Key points to remember
- The source code is encrypted upon upload and is never stored in unencrypted form.
- The decryption keys are kept separate from the technical systems, in a physical safe.
- The beneficiary’s access to the repository is conditional, defined by contract, and must be justified, verified and tracked.
- Vaultinum is ISO 27001 certified across its entire organisation, not just for hosting.
- Data is hosted in Switzerland, under a protective legal framework.
- The system simultaneously protects the interests of both the provider and the beneficiary.
Why source code security is at the heart of an escrow
A source code escrow is based on a simple principle: an independent third party holds a publisher’s code and makes it available to a beneficiary if conditions predefined in the contract are met, such as supplier default, cessation of maintenance, or breach of contract. This mechanism safeguards the beneficiary’s business continuity while regulating access to the supplier’s intellectual property.
However, this principle only works if the third party offers concrete guarantees. A publisher who entrusts its source code to an escrow agent must be able to verify that this code will not be viewed, disclosed or accessed without legitimate cause. For its part, the beneficiary must be assured that the deposit will indeed be available when it is needed. The robustness of the security mechanism therefore determines the trust of both parties.
Vaultinum: a trusted third party based on recognised standards
The role of a software escrow agent is not limited to storing code. It involves guaranteeing the integrity of the deposit, the neutrality of its storage, and strict compliance with access conditions. This role requires a framework that is legal, organisational and technical in nature.
Vaultinum acts as a trusted third party with a framework that goes beyond simply hosting the code. The company combines a recognised regulatory status, certifications covering its internal processes, and security mechanisms applied at every stage of the deposit lifecycle.
For suppliers, this means their code is protected by a system in which every component is auditable. For beneficiaries, this guarantees that the deposit can be returned under the contractually agreed terms.
Certifications covering the organisation, not just the infrastructure
Vaultinum’s security framework is based on recognised standards, covering both the technical infrastructure and the processes governing repository management.
The ISO 27001 certification guarantees a security framework applied across all operations. At Vaultinum, this covers not only servers but also internal processes, access management and the handling of deposits.
For the provider, this means that code confidentiality relies not only on technology, but also on strict internal rules governing access. This reduces the risk of unauthorised access, including internally.
In addition, all deposits made on the Vaultinum platform are timestamped via a service provider accredited by ANSSI, in compliance with the eIDAS Regulation. This timestamping serves to prove the date of deposit (originality) and to guarantee that its content has not been altered (integrity).
In practical terms, the provider is assured that the deposited code cannot be altered without a trace, whilst the beneficiary is guaranteed to retrieve exactly the version deposited if the conditions for retrieval are met.
Security built in layers
Beyond certifications, the protection of the repository relies on concrete operational mechanisms. Each addresses a specific risk and forms part of an architecture designed to ensure that no one, including those within Vaultinum, can access the contents of a repository on their own.
Encryption and no clear-text storage
The most immediate risk for deposited source code is that it could be read by an unauthorised third party.
To prevent this, Vaultinum applies hybrid encryption as soon as the deposit is received. The files are rendered unreadable, and the key required to decrypt them is stored separately.
In practical terms, two elements are required to access the code: the data and the key. Without this key, the files remain unreadable, even if the systems are accessed.
Once the deposit is complete, it is sealed with a dedicated key, kept in a physical safe by the legal department, and inaccessible to technical teams.
The repository is then replicated across two separate data centres to ensure its availability in the event of an incident.
At no point is the source code accessible in plain text within the systems. It can only be decrypted as part of a formal disclosure procedure.
Separation of roles and restriction of internal access
Concentrating access rights within a single team poses a risk, even at a certified service provider. Vaultinum applies a strict separation of responsibilities: the infrastructure, legal and technical teams each operate at a distinct stage of the process, with none having full access to the repository.
The infrastructure department ensures the retrieval and secure storage of the encrypted repository. The legal department keeps the decryption key in a physical safe. The technical team is only involved in the decryption process and making the repository accessible, as part of a formal procedure.
This structure prevents any unilateral access, including internally, and significantly reduces the risk of unauthorised access.
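The two sections above describe the same control from two angles: the deposit is stored only in encrypted form, and the key that opens it is held by a different department than the one that stores the ciphertext. The following Go program is an added illustration of that pattern, not Vaultinum's own code: the page does not name the algorithms used, so AES-256-GCM for the deposit and RSA-OAEP for wrapping the data key are assumed here as a typical hybrid scheme, and the "safe" key pair stands in for the key kept by the legal department. The sealed record also carries a SHA-256 fingerprint of the plaintext, which is the kind of value a timestamping service would attest, and the disclosure step refuses to release code whose fingerprint no longer matches.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SealedDeposit is what the infrastructure team stores (an assumed layout for
// this example, not Vaultinum's actual format). It holds the ciphertext, the
// GCM nonce, the data key wrapped to the safe's public key, and a plaintext
// fingerprint. None of these yields the source code without the private key.
type SealedDeposit struct {
	Ciphertext  []byte
	Nonce       []byte
	WrappedKey  []byte
	Fingerprint string // hex SHA-256 of the plaintext, the value a timestamp would attest
}

// oaepLabel binds the wrapped key to this purpose (hypothetical constant).
const oaepLabel = "escrow-data-key"

// NewSafeKey models the key pair whose private half lives off-system.
func NewSafeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealDeposit encrypts the deposit with a fresh AES-256-GCM data key, wraps
// that key to safePub with RSA-OAEP, then discards the raw key. Afterwards the
// stored record can only be opened by a holder of the private safe key.
func SealDeposit(plaintext []byte, safePub *rsa.PublicKey) (*SealedDeposit, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, safePub, dataKey, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // best-effort wipe of the plaintext data key
		dataKey[i] = 0
	}
	fp := sha256.Sum256(plaintext)
	return &SealedDeposit{
		Ciphertext:  ciphertext,
		Nonce:       nonce,
		WrappedKey:  wrapped,
		Fingerprint: hex.EncodeToString(fp[:]),
	}, nil
}

// OpenDeposit is the disclosure step. Only the private safe key can unwrap the
// data key, GCM authentication rejects any altered ciphertext, and the
// recovered code is compared with the recorded fingerprint before release.
func OpenDeposit(d *SealedDeposit, safePriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, safePriv, d.WrappedKey, []byte(oaepLabel))
	if err != nil {
		return nil, errors.New("key unwrap failed: not the safe key for this deposit")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, d.Nonce, d.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: deposit was altered")
	}
	fp := sha256.Sum256(plaintext)
	if hex.EncodeToString(fp[:]) != d.Fingerprint {
		return nil, errors.New("fingerprint mismatch: deposit differs from the attested version")
	}
	return plaintext, nil
}

func main() {
	safe, _ := NewSafeKey()   // legal department's key, kept off-system in practice
	intruder, _ := NewSafeKey() // any other key, e.g. one an operator could generate
	src := []byte("int main(void) { return 0; } /* constructed sample deposit */")
	sealed, _ := SealDeposit(src, &safe.PublicKey)
	fmt.Println("attested fingerprint:", sealed.Fingerprint)
	if _, err := OpenDeposit(sealed, intruder); err != nil {
		fmt.Println("access with the wrong key:", err)
	}
	code, _ := OpenDeposit(sealed, safe)
	fmt.Printf("disclosed %d bytes after fingerprint check\n", len(code))
}
```

In a real deployment the private key would never be loaded into the storage system at all; here it sits in the same process only so the round trip can be shown. The property that matters is visible in the struct: everything on disk is ciphertext or a wrapped key, so a compromise of the hosting layer alone exposes nothing readable.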
Conditional and tracked access procedure
Access to the escrow repository can never be granted on a discretionary basis. It is subject to the meeting of contractually defined conditions: proven failure on the part of the supplier, a maintenance shutdown, or any other event specified in the escrow agreement.
All requests are subject to identity verification and legal validation. The process is then initiated in accordance with a regulated procedure, involving several members of staff at various successive stages, from the retrieval of the encrypted repository by the infrastructure team to its return following decryption.
The data is made available to the beneficiary via a secure server, with time-limited access. All operations are logged.
The supplier is thus assured that their code will only be released under the stipulated conditions, whilst the beneficiary is assured that the procedure can be applied if these conditions are met.
Balanced protection for both the supplier and the beneficiary
Source code escrow is only valuable if it protects both parties. The supplier needs to know that their code will not be accessed or disclosed except in the circumstances specified. The beneficiary needs to know that the deposit is genuine, intact and accessible when the time comes.
It is also important to note that access to the code under an escrow arrangement does not constitute a transfer of intellectual property: the rights remain with the supplier, even when the deposit is made accessible to the beneficiary.
Vaultinum meets these dual requirements through a system where technical security (encryption and separation of duties), regulatory compliance (ISO 27001) and data localisation (hosting in Switzerland) reinforce one another. Hosting in Switzerland, in particular, offers a stable legal framework and enhanced data protection, which is a key criterion for companies subject to compliance requirements.
This structured framework transforms software escrow into a genuine software risk management tool: verifiable, enforceable and tailored to the requirements of today’s B2B relationships. It provides a clear response to beneficiaries’ expectations, whilst guaranteeing suppliers that their assets remain protected at every stage.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
