SaaS Escrow within AWS contract considerations

As enterprise companies, including major international banks, adopt cloud applications as their preferred technology platform, we are seeing a huge increase in demand for SaaS escrow agreements.

Protecting applications and data within a SaaS environment creates a large number of challenges that companies looking to implement SaaS solutions need to address.

The Scope of SaaS Escrow Agreements

In order for Escrow London to draft a comprehensive SaaS escrow solution, we have to create a scope including the expectations of the beneficiary and the capabilities of the SaaS vendor. Options suggested may include:

  • Replication: A complete replicated AWS environment and databases – essentially a hot Disaster Recovery (DR) site that would provide complete continuity in the event of a release event.
  • Source Code via Git: Automated deposit directly from the SaaS vendor’s Git (GitHub, GitLab, Bitbucket, Azure TFS, etc.).
  • Docker Images: Automated deposits of Docker containers to a storage repository maintained by Escrow London.
  • Database Files: Automated deposit of the database backup. This encrypted copy of the database (SQL, Postgres, MySQL, Oracle) may be replicated to an S3 account managed by Escrow London or our proprietary data centre.
  • Vendor Financial Monitoring: This is a value-added service to ensure that the SaaS vendor is paying AWS on time. In the event that the SaaS vendor fails to pay an invoice, the Beneficiary will receive an alert to indicate there may be a financial problem. Under certain arrangements, Escrow London can step in and continue to pay AWS to ensure continuity of service.


When we commence discussions with SaaS vendors and their clients, our initial aim is to determine the beneficiary's expectations. For some clients, e.g. an airline looking to protect their SaaS-hosted booking system, this may mean a completely live, replicated environment within AWS hosted by Escrow London that may be switched over with immediate effect should a release condition occur. For other clients, a verified copy of the source code and their current database(s) may be enough based on their own risk analysis.

Databases introduce another challenge. In many SaaS environments, client data resides on a multi-tenanted database instance. In such situations, we work with the developer to determine a secure methodology to extract the beneficiary data to a single database, which is then encrypted before being deposited. In our experience, the most common databases used by SaaS vendors are SQL, MySQL, PostgreSQL, MongoDB and Oracle (to a lesser extent).

Once the scope of the service has been identified, a SaaS escrow template agreement is provided. This agreement covers every aspect of the SaaS escrow process and details the obligations of each party. The sections usually include:

  • Deposit of Materials: This section clearly defines the obligation of the SaaS vendor to:
    • Deposit the source code, databases, application files and documentation.
    • Assign Escrow London as a recipient of all financial and billing information from AWS and to assign relevant billing permissions within the AWS platform.
    • Engage with Escrow London to deploy a replicated SaaS environment on an AWS account hosted by Escrow London.
    • Provide the names and contact details of personnel who maintain the knowledge of the SaaS development and structure.
  • Storage and Security: This section details the obligation of Escrow London to securely store and manage the deposit materials.
  • Events of Default: This section outlines what is considered an event of default under the agreement that may result in the release of the escrow deposit or trigger the continuity solution. This section is typically negotiated by both parties to a level that provides comfort before the agreement is finalised.
    • Material failure to support the SaaS environment. The SaaS vendor is always provided a fixed period to rectify any material failures before this clause can be invoked.
    • The SaaS vendor enters insolvency or bankruptcy according to relevant laws.
    • The SaaS vendor ceases active operations of its business or service defined within the SaaS license agreement.
    • The SaaS vendor assigns their intellectual property to a third party who does not offer the beneficiary a similar level of protection covered under the SaaS escrow agreement.
    • A financial event of default applies to SaaS escrow arrangements that include Vendor Financial Monitoring. This clause may be invoked in a situation where the SaaS vendor fails to pay AWS and does not cure such a payment failure within a predefined number of days.
  • Release of Deposit Materials: This section clearly defines the process by which the beneficiary may apply to Escrow London for the release of the escrow deposit and to activate the replicated AWS services. The clauses provide the opportunity for the SaaS vendor to dispute the event of default cited by the beneficiary and to seek resolution according to a defined dispute resolution process. The default arbitration will be assigned by Escrow London in England. The location of the arbitration may be assigned to a different jurisdiction during the agreement negotiation phase.

A sample of an Escrow London SaaS agreement with vendor financial monitoring may be downloaded from here. SaaS Escrow agreements that include AWS replication require a bespoke approach. Please contact us for more information.

Escrow London provides a range of options and bespoke agreements providing complete business continuity protection within AWS (and other online platforms such as Microsoft Azure and Google Cloud).

For more information visit our website at www.escrowlondon.co.uk

 
