Cloud escrow versus CloudSecure: continuity that holds up
For the continuity of business-critical software you want no false sense of security. Many traditional cloud and continuity escrow arrangements claim continuity, but run aground on the legal and operational reality. Conflict of interest in the verification, GDPR risks from data replication and the uncertain status on bankruptcy are the weak spots.
CloudSecure® addresses these points at the root. Not a temporary bridge, but a legal and technical structure that keeps the entire cloud service running, even if the supplier falls away.
What is cloud escrow?
Cloud escrow, also called continuity escrow, is an arrangement that safeguards the continuity of a cloud service or SaaS application if the supplier falls away, through bankruptcy or the cessation of the service. Where source code escrow focuses on the source code, cloud escrow concerns the full service: code, configuration and the dependencies on the cloud platform. How that continuity is secured, legally and technically, varies greatly per provider. That is precisely where the difference lies between such a traditional arrangement and CloudSecure by Softcrow.
What CloudSecure does differently
- Continuity on bankruptcy: the legal structure stands apart from the bankruptcy settlement; the service keeps running as long as beneficiaries pay their licence.
- Independent IT audit: an IT auditor affiliated with NOREA, not the escrow agent itself.
- Data minimisation: the production data does not leave the supplier’s platform (GDPR).
- EU sovereignty: hosted entirely within the EU, free from the CLOUD Act and the USA PATRIOT Act.
- Zero-knowledge: all deposited information is client-side encrypted. Softcrow does not hold the key.
Comparison at a glance
| Category | Aspect | Traditional cloud escrow | CloudSecure |
|---|---|---|---|
| Governance and control | Verification and IT audit | Conflict of interest: the escrow agent often acts as auditor of its own deposit, which undermines the independence of the assessment. | Strict separation: an independent IT auditor affiliated with NOREA delivers a report of findings. |
| | Verification process | Internal check: carried out by the agent itself, on the readable deposit information. | Independent supervision: the supplier builds the environment according to a description supplied in advance, under the supervision of the independent auditor. |
| Legal and operational | Status on bankruptcy | Uncertain: the trustee decides whether the cloud environment is shut down, regardless of subscription fees paid in advance. | Watertight: the legal structure stands apart from the bankruptcy settlement; the environment keeps running as long as beneficiaries pay their licence. |
| | Continuity mechanism | Temporary bridge: deposited account keys and a sum of money keep the environment running for a short time. | Structural continuation: the existing cloud environment stays operational, without direct dependence on the bankruptcy settlement. |
| | Data location and privacy (GDPR) | Data replication: sensitive production data is continuously synchronised to the escrow agent, an extra GDPR risk. | Data minimisation: the production data does not leave the supplier’s platform; no data transfer to or storage with third parties. |
| Implementation and management | Replication or integration | Extra IT burden: a replication or integration link must be built and continuously maintained, with associated costs and points of failure. | No link needed: nothing to replicate or integrate; the existing environment keeps running as it is. |
| Legislation and sovereignty | Jurisdiction and sovereignty | US jurisdiction: often hosted on US cloud platforms, so the data falls under the CLOUD Act and the USA PATRIOT Act. | EU-sovereign: hosted entirely within the EU, free from the CLOUD Act and the USA PATRIOT Act. |
| Security and architecture | Access to the deposit | Readable access: through integrations or account keys, the agent has independent access to the intellectual property. | No access (zero-knowledge): the source code is client-side encrypted (E2EE); Softcrow holds no key and has no access to the contents. |
| Role and trust | Role as Trusted Third Party | Combined roles: the agent combines management, storage and verification in one party and has access to all deposit information. | Neutral third party: Softcrow never has access to the contents of a deposit. |
Frequently asked questions
What is the difference between traditional cloud escrow and CloudSecure?
With traditional cloud escrow, account keys and a sum of money are often deposited to keep the environment running temporarily, and the escrow agent regularly acts as auditor itself. CloudSecure uses a legal structure that stands apart from the bankruptcy settlement, an independent IT auditor affiliated with NOREA, data minimisation whereby the production data does not leave the supplier’s platform, EU sovereignty (free from the CLOUD Act and the USA PATRIOT Act) and zero-knowledge storage in which Softcrow holds no key.
What does a SaaS Escrow cover?
A SaaS Escrow safeguards both the source code and the customer data: the supplier delivers a source code deposit and a data deposit, so that the beneficiary has access to both on release. A SaaS Escrow does not keep the live cloud service running by itself; that is what CloudSecure is for, which keeps the full service operational through a legal structure.
What happens to the cloud service if the supplier goes bankrupt?
With CloudSecure, the intellectual property, the hosting contracts and the user licences are placed in separate legal entities. The legal structure stands apart from the bankruptcy settlement, so that the existing cloud environment stays operational as long as beneficiaries pay their licence.
Does Softcrow have access to the source code or data?
No. The source code is delivered client-side encrypted (E2EE) and Softcrow does not hold the key, so Softcrow has no access to the contents (zero-knowledge). The production data stays with the supplier and is not replicated to Softcrow.