and significant financial damage.

A legally sound source code deposit, secured through a digital escrow solution, ensures that the code is released to the licensee whenever a contractually defined "release trigger" is met. With the code in hand, the company can take over maintenance and continued development on its own and keep the business running without interruption.

For software vendors, the upside is just as clear: you can give your customers peace of mind without exposing your source code — or your intellectual property. That builds stable, long-term customer relationships and creates a balanced arrangement for both sides. The licensee gets security and continuity; the licensor's IP stays protected.

What is digital escrow?

Source code deposit is one piece of the broader digital escrow space. Other forms of deposit we offer include:

IP Escrow: Protects trade secrets and other intellectual property beyond traditional software. Eligible materials include sensitive technical and operational information such as machine data, design and engineering data (e.g., circuit board schematics), bills of materials, supply chain documentation, and chemical recipes and ingredient lists. It also covers technical specifications and configuration data for manufacturing equipment components, including their setup and operating parameters.

Key Escrow: Securely deposits sensitive access credentials — passwords, cryptographic keys, general access data (e.g., for production cloud environments), and cryptographic hash values.

Data Escrow: Enables secure storage of large data sets to preserve their integrity and availability even if systems fail. Both structured and unstructured data can be deposited, including input and output data or data sets used as the basis for statistical analysis. Common use cases sit in the IoT and IIoT space — for example, machine-generated data from M2M communication.

AI Escrow: Provides secure deposit of the core components of AI systems. This covers the algorithms and model architectures of untrained AI models or neural networks, along with the associated training and fine-tuning data sets. Depending on the use case, you can also deposit selected operational data — for example, curated live data or large vector databases used in retrieval-augmented generation (RAG) applications. The result: the data and model assets that are critical to running and reproducing your AI systems are secured for the long haul.

When does software escrow make sense?

The biggest risk software escrow is designed to address is vendor insolvency. Under Section 103(1) of the German Insolvency Code (InsO), the insolvency administrator has the right, under certain conditions, to reject the software maintenance contract or refuse to continue the license agreement.

That's why the escrow agent has to make sure of two things:

1. The source code stays out of the bankruptcy estate (it must not be classified as part of the insolvent vendor's assets), and
2. The licensee's usage rights to the software remain bankruptcy-remote after the escrow agent releases the source code (i.e., the rights transfer holds up legally).

Software escrow also matters in these typical release scenarios ("release triggers"):

• Non-performance or breach of contract: For example, when the licensor fails to meet its maintenance or support obligations under the license agreement.
• Time-based triggers: A defined period expires, or a condition is met — for example, the software reaches end of life or is announced for end of life.
• Discontinuation of business: The licensor ceases operations, regardless of the cause (e.g., insolvency, voluntary wind-down).
• Brain drain: Loss of key engineering staff at the licensor that puts the continuity of software maintenance at risk.
• Change of control: The licensor is acquired by a competitor of the licensee, creating potential conflicts of interest.
• Buyout based on revenue or licensing milestones: Predefined revenue figures or license volumes are reached, triggering acquisition or release of the source code.

How the deposit process works in three steps

A software deposit typically breaks down into three main phases, designed to satisfy both legal and technical requirements:

1. Drafting the escrow agreement

The first step is putting together a legally sound escrow agreement that nails down all the key terms. That includes:

• Deposit obligations: What materials get deposited (e.g., source code, documentation), when, and in what form.
• Release conditions: The exact circumstances under which the deposited materials are released.
• License and usage rights: What rights the licensee gets to the source code in a release event.

We pay particular attention to making sure all of these elements — deposit obligations, release conditions, and usage rights — line up legally and substantively.

2. Compiling and transferring the deposit materials

Step two is the formal handover of the deposit materials. In practice, a complete deposit typically includes:

• Complete source code: The current source code of the application in its final version.
• Build environment and dependencies: All scripts and configuration files required for build, compilation, and deployment — Makefiles, package.json, Dockerfiles, requirements.txt, and the like.
• Technical documentation: Developer documentation describing system architecture, key interfaces, plus installation and setup instructions.
• Data model and infrastructure information: Database schemas, migration scripts, and any configuration data needed to initialize and operate the system.
• Third-party component inventory: A structured overview of all third-party libraries and frameworks in use (Software Bill of Materials, or SBOM), including their license information.

Optionally, you can also deposit test artifacts, verification documentation, or additional technical documentation if these are useful for reproducibility, QA, or a future system handover.

3. On-chain deposit and updates

In step three, the digital asset is confidentially deposited with on:mint and anchored in tamper-evident form on a decentralized blockchain infrastructure. This guarantees the integrity of the deposited content and ensures long-term traceability through immutable documentation.

Real-time escrow: updates via GitHub/GitLab repository integration

To keep the operational overhead on engineering teams as low as possible, on:mint offers a GitHub and GitLab integration that slots cleanly into your existing development and release workflows. Through this integration, updates can be pushed automatically from your repository into the escrow vault. The deposit process gets significantly more efficient and reliable in several ways:

Automation instead of manual handoff. Repository integration removes the need to manually export and upload source code. Updates can be pushed automatically into the escrow vault on defined events — commits, releases, or any other trigger you configure.

Complete versions instead of incremental diffs. Git typically stores only the differences ("diffs") between versions internally. In an escrow context, on:mint deposits complete versions of each code state. That way, every deposited version can be reconstructed independently.

Stronger protection against incomplete deposits. Automated transfer of complete versions reduces the risk that individual development snapshots are missed or only partially deposited. The escrow vault reliably reflects the relevant state of your software at any given time.

Cryptographic integrity guarantees

The deposited source code, its developer documentation, and the relevant escrow agreements are cryptographically secured and uniquely identified through hash values. Each hash acts as a digital fingerprint of the file and makes it possible to verify the integrity of the deposited materials at any time.

The hash values are also anchored on blockchain infrastructure. That creates an immutable timestamp documenting which version of the deposited materials existed at a specific point in time. Any later modification of the files would produce a different hash value — and would be immediately detectable.

Authorized parties can verify the transaction hash through any public blockchain explorer at any time and independently confirm the authenticity and integrity of the deposited materials. The result is a high level of transparency and traceability based on the principle of "I see the data you see."

Anchor your digital assets securely and confidentially in our digital vault with on:mint, and lock in their integrity with blockchain-based verification.

Challenges of using blockchain for source code deposit

Storing source code directly on a blockchain runs into a fundamental scalability problem. Blockchains are built primarily to process transactions and small payloads efficiently. Storing large digital content like source code directly on-chain quickly gets expensive and technically inefficient.

The fix: combining blockchain with IPFS

To solve the storage scaling problem, our solution combines a blockchain with an enhanced version of the InterPlanetary File System (IPFS).

IPFS for decentralized storage

IPFS (the InterPlanetary File System) is a decentralized storage system that distributes files across a network of computers (called nodes). That makes IPFS especially well suited for use cases that demand efficiency, scalability, and decentralization all at once — like storing source code, large data sets, or digital archives.

Privacy through token-gated access

IPFS is traditionally a public protocol, meaning the data stored on it is accessible to anyone, anywhere. Our solution takes the model further by enabling private use through token-gated access combined with a Data Vault. The result: your data sits in a protected environment, effectively shielded from unauthorized access.

on:mint's technical approach guarantees that your source code stays fully private. Access is reserved exclusively for authorized users, who are securely authenticated through the Data Vault.

The solution combines the strengths of IPFS technology with the highest standards of privacy and control — an ideal fit for use cases where confidentiality and security are non-negotiable.

Blockchain explorer

To guarantee the authenticity and integrity of the deposited source code, a cryptographic hash of the code is stored on the public Polygon blockchain. This confirms the code's integrity and ensures full traceability — without ever exposing the source code itself.

The hash transaction can be viewed and independently verified through on:mint's blockchain explorer. The result is a verifiable, tamper-proof record of the deposit that holds up at any time and stands as proof of integrity and deposit even when shown to third parties.

Why decentralized storage architecture matters

Decentralization brings real advantages over centralized alternatives:

Higher resilience. A decentralized network has no single point of failure to attack or break. Data is stored simultaneously across multiple locations, so it stays available even if individual storage nodes go down — which means continuous, long-term availability.

Tamper protection. Cryptographic mechanisms combined with storage across distributed network nodes make it practically impossible to alter the data after the fact. That builds trust in data integrity and provides a high level of legal certainty.

Data sovereignty. Users keep full control over their data and can view it as digital originals directly on the blockchain ("I see the data you see"). All on:mint servers are EU-hosted — no third-country data transfers.

What makes this legal-tech stack — IPFS plus blockchain — special?

Long-term provability and trust

Our solution uses the Ethereum blockchain to store hashes of the source code, creating an immutable, long-term chain of evidence. For source code escrow agreements, that's especially valuable: it lets companies present court-grade documentation of the code in a dispute. The technology functions as a digital notary, documenting the entire chain of custody for the deposit and providing an unbroken evidentiary record.

Immutable, tamper-proof documentation

The combination of IPFS and blockchain guarantees that the deposited code stays unchanged from its original state. Unlike traditional cloud solutions, where versions can be overwritten or deleted, our solution offers tamper-proof storage. A digital original is deposited, and customers receive "digital ownership" of the deposited asset once the release conditions are met. For escrow scenarios — where the original state of the code has to be provable — that's a decisive advantage.

Compliance with confidentiality requirements

Our solution runs on a private, token-gated network that ensures only authorized parties can access the source code. Access control is a core feature of the escrow process, since the code often contains business-critical information and trade secrets. Data is stored securely and released only when the conditions defined in the escrow agreement are met.

Scalability and flexibility for what comes next

The on:mint architecture lets you deposit new versions, updates, or patches at any time — no need to set up the escrow process from scratch. Direct integration with GitHub and GitLab repositories means relevant code states can flow automatically from your repository into the escrow vault. Deposits slot seamlessly into your existing development and release workflows. Every version is cryptographically secured and anchored to the Polygon blockchain via hash values, creating tamper-proof, audit-ready documentation of every deposit.

Cost efficiency through built-in pinning service

In IPFS terminology, "pinning" means keeping data permanently stored on the IPFS network. Unlike other IPFS solutions, where companies have to pay for separate pinning services to keep their data available, our solution comes with pinning built in. That means your deposited source code stays permanently accessible at no extra cost.

Decentralized redundancy and high availability

By distributing data across multiple nodes (the servers, computers, and devices that store the data) on the IPFS network, our solution is highly resilient. Your source code doesn't depend on any single server or vendor — it stays accessible even when individual nodes go offline. That increases the reliability of the escrow service and reduces the risk of data loss.

Trust through blockchain transparency

The blockchain that stores the hash of the code is publicly viewable. That builds confidence among the parties: every transaction is documented immutably, and the integrity of the escrow arrangement remains traceable. At the same time, the underlying data stays private — so our solution combines the best of public transparency and private confidentiality.

Tenant setup and efficient administration

The on:mint platform offers an intuitive interface for companies and escrow agents to manage deposited materials efficiently. Each customer gets their own isolated space (a tenant) where deposits are organized and reviewed in a structured way. The interface also includes deadline management features and an analytics dashboard that gives you visibility into deposit status, versions, and relevant activity. Authorized parties can review and verify the current state of the deposited source code at any time. To keep the escrow process neutral, all modification rights to the deposited materials are revoked once a deposit is finalized. That ensures the deposited state stays unchanged and serves as the binding reference if a release event occurs.

Our source code deposit services

Legal and contractual services

Custom digital escrow agreements. Through clear rules around deposit and release conditions — and tight alignment with the underlying license and usage rights — we give our customers legally protected access to the source code whenever the contractually defined conditions are met. The result is a bankruptcy-remote grant of usage rights.

Legally sound deposit. For deposited materials to stay out of the software vendor's bankruptcy estate in an insolvency event, the source code has to be legally segregated from the licensor's asset pool. This is typically done by transferring the deposited materials to an independent escrow agent, who holds the code on a fiduciary basis. That ensures the deposited source code remains available to the entitled parties when a release event occurs. Notarial custody can be added as an option. In that case, we work with notaries who use on:mint to record the cryptographic hash of the deposited digital asset as proof of deposit in a notarial deed and certify it. This combination of fiduciary custody, cryptographic integrity, and optional notarial documentation provides an exceptionally high level of legal certainty for the deposit of digital assets. The notary can assert a right of possession against the insolvency administrator's right of disposition.

Technical services for secure deposit through on:mint

Data Vault as a digital safe. The source code is secured in a token-based Data Vault, accessible only to authorized parties. Tokenization gives you fine-grained control: you decide whether your code is visible to third parties — and which parts.

Decentralized storage on a modified IPFS fork. The tokenized source code is stored on a gated IPFS fork that combines private access controls with the tamper-proof documentation of public blockchains. The result is the highest level of security and confidentiality.

Long-term provability through blockchain hashes. For every code version, a hash is stored on the blockchain that serves as a digital fingerprint and proves the integrity of the code. Your code's original state stays provable indefinitely.

Maintenance and updates of deposited materials

Regular updates and versioning. Customers can submit annual updates to deposited materials, including the latest version of their source code. By default, two versions are stored; older versions can be retained on request.

Secure deletion of outdated data. Outdated versions are deleted in line with data protection requirements unless instructed otherwise. That ensures only current, relevant versions are kept on file.