Software Escrow: Secure storage of source code

What is Software Escrow?

In software escrow (also known as source code escrow), the source code, i.e. the human-readable part of the software, is deposited with a neutral and trustworthy escrow centre and stored there securely and discreetly. Access to the code is only permitted under contractually defined conditions - for example, in the event of non-compliance with maintenance obligations, insolvency of the software supplier or permanent discontinuation of the software ('decommissioning').

Source code escrow is a tool for software licencees and companies to protect themselves against the risks of dependence on the software supplier. This is particularly important where the software used is critical to the business.

If a software supplier ceases to provide its services, for example due to insolvency, cessation of business or breach of contract, the use of the software may be significantly impaired. This can result in operational restrictions and significant financial loss to the organisation.

Legally compliant deposit of the source code as part of a digital escrow solution ensures that the code is released to the licensing organisation in the event that the defined 'release criteria' are met. This allows the company to take independent action to continue to use and maintain the software, ensuring business continuity.

The advantage for software vendors is that they can protect their customers without having to disclose the source code and thus their intellectual property. This promotes a stable business relationship and balances the interests of both parties. The solution provides both security and stability for the licensee and protection of the licensor's intellectual property rights.

What is Digital Escrow?

Source code escrow is a subset of digital escrow. Other forms of escrow include:

• IP Escrow: Protects intellectual property (IP) and ensures that know-how, source code and other valuable information is securely deposited.
• Key escrow: Used to securely store (cryptographic) keys or credentials to ensure access to sensitive information.
• Data Escrow: Enables the storage of large volumes of structured and unstructured data to ensure its integrity and availability in the event of system failures.
• AI Escrow: Provides secure storage of neural networks and other AI models to ensure their use and traceability.

When is software escrow useful?

The most important case that software escrow is designed to protect against is the insolvency of the software vendor. This is because the insolvency administrator has the right under certain circumstances to refuse to fulfil the software maintenance agreement or to continue the licence agreement in accordance with section 103 (1) of the Insolvency Code (InsO).

The software escrow agreement must therefore ensure that

• on the one hand, that the source code is kept out of the insolvency estate (avoidance of being part of the estate) and
• on the other hand, that the rights to use the software remain insolvency-proof for the customer after the source code has been handed over by the escrow agent.

Software escrow is also relevant in the following typical release cases

• Non-performance or breach of contract: For example, failure to meet maintenance or support obligations under the licence agreement.
• Expiration: The end of a specified period, or the occurrence of a condition such as the software reaching 'end of life' (or its announcement).
• Cessation of Business: The licensor ceases trading, for whatever reason (e.g. insolvency, going out of business).
• Brain Drain: The loss of the Licensor's key IT personnel which jeopardises the continuity of software maintenance.
• Change of control: Acquisition of the licensor by a competitor of the licensee, leading to potential conflicts of interest.
• Buyout' according to sales or licensing targets: Achieving pre-defined sales or licensing volumes that justify the purchase or release of the source code.

How does Software Escrow work?

Software escrow is typically divided into three main phases to ensure that both legal and technical requirements are met:

1. Drafting the escrow agreement

The first step is to draw up a legally compliant escrow agreement that spells out all the important terms and conditions. These include

• Escrow obligations: Determining what material (e.g. source code, documentation) is to be deposited, when and in what form.
• Release criteria: Defining the conditions under which the deposited material will be released.
• Licence and rights of use: Agreement on what rights the licensee will have to the source code in the event of release.

Particular care is taken to ensure that all components - deposit obligations, release criteria and usage rights - are legally and substantively consistent.

2. Compilation and transfer of deposit material

The second step is the formal transfer of the material to be deposited. This typically includes

• The current source code of the software.
• Developer documentation enabling the development and maintenance of the software.
• Other relevant digital assets associated with the software.

3. On-chain storage and updates

In the third step, the digital asset is tokenised and stored on a decentralised blockchain solution, ensuring integrity and traceability.

Regular updates

Customers have the option to submit regular updates containing the latest version of the source code and documentation. From the first update, two versions of the material are stored by default. Older versions can also be stored on request. The older material will be deleted in accordance with data protection regulations without special instructions.

Tokenisation

The source code, developer documentation and deposit contracts are secured on the blockchain in the form of tokens and provided with a hash - a kind of digital fingerprint - that prevents tampering. This creates a digital original.

Authorised parties can check the transaction hash at any time using a blockchain explorer to verify the authenticity and integrity of the materials stored. This process ensures transparency and traceability on an 'I see the data you see' basis.

Optional verification service

Upon request, the depository will provide an incoming verification or a more comprehensive full source code verification to ensure that the deposited material is complete, functional and ready for use. These services are optional and subject to additional charges.

What is blockchain-based source code escrow?

Blockchain-based source code escrow means that the source code is tokenised and linked to a blockchain via a hash reference. This approach creates a digital original that is not only tamper-proof, but also verifiable at any time. Changes to the source code are documented using cryptographic hashes, so any modification remains fully traceable.

This method offers maximum transparency and security, as the original state of the source code is unalterably stored by blockchain technology. At the same time, the authenticity and integrity of the stored code can be proven.

Challenges of Blockchain in Source Code Depositing

One of the main challenges of storing source code on a blockchain is its limited scalability for large datasets. Blockchains are primarily designed to efficiently process transactions and small amounts of data. Storing extensive digital content such as source code leads to high costs and technical inefficiencies.

Solution: Combining Blockchain and IPFS

To address the issue of storage scalability, our solution integrates blockchain technology with an advanced version of the InterPlanetary File System (IPFS).

IPFS for Decentralized Storage

IPFS is a decentralized storage system that distributes files across a network of nodes. This makes it particularly suitable for applications requiring high efficiency, scalability, and decentralization, such as storing source code, large datasets, or digital archives.

Privacy Through "Tokengated Entry"

Traditionally, IPFS is a public protocol, meaning stored data is globally accessible. Our solution enhances this approach by enabling private access through a token-gated system combined with a data vault. This ensures that stored data remains in a protected environment, safeguarded from unauthorized access.

Our innovative technical approach ensures that the source code remains entirely private. Only authorized users, authenticated through the data vault, can access it.

This solution combines the benefits of IPFS technology with maximum privacy and control, making it ideal for applications where confidentiality and security are paramount.

Blockchain for integrity and traceability

To guarantee the authenticity and integrity of the deposited source code, a cryptographic hash of the code is stored on the public Ethereum blockchain. This immutable entry is supplemented with metadata documenting the transaction. This ensures the integrity of the code while maintaining traceability without exposing the source code.

The hash transaction can be transparently verified using Etherscan, a blockchain explorer. This adds an extra layer of transparency and security.

Advantages of Blockchain decentralization

Decentralization offers several key advantages over centralized solutions:

1. Higher Fault Tolerance: A decentralized network has no single point of failure, reducing the risk of attacks or technical failures. Data is stored redundantly across multiple locations, ensuring availability even if some storage nodes go offline.
2. Tamper Resistance: Cryptographic mechanisms and distributed storage prevent unauthorized alterations, increasing trust in data integrity and providing legal certainty.
3. Data Sovereignty: Users retain full control over their data and can verify its authenticity directly on the blockchain ("I see the data you see").

How does Blockchain-based source code depositing work?

1. Creating the data vault (NFT)

The process starts with setting up a specially developed data vault that serves as a secure, token-based storage area. This vault is registered as a Non-Fungible Token (NFT), assigning it a unique digital identity and ensuring a tamper-proof link to the user. Access to the vault is secured through a token-gating mechanism, allowing only authorized users to retrieve its contents. The NFT acts as a cryptographic key, ensuring exclusive access to the rightful owner.

With this architecture, deposited digital assets remain entirely private and protected. Neither the data vault nor its stored contents are publicly accessible, ensuring maximum confidentiality and exclusive data access.

2. Generating and storing the hash on the Ethereum Blockchain

A cryptographic hash of the deposited source code is then generated. A hash is a mathematical function that transforms the source code into a unique, fixed-length string, serving as its "digital fingerprint." Any alteration to the code results in a completely different hash. This provides an immutable proof of the code's existence and state at a specific time without revealing its content. The generated hash is stored on the public Ethereum blockchain.

Ethereum's decentralized and immutable structure makes it an ideal platform for documenting data integrity. Storing the hash on the Ethereum blockchain serves several key purposes:

• Proof of Immutability: Any subsequent modification to the source code would produce a different hash, making tampering evident.
• Legal Evidence: The hash provides undeniable proof of the code's existence and state at a specific point in time. Anyone can verify its authenticity without accessing the actual source code.
• Interoperability: As a widely recognized blockchain, Ethereum allows for cross-platform verification.

Because only the hash—not the actual source code—is stored on the blockchain, the code remains entirely private within the IPFS network, ensuring both transparency and confidentiality.

3. Storing metadata on public IPFS storage

After setting up the data vault and creating the blockchain hash, metadata is stored on a public IPFS storage layer. This step documents the transaction and ensures the authenticity of the deposited digital assets. The metadata includes essential transaction details such as:

• The cryptographic hash of the deposited source code, serving as a unique identifier.
• Timestamps and transaction details for traceability and verification.

These metadata entries are publicly accessible but do not reveal any information about the actual source code. This approach balances transparency with data confidentiality.

4. Secure depositing of the source code

Finally, the source code is stored in a modified, token-gated IPFS system. This ensures that the code remains protected and accessible only to authorized users.

What are the advantages of this legal-tech solution combining IPFS and Blockchain?

Permanent verifiability and trustworthiness

Our solution leverages the Ethereum blockchain to store hashes of the source code, creating an immutable and long-term verification chain. This is particularly valuable for source code escrow contracts, allowing businesses to present legally binding proof of code authenticity in disputes. The technology acts as a "digital notary," documenting the entire lifecycle of the deposited code.

Tamper-proof documentation

The combination of IPFS and blockchain ensures that the deposited code remains unchanged in its original form. Unlike traditional cloud solutions where files can be overwritten or deleted, this solution guarantees tamper-proof storage. A digital original is preserved, and customers receive digital ownership when escrow release criteria are met. This is a crucial advantage for escrow requirements where proof of the original state is essential.

Confidentiality compliance

Our solution employs a private, token-gated network, ensuring that only authorized parties can access the source code. This controlled access is a key feature of the escrow process, as source code often contains trade secrets and business-critical information. Data remains secure and is released only under predefined escrow contract conditions.

Scalability and flexibility for future updates

The decentralized nature of this solution enables seamless storage of future code modifications and updates within the same network, linked to the Ethereum blockchain. This allows escrow agents to easily access updates, and businesses can deposit new versions or patches without restarting the escrow process.

Cost efficiency via integrated pinning service

Pinning in IPFS ensures that data remains permanently stored in the network. Unlike conventional IPFS solutions requiring third-party pinning services, our solution includes an integrated pinning mechanism, eliminating additional costs while ensuring long-term availability.

Decentralized redundancy and high availability

By distributing data across multiple nodes in the IPFS network, our solution offers high availability and resilience. The source code is not dependent on a single server or provider, ensuring continued accessibility even if individual nodes fail.

Trustworthy documentation through Blockchain transparency

Ethereum blockchain entries are publicly visible, fostering trust among involved parties. Each transaction is immutably documented, ensuring the integrity of the escrow process while maintaining privacy.

User-friendly management and access

Our solution features an intuitive user interface for seamless escrow data management. Businesses and escrow agents can securely and efficiently access stored data, reducing administrative effort and enhancing efficiency.

Future-ready Web3 integration

Native integration with blockchain and IPFS enables additional Web3 functionalities, such as smart contracts and automated notifications. For instance, a smart contract could automatically release source code upon meeting predefined contractual conditions, further streamlining the escrow process.