Technical and Organisational Measures (TOMs)
1. Introduction
Escrow365 provides a fully online, self-service source code escrow platform that allows software vendors and their customers to establish and manage escrow agreements digitally.
Through the Escrow365 platform customers can:
- Conclude escrow agreements online
- Securely upload and update source code deposits
- Manage escrow agreements through a self-service portal
- Initiate and manage release procedures electronically
The Escrow365 service is designed as a secure digital escrow environment, combining streamlined user workflows with enterprise-grade security controls. This document describes the Technical and Organisational Measures (TOMs) implemented by Escrow365 to protect deposited escrow materials and the platform through which the service is delivered.
2. Security Foundation
Escrow365 operates under a certified Information Security Management System (ISMS) based on the international standard ISO/IEC 27001:2022.
Certification details:
- Standard: ISO/IEC 27001:2022
- Certification body: DEKRA
- Certification effective date: 14 October 2025
- Certification validity: 14 October 2028
The certified scope includes:
- Online provision of technology escrow services
- Digital onboarding and agreement execution
- Receiving, storing and managing escrow deposits such as source code
- Updating and releasing escrow materials
- Supporting operational and administrative processes
The ISMS governs the people, processes, technology and infrastructure supporting the Escrow365 service.
3. Organisational Measures
3.1 Information Security Governance
Escrow365 maintains a structured Information Security Management System (ISMS) supported by documented policies and procedures.
Core governance documentation includes:
- Information Security Policy
- Risk Management Framework
- Access Control Policy
- Incident Response Procedures
- Business Continuity Plan
- Supplier Security Management Policy
These policies are:
- Approved by management
- Periodically reviewed and updated
- Communicated internally
- Mandatory for relevant personnel
Risk assessments are conducted regularly and whenever significant operational or technical changes occur.
3.2 Roles and Responsibilities
Security responsibilities are clearly defined within the organisation.
Measures include:
- Defined information security roles
- Segregation of duties
- Designated security management responsibility
- Management oversight and governance
Security responsibilities are embedded within operational processes including escrow onboarding, deposit management and release procedures.
3.3 Personnel Security
Escrow365 implements personnel security measures designed to protect confidential escrow material.
Measures include:
- Background screening where legally permitted
- Confidentiality and non-disclosure obligations
- Security awareness and training programmes
- Defined security responsibilities during and after employment
Where remote working is permitted, it is governed by defined security policies and controls.
3.4 Incident Management
Escrow365 maintains a structured information security incident management process.
This process includes:
- Detection and monitoring of security events
- Incident classification and assessment
- Containment and remediation actions
- Documentation and evidence preservation
- Post-incident evaluation and improvement
Security incidents are recorded and managed in accordance with ISO 27001 requirements.
3.5 Business Continuity
Escrow365 maintains business continuity and disaster recovery capabilities to protect the availability and integrity of escrow material.
Measures include:
- Documented business continuity plans
- ICT continuity arrangements
- Backup and restoration procedures
- Periodic testing of recovery capabilities
These measures are designed to ensure that escrow materials remain protected and accessible even in the event of operational disruptions.
4. Technical Measures
Escrow365 implements technical security controls designed to protect:
- Confidentiality of deposited source code
- Integrity of escrow materials
- Availability of the escrow platform
- Controlled release of deposits under contractual conditions
4.1 Secure Online Access
Access to the Escrow365 platform is secured through modern web security standards.
Controls include:
- Encrypted connections using TLS
- Secure authentication mechanisms
- Role-based access control (RBAC)
- Session management protections
- Protection against unauthorised access attempts
Access is granted based on the principle of least privilege.
4.2 Identity and Access Management
Escrow365 maintains a controlled identity and access management process.
Measures include:
- Managed identity lifecycle (provisioning, modification and deactivation)
- Periodic access reviews
- Restricted privileged access rights
- Segregation between operational and administrative roles
Authentication credentials and access information are securely managed.
4.3 Secure Upload and Storage of Source Code
Source code deposits are handled through secure digital workflows within the Escrow365 platform.
Deposits:
- Are uploaded through encrypted connections
- Are stored within controlled environments
- Are protected against unauthorised access and alteration
- Are accessible only to authorised personnel where operationally required
Release of escrow material occurs only under contractually defined release conditions and follows documented internal procedures.
4.4 Encryption and Cryptography
Escrow365 uses cryptographic protections to safeguard escrow materials and platform communications.
Measures include:
- Encryption of data in transit
- Encryption of stored data where appropriate
- Controlled cryptographic key management
- Documented rules governing the use of cryptography
4.5 Infrastructure and Network Security
The infrastructure supporting the Escrow365 platform is protected through layered security controls.
These include:
- Network segmentation
- Firewall protection
- Secure configuration management
- Vulnerability management and patching
- Malware protection
- Continuous system monitoring
Infrastructure is maintained in accordance with documented security standards.
4.6 Logging and Monitoring
Escrow365 maintains monitoring and logging capabilities to support security oversight and incident detection.
Measures include:
- Logging of relevant user and system activities
- Monitoring of applications, systems and networks
- Protection of logs against unauthorised modification
- Investigation procedures for suspicious behaviour
Logs are retained and reviewed according to defined procedures.
4.7 Backup and Recovery
Escrow365 maintains backup and recovery controls designed to protect the integrity and availability of escrow materials.
These include:
- Automated backup processes
- Secure backup storage
- Periodic restoration testing
- Protection against data loss or corruption
4.8 Secure Development and Change Management
The Escrow365 platform is developed and maintained according to secure development practices.
Measures include:
- Secure development lifecycle (SDLC) principles
- Separation of development, testing and production environments
- Documented change management procedures
- Security testing prior to deployment
- Secure coding practices
5. Supplier and Third-Party Security
Escrow365 manages supplier and third-party security risks through formal controls.
These include:
- Security requirements in supplier agreements
- Security risk assessments prior to onboarding
- Periodic supplier reviews
- Controls governing the use of cloud and hosting services
Supplier security is managed in accordance with ISO 27001 requirements.
6. Data Protection and Confidentiality
Escrow365 implements measures designed to protect confidential information and personal data.
These include:
- Information classification procedures
- Access restrictions to sensitive data
- Secure data transfer mechanisms
- Secure deletion of data when no longer required
- Compliance with applicable data protection legislation
Protection of confidential source code and escrow materials is a fundamental principle of the Escrow365 service.
7. Secure by Design
The Escrow365 platform is designed as a digital-first escrow service, with security embedded into both the platform architecture and operational processes.
Key design principles include:
- Digital onboarding and agreement execution
- Secure online deposit management
- Controlled escrow release workflows
- Self-service access for customers
- Integrated security controls within the platform
8. Continuous Improvement
Escrow365 maintains a programme of continuous improvement for its information security framework.
Activities include:
- Periodic internal audits
- Independent external audits
- Ongoing risk assessments
- Management reviews
- Continuous improvement of controls and procedures
The ISMS is actively maintained to address evolving risks and security requirements.
9. Summary
Escrow365 provides:
✔ Fully online source code escrow
✔ Secure digital onboarding and agreement management
✔ Self-service deposit and update workflows
✔ Controlled contractual release procedures
✔ ISO/IEC 27001:2022 certified information security framework
✔ Implementation of ISO/IEC 27002:2022 controls
✔ Enterprise-grade governance behind a streamlined digital platform
These TOMs were most recently revised on October 28, 2025.