Ask HN: Huge enterprise customer wants to see our source code

513 points by throwawaysource ↗ HN
We are a small 5-person enterprise software startup, operating in the data analytics/ML space. We are working on starting a proof-of-concept with a huge potential customer ($50+bn in revenue). We recently identified our first use case, and are ready to get into contract negotiations.

But then they got back to us with an odd request: they want to see our source code (likely upon completion of the PoC). Given that our core IP is our models and algorithms, we are reluctant to agree. Their justification is: "we want to see how your algorithms made their decisions."

We know that they have lots of resources and are building up internal data science team. And yet it was pointed out to me that their goal might not necessarily be to outright steal our IP, but rather to cover their bases. But we are still worried they might be "inspired" by the parts they see and get their internal teams to replicate across other sites or use cases. And we don't have the resources to litigate, nor any way of knowing they do this.

My questions: 1) Has anybody run into a request like this? How would you respond? 2) How likely do you think their goal is to genuinely "see what happens under the hood" as opposed to replicate in the future? 3) Are there any legal protections we can put in place to prevent them from not just copy-pasting our code, but also from "learning from it" or so?

292 comments

[ 0.19 ms ] story [ 291 ms ] thread
Options:

1. Ask for a giant pile of money for the privilege.

2. Come up with visualization that answers their question without giving them access to source code. Presumably "how do we know we can trust results" is a common problem.

3. Walk away.

And a possible 1a: Tell them you'll be happy to give them your source code, and everything else to boot, if they'll buy your company.

This way you get to jump straight to your exit, and can maybe also structure the deal so that you and your employees get jobs at the BigCo (if you want them). Feel free to set the selling price as high as you like -- they would want the deal more than you would, so you have a lot of leverage in the negotiation.

And if they balk? Hey, they asked for terms to see the source code, you gave them terms! It's not your fault if they don't like them :-D

Good answer. No, they don't get to see your source code without buying the rights to it. Otherwise you're going to end up in trade secret litigation after they steal something.
maybe what they want is just white box explanation on your models?
This is all it is. I ask for explanations every week from vendors.

And everyone here is going on about them wanting to buy the company or acquire licenses to the code. It's just bizarre.

This is a complete no-no. There really is no justification for this whatsoever.

What does "cover their bases" mean?

As them to explain what they are trying to achieve and find other ways to assuage their concerns.

The only legitimate thing is to have something in case you fail and they have "banked" on you. There is a legit way to solve that. basically if they want that tell them they should pay for an Escrow service - that will hold your code and they would receive it if you ever cease to exist. But it's important that they would need to pay those fees (they are significant.)

That should make them back down.

It's entirely unreasonable for them to demand access to source code.

I work for an enterprise company and we demand the source code for machine learning models from vendors all the time. This isn't like asking for the code to Excel. It's a model derived from our data that has likely no use for anyone but us and is highly susceptible to misunderstandings of the data. We absolutely need to verify your work.

Models are the output of the process. It's like going to graphic designer for work and them not giving you the PSD file. It's just not acceptable.

> You clearly have no idea what you're talking about.

I have no idea what I'm talking about in this specific niche either... but does it normally go over well when you start a conversation that way?

I don't think people who start conversations like that are able to effectively gauge other human's reactions, they're kinda inter-related lol.
I have removed the comment.

It's just frustrating that this poor startup is going to make a monumentally bad decision based on people in here who have no zero clue what they are talking about.

The parent comments author has this in the profile:

>about: CEO at http://www.3scale.net

I'd venture to say there is at least some qualification to answer here. </sarcasm>

(comment deleted)
By this logic the said designer should also get Photoshop source code from Adobe.
I think you make an interesting point, ml models and algorithms are two different things.

I also think it's reasonable to ask for a model so you can test and validate it yourself.

It's entirely unreasonable for them to demand access to source code.

The government and large corporations apparently disagree, or Microsoft wouldn't have their Shared Source Initiative. And for any nay-sayers in the crowd, that should be all that need be known: Microsoft thinks it's okay, and they have a lot more to lose than you do.

The only legitimate thing is to have something in case you fail and they have "banked" on you.

Which might be the exact thing they're trying to avoid. If your "machine learning" algorithm amounts to a bunch of nested if statements, they'd probably rather not "bank on you" in the first place.

Microsoft also has enough legal resources to assure recompense for any license or ip violations...
Bringing up Microsoft is neither here nor there.

Microsoft made the decision to create Shared Source Initiative only after they were very successful and only after a very, VERY detailed cost vs. benefit analysis.

Furthermore, they are handsomely paid for it (e.g in order to be eligible, you need to pay for at least 10k Windows licenses as per https://www.microsoft.com/en-us/sharedsource/enterprise-sour...) and it's ultimately up to Microsoft to grant/deny access.

And since we're talking about Microsoft, in the early days they were infamous for pumping competition for technical information under the guise of due diligence and then crushing said competition by developing competing products.

The person who asked the question is clearly not at the "successful monopoly" stage as Microsoft but more in the "there are legitimate concerns someone might steal our core ip" stage.

well I presume that MS does not provide access to code to direct competitors. Which is OP’s concern- client is building ML team and so on and they ask access to code.

National agencies such as FBI are not threat to MS to become competitor, unlike OP’s client.

Answer: No.

No one gets the secret sauce. They pay for your results.

And in the ML space we laugh at you and goto the next vendor.

Because we paid for that model, it belongs to us. Just like how if I pay for an illustration I expect the PSDs.

> Because we paid for that model, it belongs to us. Just like how if I pay for an illustration I expect the PSDs.

What? They want "the PSD" before buying.

I have not run into issues like this, but I would at least make an attempt to meet them in the middle. NDA's and the such are not something I would be confident in, particularly given that this customer can throw a lot more money and effort into legal.

Regarding meeting them in the middle, I would put together a presentation that describes how your algorithm works at a high level. I'd do your best to split the balance between being transparent and focused on the customer, and not divulging what you consider to be differentiating parts of your implementation.

If you get push back for the above, I think you're dealing with either brain rape, or some pretty unprofessional contacts in your customer's organization. If it's the latter, you should do your best to navigate around those contacts.

If they are trying not to end up in the situation where you go out of business and they are screwed, offer them to escrow the code for a certain amount of money. If you go out of business, they get the code. If you do not, they don't
Even source code escrow should be resisted. "Out of Business" is not always clear and if you are trying to get acquired your value drops dramatically if major customers have your source.
True, the code escrow needs to be written correctly. Done correctly it only kicks in if the code goes unsupported. You can be acquired so long as the company buying you continues to support it at a "reasonable price". If they don't support the code for a "reasonable price" they didn't buy you for the code anyway so it won't matter. If they do support it, then the escrow doesn't come into play.
I had a customer ask (we have an escrow clause), "What's to stop us not paying your bills (for support and licensing) until you go out of business and then getting the source code?"

We pointed to (one of many) conditions that said that escrow would be only released to customers who were in good standing with us -before- the escrow event (and that wasn't transferable, as in they couldn't settle accounts with trustees, acquirers or the like - similar to 'not being able to buy retroactive insurance').

Ask your attorney.
I guess reasonable people can disagree. It's a business risk calculation not a point of law.
If you think "out of business" can't be defined adequately, it's a point of law. That's what lawyers get paid to do for you.
If the out of business scenario includes the possibility of acquisition or asset sale, code escrow is a significant factor lessening the value of assets or killing the deal entirely. Stated differently, it's not what a buyer wants to find in due diligence.

The $50+bn company might even be the potential buyer, but under code escrow they just get it for free (less whatever was negotiated up front.)

Rubbish.

Structure it as 1 year, 2 year, 10 year whatever the hell deal you want. If you are a $50BN company ( you aren't ) you simply fire that customer.

Typically these are worded as part of support & maintenance and is triggered by failure to meet that obligation. Acquisition, merger, spin-out, JV or bankruptcy would not trigger it provided support is maintained. Also, the force majeure clause typically allows some reasonable timeline to reinstate support before it is triggered.

I would think the positive of a large client greatly outweighs the liability of the code escrow.

Nope, never let them see it. Those algorithms are key to your success.

Unless they are buying your company and are doing due diligence.

I ran a SAAS company for 8 years, going from zero to double-digit million rev per year.

The answer is a clear no. They can PAY YOU to make custom plots/charts/reporting or run queries if they want to understand what it does better. There is almost always a way to achieve any business goal without requiring source code.

The only case I can think of source code needing formal verification by a third party is if you're targeting drones to kill people or government jailing people. That doesn't sound like a commercial company in any event.

Have you actually dealt with enterprise sales? Source code is a fairly typical request, and there are software escrow and audit companies specifically set up to address concerns.

Microsoft, for example, gives source code access to paying enterprises and governments under the Shared Source Initiative specifically for security vetting and other auditing purposes.

OP: Consult a lawyer who specializes in these matters.

I've seen my company ask countless time for source code and your financials. If your financials are iffy, you might not even get past the RFP process.
I agree, although if the company asking is not engaging with an aforementioned auditing company (Mitre is the one I've dealt with the most), then that would be a red flag to me.
Exactly, software escrow is for this type of need. Your legal team should know how to handle.
> Have you actually dealt with enterprise sales? Source code is a fairly typical request

Not the parent, but I have done deals like this and I feel the need to counter your sentiment.

Sure, 3rd party security review, escrow, etc etc is normal.

However, this is a massive red flag for me:

>Their justification is: "we want to see how your algorithms made their decisions."

I mean this is straight out of an episode of "Silicon Valley". The OP's entire product value is in "how your algorithms made their decisions" and this is not something you want to expose to anyone unless perhaps they are about to acquire your company.

Yes, including accounts > $1M.
you could also give them source code but on printed paper so they don't outright steal the source, and also make them sign an NDA for a free with a much larger fee if they break it.
Isn't security a potential concern? If they're selling analytics software ostensibly they have access to a lot of the customer's data.
> How would you respond?

In these situations it's best to ask yourself a simple question: what would Coca-cola do if they asked to see the formula.

Bad analogy. Better one is:

If you hired a photographer would you expect the RAW files ?

I would.

No, it would be "would you expect the camera settings"
Sure, access to the source is acceptable if they're offering to buy you out.
Well, having worked for a small software startup that did just that, I can tell you what we did.

We agreed to letting them audit the code with conditions.

1. The audit happened on our computers with someone from our team in control (me). I locked the computer when I wasn't physically there to watch what they did. 2. We removed the most sensitive part of the code and told them what it did. We kept the method signature. 3. All of the source code remained on my laptop and my laptop was never attached to their network. 4. We could tell them that we would not answer any question they asked. 5. They paid for expenses and time. It lead to a decent sized contract.

It lasted about 2 days for a medium sized Java application. They asked one or two questions I wasn't allowed to answer and took it well when I told them so.

I am not a lawyer but you can also ask for a non-compete and or a non-disclosure from their individual employees that will conduct the review. Get your lawyer on that before you do it.

It is up to you or your company to decide what to do. No one can tell you if it a good or bad decision for you. At least for me and my company, it worked out. As far as I know the auditing company never developed a competitor and was a customer of my company for a long time to come.

You mean to say that you reserved the right to not answer certain questions or that you refused any questions?
We reserved the right to not answer certain questions. I answered most of their questions, only 1 or 2 were in areas where I wasn't suppose to give them answers.
I've done this too. The question is usually a matter of compliance more than anything else. They want to check the licenses of any included packages, makes sure there's no encryption stuff that can't leave the USA, etc.

Doing what OP described is great: it lets their folks do the audit with no risk of you loosing "ownership". It shows you are both a good partner and value what you do.

License compliance is incredibly important and unfortunately overlooked by many smaller firms. The potential liability to a GPL or other violation is just not worth it.

Anecdote: We have released code under the Apache 2 License (our biggest project by far is https://github.com/sheetjs/js-xlsx) and we've been roped into negotiations because some companies tried to take shortcuts by copying our code without proper attribution.

What exactly is the potential liability for a GPL violation?

I've gone 12 rounds with IP lawyers over these theoretical violations (static vs dynamic links). But I found it odd that I could never find a single case of significant liability due to infringement. The nature of damages is unclear and the landscape of counter-parties (with an incentive to sue) is amorphous. It seemed like worst-case, a proven infringer just had to re-write the offending module and make a $10k donation to an open source foundation. I've never knowingly infringed GPL and am not advocating that anyone should; it's just as I said, I found the legal community's focus on this area out of step with their otherwise well-measured calculations of risk and reward.

Usually, when doing due diligence, anything that might conceivably be a lawsuit or ongoing lawsuits results in a lower price or funds in escrow or similar agreements.

So, even if there never was a big payoff, the mere potential is a big red flag for the due diligence team (and leverage for negotiations as well). They can add indemnification clauses on contracts (they won't do that for a small company like the OP I guess).

> I found the legal community's focus on this area out of step with their otherwise well-measured calculations of risk and reward.

That seems true with pretty much any legal area. But, it's not their job to calculate risk, it's their job to tell you what is legal. It's management's job to decide if they want to take the risk or take the legal advice.

I think it's 100% their job to calculate risks and inform about legal customs/expected outcomes around something in question.
You're going to be pedaling that idea for a long time before you convince lawyers that it's in their interest to generalize on expected outcomes.
I have no idea what lawyers actually think but the fears I hear about generally don't come from lawyers. The most common fear I think is "we'll be forced to release our closed code!" But no, my intuition is that even with willful violation of something licensed under e.g. the AGPL which is supposed to force such a thing on a SaaS company, the worst case is something like: the company is hit with the maximum penalty for copyright infringement and will have to shell out a few hundred thousand dollars and someone goes to jail for a few years, and the company has to immediately stop distributing/serving products with the software on them until the software is either legally licensed, legally distributed, or replaced.
Jail for copyright violation? I guess people who've distributed pirated goods, like movies or music, have gone to jail, but I've never heard of it happening to a software developer. Fines are plausible, but I'm having a hard time imagining a scenario that leads to jail time.
Developers have gone to jail for stealing code from financial companies.

See: https://en.wikipedia.org/wiki/Sergey_Aleynikov

Most GPL projects however don't have expensive, hateful, blood seeking lawyers behind them.

That is completely different. You don't go to jail for a license violation.
I remember in some situations that copyright infringement is cheaper than license violation. The former you can argue ignorance and pay a a fine the later you've knowing acknowledge what you've done is a violation of another person license but continued your behavior.
Honest question:

Is a license violation not equivalent to unlicensed use of code?

I mean, if you don't meet the terms of a license, you're not eligible to use the code under that license. That means you have no license to the code, and therefore are in breach of copyright, no?

How is that different from just using someone else's code outright - you're breaching copyright and you're not licensed, no?

Well, the difference in that case is that it isn't license violation at all. This case is a trade secret violation. Since Goldman Sachs never released the source code, it is by definition a trade secret which Sergey Aleynikov was not allowed to release or utilize outside of his job at Goldman Sachs.

If Goldman Sachs ever officially released the software it could be a copyright or license violation but this isn't the case.

Aleynikov was charged with stealing trade secrets, which does not apply to GPL software.
The plausible situation is no criminal case, just a civil case, and probably settling for what amounts to a fine / delayed purchase, e.g. the "$10k donation" alluded to. But the worst case possibility, even if very unlikely, should include jail time (somehow -- I too don't know exactly how that would work out or who exactly would go to jail, manager or dev).
Just curious here... It's a license violation, then, not a copyright (law) violation. So isn't it more like breach of contract, i.e. a civil matter between parties, rather than a criminal case? And one does not go to jail for civil cases, do they?
GPL is a license to use copyrighted code, not a contract. If you violate the terms, your license is revoked. If you then continue to distribute the code in question without a license, then you may be liable for copyright infringement.

The first consequence of this is that only the copyright holder has standing to sue you, not anyone else who thinks they have a right to your code because you violated the GPL terms. They’re just wrong.

The second consequence is that the only remedies for copyright infringement are an injunction and damages related to the copyrighted code. So a court could force you to stop distributing the copyrighted code, requiring you to either (1) remove the GPL code from your product and use a substitute, or (2) pay for a commercial license from the owner. But you would not be forced to release your proprietary code under a GPL license.

Regarding jail for civil cases, no. In the US, we eliminated debtors’ prisons many years ago.

Not trying to troll here... The biggest violation might simply be the size of the attorney bills related to using GPL licensed dependencies in your code. There's simply no great way that I've found to get attorneys to give you a checklist of how to comply with licenses that aren't on a short list of reasonably well understood licenses. Saying "no GPL" is easier in many cases for practical reasons that kind of stink. To say it differently, how much time would you like to dedicate to getting GPL blessed when doing so is competing with all of your other priorities?
Fair point but doesn't this run directly counter to the trend of startups leveraging an increasing amount of open source code?
In my experience, having a good ratio of responsible, experienced developers on the team (one of those may do it, for a small startup) is often enough to keep an eye on it, and a lot of startups get quite far while avoiding the most risky (for them) licenses. If this is reasonably gated while starting a project, or whenever you want to add new dependencies, it's well possible to stay on course.
They are just that: theoretical violations and even they are touted just by the FSF: no one else agrees that linking against source code taints your own code.
It really depends what you mean by "linking" and what you mean by "taints".

Linking GPL code to incompatible code is against the license terms and since you can't copy/distribute the code without a license you violate copyright if you distribute that code. Nobody, not even the FSF, believes that this means that your code must be under the GPL at that point -- it's just the remedy that the GPL explicitly allows. Other remedies are usually possible from the copyright holder (usually just "stop infringing our copyright"), or imposed by a court.

IANAL, but the act of a user linking GPL code to incompatible code without distribution is not copyright infringement IFAICT. I believe the FSF also agrees with that. In fact the GPL specifically states that you may run the code for any purpose. This leaves a kind of grey area where you could write code that can link to GPL code, but that you leave the end user to do the final linking. In the extreme these are the so-called "binary blobs" in things like the Linux kernel. My understanding is that the FSF thinks that these are an infringement but that other people disagree. I don't think it's ever been tested in court.

Edit: I should point out that the reasoning for it being an infringement is that by intentionally writing code that can link to the GPL code, you are creating a derived work of the GPL code. Whether this argument holds water is anybody's guess and I would love to see it tested in court.

> Linking GPL code to incompatible code is against the license terms and since you can't copy/distribute the code without a license you violate copyright if you distribute that code. Nobody, not even the FSF, believes that this means that your code must be under the GPL at that point

Except as I understand it, this is the position pushed by WordPress and other GPL CMS's (Drupal?).

They say that because a theme or a plugin uses WordPress's functions and these are GPL licensed, then you're 'linking' with it and your PHP code has to be GPL licensed too.

To me this is crazy, but no one has challenged it yet.

There are 2 issues here and it's important to keep them separate.

1: If you are in violation of the license, must you put your code under the GPL? The answer is definitely no. If you are in violation of the GPL you may license your code under the GPL to become compliant (though in V2 and below you also have to be forgiven by the copyright holder(s)). This is an option that you have in addition to the options you have for any other copyright infringement (i.e. going to court). You never have to relicense your code. It's just a way to avoid court. There are definitely people who misunderstand this point, but I don't think you'll find anybody in an official capacity at the FSF who doesn't agree with the above.

2: If you write code that complies with an API in an GPL project, do you need a license? Like I said near the bottom of my other post, that's the grey area. Some people will say yes and some will say no. The idea is that complying with the API necessarily means that you are creating a derived work and are therefore infringing copyright if you don't have a license.

Like you, I initially found this idea to be very strange. However, the Oracle vs. Google court case lends considerable credence to it. In that case Google was found to have infringed on Oracle's copyright by implementing a published API. The judge ruled that it was fair use, though. I suspect (IANAL, remember) that if this was ever ruled upon you would probably get a similar judgement. The situation is fairly different, though, so you never know.

Now, the reason you don't find people challenging this stuff is (I think) mainly because the copyright holders are clear how they stand on the issue. I don't know anything about it, but I'll take your word that this applies to WordPress plugins/themes. You can just go against their wishes, but it's kind of a jerk move. Will anybody sue you if you do it? Will you win a court case? Maybe, maybe not, but you will certainly upset a lot of people so why do it? With the Linux kernel and binary blobs, it's all good as long as you stick with certain APIs. People do it knowing that nobody is going to sue them. NVidia steps over the boundaries, gets yelled at by Linus, but still nobody sues them.

I mean, you can also look at the really weird interpretation of the AGPL that projects like Mongo DB have. Their attitude is way more liberal than the license seems to state (to the point where I frequently wonder if they have actually read the license). But who is going to complain? It's their code -- they can do what they like. They don't have to sue anybody if they don't want to.

> otherwise well-measured calculations of risk and reward

Where do you work that attorneys generally make well-measured calculations of risk? And are you hiring?

Cease and desist selling your core product until you replace the GPL bits, or else make your core produt open source.
For companies interested in addressing licensing concerns before they balloon into real problems, FOSSA builds a platform which analyzes code and automates license disclosures and legal boilerplate: https://fossa.io/

Full disclosure: founder is a friend and all around great person.

I don't own a company, but I'd like to try this out myself. Is there any possibility of having a "personal" trial mode instead of having to enter a company name?
From team FOSSA here, you can put in anything for the company name -- or leave it blank!
I don't understand how license compliance matters here. Why does the big customer care about whether the seller has violated licenses? The seller would be the one in trouble, not the customer.
If the seller is in violation of one or more licenses, they might get sued and be forced to discontinue or significantly alter their product. If the big customer depends heavily on the product and cannot easily replace it, they are also screwed in this scenario, even if they aren't in violation of any laws.
(comment deleted)
License compliance is easily verified using 3rd party services like Black Duck.

You basically install a scanner on your machine, feed your sources into it, it hashes them line by line and sends hashes to the mothership for analysis. It then spits out the report that file X, line Y matches something in the open source package Z. At least that's how it worked a decade ago, when we had to do a pre-acquisition source code audit.

License compliance is not verified in closed source stuff, period.

When was the last time some user of Windows verified whether Microsoft Windows contains some piece of code that Microsoft shouldn't be redistributing?

> The question is usually a matter of compliance more than anything else.

What would Microsoft say if a customer said "we need to see the source code for Windows, Outlook, Exchange and Office applications before we use them, just as a matter of license compliance"?

One thing I would note is that the individual employee might not be authorized to sign a legal document, such as "a non-compete and or a non-disclosure". My company informs us told to actively refuse to sign any legal documents (even at visitor check-in) -- we have a Legal team for that. All documents should be signed by Legal before I step on site.
Out of curiosity, are you barred from installing software on company computers, because you're either explicitly or implicitly accepting an EULA?
There is a list of pre-approved apps, and a method to request approval if it is not on the list. Also, there is a list of approved licenses for open source software.
This is a common thing in many larger corporations. Some even lock down machines quite a lot. I have seen multiple cases where this lead to laptops for dev work which weren't connected to the company's network.
My company will scan our computers every once in a while. I've gotten alerts about having software I have installed that I should not - both cases we had an enterprise license and I was using a trial. I didnt want to go through a burdensome request process to try something.
There is also a very fine difference in the exact wording. You might even have the choice to decide the location where the physical copy of the code is located (E.g. your office, not theirs / on the north pole) and they actually might never actually bother to show up. Does the source code even need to be humanly readable or are the actually more happy with a schematic diagram?
For many reasons, always choose your office as the location. Even if they're paying expenses, it makes your employees available for other things that may come up at your site. All the security benefits are obvious, but lastly... from a sales standpoint, it allows you to treat them like a welcomed guest and win them over on your turf.

Either way, get the review done fast. As they say, time kills all deals.

Slightly tangential, but working for a small software company (<20 employees) who writes Line Of Business code for very large enterprise customers in the health care industry, we at times offer source code licenses, but at the very least (and this was my original point), our license as a vendor also includes source code escrow in the event of our collapse. We haven't really had anyone request a pre-sale source code review.
> our license as a vendor also includes source code escrow in the event of our collapse

Wow, I've never heard of this before - it sounds great!

Do you advertise this on your website, or is it just buried in the terms and conditions? I was just wondering how you might get across this info without worrying potential customers with the mere mention of collapse?

You don't advertise it. You say nothing until a customer expresses concern about your long term survival then you say "Oh yeah this comes up from time to time and the solution is code escrow, we've done it for customer Y and X so we know the drill".
Given the nature of the product we sell (where implementations are in the six-seven digit range, with sometimes over a year of prep work), it tends to come up in discussion most times, and I think may even be in our boilerplate contract (which is signed by both parties, it's not 'order online, enter credit card' purchasing).
Even big vendors do source code escrow for very big contracts (e.g. government).
In our case it has always been something our large clients request and expect as part of any project we work on, rather than something we advertise as a feature of working with us.

Most companies will dictate that you use an escrow provider from their "preferred suppliers" list.

Any suggestions for that “preferred suppliers” list?
If there is a preferred suppliers list in operation, you don't pick those suppliers your client does. And it will often be relatively local, at least country local, companies in my experience, presumably for legal jurisdiction reasons.

So what our clients dictate is probably irrelevant to your needs.

Thanks. I misunderstood. I thought you had a list of preferred escrow services.
Seconding the “source code in escrow” solution as a mitigation about concerns of working with a startup. IMO enterprise customers happy to pay for it and it usually never gets asked about again
How does "code escrow" work in practice? Are you actively syncing to a private Git repo?

Or is it more a case of, if we're collapsing, we'll put this in place?

Correct there's some (not necessarily daily or weekly) amount of sync frequency that you negotiate.
> Or is it more a case of, if we're collapsing, we'll put this in place?

No-one would trust that. If you are collapsing you aren't going to care enough, or the people who do/did both care and know what to include (source, build toolchain setup, documentation) have already gone.

It is surprising, given how important it could be, how little the clients bother to check that escrow updates are happening - so even if the contract says otherwise it could often come down to this!

> Are you actively syncing to a private Git repo?

Some do that, but in my experience it is more common to provide a snapshot (a full copy of the relevant parts of your repo(s) with supporting documents), with a new snapshot uploaded with each major or minor release. Sometimes it isn't released based but instead the client dictates escrow is updated "at least once per year or X months" which to my mind shows that part of the contract was written by a legal/admin person without a lot of technical experience.

Haha, was thinking that wouldn't be too trusted alright! Scheduled syncing makes sense. Cheers for the replies, have never heard of the concept of code escrow before, seems like a neat solution
one thing about non-compete and non-disclosures is that if you are a small shop going up against big shops it can be costly for you to try to enforce it against a larger corp. not impossible but not cheap and without any guarantee of success.
Reply back with “is this an acquisition offer?”
Never worked for an enterprise company before I take it.

Because nobody when they are dealing with a vendor is thinking about how to acquire them. They just want your product.

I want to plus one everyone saying no. All of their reasons make sense to me.

In addition, I'd love to help your confidence with getting used to the idea that saying no is ok. I remember being in this situation many times and feeling like if we said no we'd lose the client and maybe go out of business.

But truly, clients often ask for things that aren't very important to them and they will not mind being told that the answer is no.

The mistake you can make here is to blow up your no answer into a big deal.

The term I was given for how you should respond is "the principle of the simple explanation." People are totally ready to believe you, so just say no in the simplest way possible.

In the middle of some other response just include a line like:

"Re: source code access. No, our source code is proprietary and we don't share it."

Or even more simply "No, we don't share access to our source code."

This. The request may be a big deal to you, but it isn't necessarily a big deal to the client. Don't go big on the ultimatums and alternative plans until they indicate that it is a deal-breaker for them.
Your no answers reminds me of an experiment I read about where they determined people were more likely to accept a request if you included pretty much any justification, even when totally self evident.

E.g people are more likely to cut in line at the copier if you say 'can I cut in line, because I need to make a copy'. Even with an inane excuse like that (everyone else there also needs to make a copy) people are more likely to accept.

So your first example is likely the better one, even though the reason given is basically void of explanatory content.

To be honest I might be at the copy machine to make a copy but I might not actually need to make it then and there. I might be able to re-print it, or do it later. When someone tells me he needs to do that then I think maybe it's more urgent than mine. I wonder if there are subtleties like this that explain these in reality.
But that is the case for almost anything. Exceedingly few things are things you need to do right then, right there, or even at all.

For some it is more important, and they won't yield, but some proportion will doing something because the cost of doing it is low enough that there's no reason not to.

In that case giving a reason creates a cost in persisting in that you need to consciously think through whether or not it's worth arguing over, and if so what to respond. And sometimes that is enough that you'll just shift your focus to something else and not bother.

I have no doubt the effectiveness will vary greatly depending on type of action, and that it will vary greatly depending on other factors tied to why people wanted to carry out a given action in the first case, of course, but I also think people ask for or do a lot of things where they have not really made a conscious decision that they need it, just decided on a whim that there's no reason not to ask.

Especially with group dynamics involved, it might have been as simple as someone asking a question in a meeting ("do we need the source?" for example) and someone deciding "might as well ask for it, just in case", with nobody actually caring enough to defend it i you stand up to the demand. In that case the need is low enough that even a totally inane excuse for saying no might stand up even if it on the surface looks like a big, important question.

Everyone in here is generally giving you the right advice.

If you want someone to help specifically advise, guide you through the process, and potentially represent you in negotiations, feel free to get in touch and I can probably help.

By way of background, I primarily work with investors who are selling middle-market software companies to larger companies (over 80 or so personally and oversaw another 80 or so, over the last 3 years). I have a lot of insight and experience into contract negotiation from both sides of the table here. I've also worked for/with the big enterprise software players (SAP, Oracle, Microsoft, etc).

I like your “everyone here is here ally giving you the right advice”. At the same time there is lots of contradictory advice.

To me it’s clear that there are lots of possible scenarios with lots of possible “right” decisions. Without more info, i doubt anyone can give better advice than what’s on this forum.

Certainly a professional should be able to give better advice but only after they get more info on the specifics.

Good luck!

1) Yes. I would say "no". 2) Not very. 3) Yes, but they are not likely to be effective or easy to enforce.

If they want to look at it badly enough they can buy it.

They stated their intent was "to see how your algorithms made decisions" that sounds like its your secret sauce. They didn't ask for escrow of source code should you go bankrupt.

Have your people interacting with them be confident enough to tactfully state they will walk away from the PoC if that is a condition.

Coca-cola hasn't revealed theirs, why should you?

Ask more questions about if they are seeing things in the analytics results that don't look correct... that might be their concern if they are basing business decisions on your software.

> They stated their intent was "to see how your algorithms made decisions" that sounds like its your secret sauce.

It's not the secret sauce though. The models are the output.

The secret sauce is the engine that builds it and companies aren't asking for the source for that.

Are you rolling out your product as a SaaS offering, or is this something you're planning to license to people to run on-premises? If the latter, I expect that you'll get lots of requests for source, either for inspection or for escrow.

Personally, I wouldn't be scared of BigCo ripping you off. For the most part, large companies care a lot about staying on the right side of their contracts, and also it's generally really hard for a large company to out-innovate a startup. So I would be pretty surprised to see them steal your source (assuming you put in place an appropriate NDA etc.). EDIT: I'd be even more surprised to see them try to compete; the worst likely case is that they steal the source and stop paying you, not that they steal the source and get into the data analytics / ML business themselves.

However, I think that in the ML world, this "what the hell is the algorithm doing" question is a really common one, and it'd be super-worthwhile to invest in some sort of tooling to peel back the cover of the algorithm a bit. Validation of appropriate responses against future data is a real quagmire right now, to the point that some people are using ML to help find a solution, but then trying to re-implement the logic more traditionally once the ML algorithms figure out what to design for. I think there's something there, at least for a good subset of use cases.

Also, it's common for a large enterprise to require some sort of source code escrow if they do a big deal with a startup. Sounds like this is different than what they're asking for, since the source in escrow won't be available to them until the escrow conditions are triggered. Again, I wouldn't be concerned about signing escrow agreements, but I would make it a negotiation point, rather than a standard term.

Can you elaborate a little on this? The reason I ask is that my experience has been different. I have seen a lot of requests for code escrow (source is released to big company if and only if small company goes out of business) when a large company was dependent on a third-party product, but I have almost never seen a request to review source code (the one exception being selling into classified government environments where security considerations required a source code review).
I wouldn't say it's been the norm in my experience, but I've definitely been on the receiving end of requests for source (both when working at a large enterprise and at a startup). In my experience, this is much more common when selling something that will run on-prem or in process, however.
I work a a large corp and we occasionally run our own POCs or engage externally to learn about significant aspects of a technology or process. Sometimes learning about what matters can make us better at selecting good vendors.

We are generally not in the business of the services our vendors provide and don’t have the staff, expertise, incentives or instructional fortitude to compete.

That said, I’d never ask for a vendors source code (especially on a POC) unless I felt like an escrow situation was warranted if they went out of business.

If I were you I’d ask for

1. Something like a non-compete or exclusivity agreement. They will not replicate the functionality internally or work with another vendor.

2. A lot of money to see the source code. If they are trying to learn from what you have, then you are providing them with a material benefit you should be compensated for. Offer to throw in consulting services if their objective is to learn.

Bottom line, cover the risk that they steal your magic or otherwise benefit without you being compensated.

If my memory serves me right, This is exactly how Microsoft stole Apple's code in the early days
I'm not sure it does.

Apple borrowed ideas from Xerox. Microsoft were given source code for Mac in order to keep producing Office for it. Both Apple and Microsoft have copied UX elements off of each other.

But I don't recall Microsoft stealing Apple's code. Maybe copying some GUI elements at most...

(comment deleted)
If their justification is "we want to see how your algorithm made its decision", you should perhaps have your model output more stats and infos about that.

As a user of data tools myself, I am generally suspicious of any black box model, and would like to understand the model well before using it. For instant if your model is a deep neural network, I'd like to know the structure of the network and the activation of the layers when I run my data through it.

If they're really interested about the guts of the model they will agree to a solution like that. Having the source code will certainly not help them understand this as it is highly unlikely that anyone will dig into this.

Note that asking for the source code is fairly common practice in finance cause people generally distrust black boxes (at a firm I worked for they specifically chose MySQL over some other tools because they had the ability of looking through the code if they needed to).

There is actually no point for them to look at your code...

You can agree to something where if you go bust, then you'll give them the source code.

That is the very problem with ML, it comes up with answers but provides no insight as to how. For example, you teach a vision ML to detect balls of various colours in pictures, then give it pictures of battleships - it might see the bubbles in the wake as balls, but won't tell you there is a great big hulking grey thing in the picture.

Escrow arrangements are common to protect clients from software vendors going bust.

1) Yes - We said no because the source code is an embodiment of our trade secrets and the basis of our company but we'd be happy to answer your questions.

2) Likely they aren't trying to "steal" you IP. They stated their goal as them want to see how your algorithms made their decisions. So just answer as best as you can without giving away your trade secrets.

3) Yes, there is a way to do this with legal protection. Which would be to follow a clean room process. However, this is pretty expensive for a small company to do. So I wouldn't offer it.

I've had customers ask to see certain parts of the source, and we've never done it – it has also never been a dealbreaker. If it is, I'd be very suspicious of that deal.
Gut answer is No.

Honestly, they are no experts, or they wouldn't need you, so them reading and interpreting your code is a patently ridiculous request.

However, there is a huge opportunity here, based on the fact this is new ground for you and them. If they are truly worrying about justifying later the decisions to be made, then you CAN agree to design a report based on whatever your engine is doing, that shows addditional useful data (i.e., not just the correct decision in each situation, but the likelihood of it being correct or expected return). Invent a middle-ground solution.

Then make them agree TO PAY FOR THIS REPORT AS PART OF THE CONTRACT.

By the way, there is a saying in negotiating that you may want to repeat to yourself a couple times: "If you're not willing to say 'no', then you are not really negotiating."
Most of the people in this thread clearly don't understand the situation as Analytics/ML is quite different to normal IT.

1) The company is not going to acquire you nor will they sue you.

2) They absolutely want to replicate what you've done. It's not so that they can build their own startup and compete with you. It's because they genuinely want to understand how you got the results. Companies are increasingly basing their decisions on ML models and it's not acceptable for them to just "trust your black box". Especially since your model could be based off a misunderstanding of the data.

3) If you decide to say no then chances are they will walk away. Especially in the ML space companies are not going to let their core intellectual property be locked away in someone else's vault. They will simply not work with you.

4) The best way to handle this is simply to get them to sign a NDA or something equivalent that protects you in the case that a rogue employee decides to build a startup him/herself.

I am someone who works in ML for an enterprise company. For god sake give them the code and be grateful they are even doing a PoC with you.

Best answer here. I am in the exact same situation BUT I actually share the code from the get go because of the need to understand decisions (and GDPR is going to make that even more important). If the OP company is doing something that is not possible elsewhere then fine but if they are just allowing them to goto market faster then the effort to re-engineer and get working (particularly in the AI/ML space) is pretty time consuming. EDIT: I think that the time of proprietary algorithms as MOATS are an old way. Things are moving SO fast now that your business is going to be outdated with the next release of Tensorflow or whatever is over the horizon.
This is a massively important point (if you're selling to the EU) - as part of GDPR companies need to have a way to audit the decision making process if a decision is being made by a computer.
What happens if they have their own scientists take a look at the model and decide to replicate it internally without paying a cent?

Knowing the sorts of decisions that were made around what types of algorithms and features to use (obvious after a cursory examination of the code) would give them a huge leg-up in developing a similar model.

Ask them what their real needs are. Odds are they really want one of the two following. Protection in case you go out of business; Protection in case you have a legal violation (ie you use GPL code and they link to you - suddenly their code is GPL).

If it is the first, code escrow is very common. You should probably set this up as a gesture of goodwill even if they don't ask for it.

If it is the second, there are tools that you can run to ensure you don't (you should anyway - though the tools tend to be "enterprise software" and thus expensive for what they do). Once you are sure you are free from that type of them a lawyer can draw up legal indemnification documents.

If it is anything else, this is done - for an additional fee. 20 years ago a company sold us an OS, as I recall the price for source code was $100,000 on top of all other costs. My company refused to pay even though it would have saved far more money if we had been able to understand what the code was doing, and thus been able to integrate our code better.

I'm not sure what legal requirements were in place, but you should defiantly have a lawyer who knows this area of law create the agreement. Not just any lawyer, one with experience is worth paying for - find the lawyer first and pay him $200 to give a high end estimate of his costs to draw up the agreement - this is your minimum price for seeing the code. (which is to say you expect to make nothing after the lawyer is paid unless a second customer also wants source code)

Unlike most I wouldn't reject it. However it should be an additional expense, and it should be covered by some strong legal language.