We are a small 5-person enterprise software startup, operating in the data analytics/ML space. We are working on starting a proof-of-concept with a huge potential customer ($50+bn in revenue). We recently identified our first use case, and are ready to get into contract negotiations.
But then they got back to us with an odd request: they want to see our source code (likely upon completion of the PoC). Given that our core IP is our models and algorithms, we are reluctant to agree. Their justification is: "we want to see how your algorithms made their decisions."
We know that they have lots of resources and are building up internal data science team. And yet it was pointed out to me that their goal might not necessarily be to outright steal our IP, but rather to cover their bases. But we are still worried they might be "inspired" by the parts they see and get their internal teams to replicate across other sites or use cases. And we don't have the resources to litigate, nor any way of knowing they do this.
My questions: 1) Has anybody run into a request like this? How would you respond? 2) How likely do you think their goal is to genuinely "see what happens under the hood" as opposed to replicate in the future? 3) Are there any legal protections we can put in place to prevent them from not just copy-pasting our code, but also from "learning from it" or so?
Well, having worked for a small software startup that did just that, I can tell you what we did.
We agreed to letting them audit the code with conditions.
1. The audit happened on our computers with someone from our team in control (me). I locked the computer when I wasn't physically there to watch what they did. 2. We removed the most sensitive part of the code and told them what it did. We kept the method signature. 3. All of the source code remained on my laptop and my laptop was never attached to their network. 4. We could tell them that we would not answer any question they asked. 5. They paid for expenses and time. It lead to a decent sized contract.
It lasted about 2 days for a medium sized Java application. They asked one or two questions I wasn't allowed to answer and took it well when I told them so.
I am not a lawyer but you can also ask for a non-compete and or a non-disclosure from their individual employees that will conduct the review. Get your lawyer on that before you do it.
It is up to you or your company to decide what to do. No one can tell you if it a good or bad decision for you. At least for me and my company, it worked out. As far as I know the auditing company never developed a competitor and was a customer of my company for a long time to come.
I think this is a signal that you're probably underpriced by a factor of 2X to 10X.
So this is a sales objection. With regards to that justification, I'd want to know a) who in the business is generating it and b) what they expect to feed your answer into.
Is this just somebody who wanted to sound smart in a meeting? Then they don't need your source code; they need ~5 nice PowerPoint slides and you're done. I'd be polite but firm in this case.
Is this e.g. a risk management officer? Then OK, that is a totally reasonable ask. It's going to cost you $20k and some legal wrangling regarding non-disclosure and non-competes, but we will give up to 2 team members of yours up to one business day of access to our code in a clean room on our hardware, under supervision by a technical leader, with appropriate rules of engagement regarding questions.
Is this a business unit head sniffing for new things to build? Then I will not automatically eject out of this conversation, but my price just had another zero added to it, at least.
I'll offer a different pov from many other comments.
I work for a fortune 50 basically doing web server stuff. Right now our security team would like to run some startups code synchronously as a module in our web server.
Their code could easily cost us millions off dollars (if the outage was small). I need to make sure their sdk is free of race conditions, and has proper timeouts and throttling and has proper metrics.
If your product can interrupt billions of dollars in revenue, I'm going to need some assurances and "we're really careful" doesn't count.
Of course they are free to say "no", and we can go our separate ways.
Because we're public we can't always tell vendors how much money they've cost us so when they accidentally point their prod to Dev and cost us millions of dollars all we can do is try and get a credit on this months bill.
I've services described a pretty specific use case, but there are other more generic possibilities. It's great that you have magic data science sauce for scoring customers, but when I get sued for racial profiling "I didn't know they used race as a factor" might not save my ass in court.
It's funny seeing this. I work in one of those big corporates and maybe I can share a little about how they work. From what I've seen this could be completely normal or a huge red flag.
We recently looked at partnering with an analytics company for a credit scoring solution. The idea was to use their SaaS and have a contract in place regarding use, pricing, up-time etc (Corporates will want that). When we kicked off the procurement process internally an army of people got involved. Their was a project manager, a number of lawyers. I believe their were audit and compliance people their too. They ended up creating a project just to figure out what needed to be figured out. Here's where it get's helpful. We couldn't even share what we needed to know with the SaaS team or product owner because that could compromise the investigation. In this case, the corporate's concerns were genuine, numerous and required rigorous answers.
In another case I watched an exec try to figure out how a KYC solution provider has achieved the level of accuracy in identifying ad-hoc documents in the hope of solving the problem with internal resources.
If I were you I would not send them your code. Rather say would not be closed to them asking questions and you answering by showing code as long as it's not the secret-sauce.
Just know that for our scoring problem we actually had to see how the decision was being made because we're subject to a ton of legislation around that.
I ran a SAAS company for 8 years, going from zero to double-digit million rev per year.
The answer is a clear no. They can PAY YOU to make custom plots/charts/reporting or run queries if they want to understand what it does better. There is almost always a way to achieve any business goal without requiring source code.
The only case I can think of source code needing formal verification by a third party is if you're targeting drones to kill people or government jailing people. That doesn't sound like a commercial company in any event.
I have run into requests like these twice.
First time the big gorilla company liked our product and they wanted it for a core process of their business. They knew we were a small startup and they wanted to be sure we were doing things properly. So they asked us for a full audit of the code by a third party company. This external company was a big consultancy and auditing company and they run something like a 'due diligence' process on us and our code. Extremely professional and clear. They never had access to the full source code, only access to pieces they requested and 'only for their eyes' during a short period of time and always supervised by us. Since we wanted to close the deal, everybody worked hard to pass this test. Later on, we signed a source code escrow agreement.
Several years later, I was a working partner for a different company and same situation with a big Telco company. Since I had the experience I was involved in the deal, but this time this company did not want to play fair and it was clear that they wanted to copy the 'magic' of our solution. Their R&D division asked for the source code and they wanted it all the time they needed to study it by themselves. It was crystal clear from the early beginning they wanted to copy us, so we did not sign the deal. Then they tried to hire the core members of our development team for their R&D division.
So the lesson here is any company can screw you if they want and you don't protect yourself. You have to take risks when you are a small company, but your code and core team are sacred. I think most companies prefer to be nice guys rather than being a gang of bastards, but it's good to be cautious.
Find a good lawyer, or better get a good advisor on your board in your company to assess you on how to deal with this kind of negotiations. And never say 'no'; say 'yes, but we would like to do it under our conditions'.
This is just politics.
Find a way to say "yes", which satisfies their need to hear you say "yes", but your "yes" conditions mean they need to spend money (which they won't want to do), and further conditions, even if they do, as other commenters have suggested, make the process dysfunctional.
Watch our politicians in government handle any issue. They are masters of saying "yes" and delivering "no", which makes people feel like they got "yes".
This is a complete no-no. There really is no justification for this whatsoever.
What does "cover their bases" mean?
As them to explain what they are trying to achieve and find other ways to assuage their concerns.
The only legitimate thing is to have something in case you fail and they have "banked" on you. There is a legit way to solve that. basically if they want that tell them they should pay for an Escrow service - that will hold your code and they would receive it if you ever cease to exist. But it's important that they would need to pay those fees (they are significant.)
That should make them back down.
It's entirely unreasonable for them to demand access to source code.
I want to plus one everyone saying no. All of their reasons make sense to me.
In addition, I'd love to help your confidence with getting used to the idea that saying no is ok. I remember being in this situation many times and feeling like if we said no we'd lose the client and maybe go out of business.
But truly, clients often ask for things that aren't very important to them and they will not mind being told that the answer is no.
The mistake you can make here is to blow up your no answer into a big deal.
The term I was given for how you should respond is "the principle of the simple explanation." People are totally ready to believe you, so just say no in the simplest way possible.
In the middle of some other response just include a line like:
"Re: source code access. No, our source code is proprietary and we don't share it."
Or even more simply "No, we don't share access to our source code."
If they are trying not to end up in the situation where you go out of business and they are screwed, offer them to escrow the code for a certain amount of money. If you go out of business, they get the code. If you do not, they don't
Hi i'm founder of https://bitbank.nz a trading prediction and stats platform that uses machine learning to predict cryptocurrency price, seems very similar to problems we have been facing.
After a quick call with a massive customer and walking them through our forecasting strategy and code we saw an abrupt end of communication after that!
Brain rape like something straight out of a silicon valley TV show https://www.youtube.com/watch?v=JlwwVuSUUfc
After giving away our secret sauce they simply cut all communication and one can only assume they are implementing their own version of what we have now...
If they are such a huge customer they should be prepared to pay like everyone else should be if you can prove from your predictions/charts that your algorithms performance is solid.
Give them a short free trial but be careful not to give them too much for free.
We now only offer a 1 day free trial and the value should be obvious after that, start with a crazy price and slowly drip feed discounts, product features and trial extensions like you would market to a normal customer, if they are going to do invest time doing any custom integration with your apis ect then why cant they invest money upfront too?
Its easy as a scientist to not make a strong sales standpoint but your worth more than you think!
This is a simple case of "Big clients expect to own their little consultants,"
What do you do if they ask for customizations? What do you do if they request features that are not on your roadmap? What do you do if they ask for a large discount?
How you decide those cases determines how much your business is like a startup moving fast and not negotiating over source code disclosure and how much your business is like an enterprise consultancy that prices out each request for one off work by their clients. There's no right answer. But clarity about how a particular client affects your business model and whether or not that client is worth having right now is important. Are there other potential customers who are easier to service?
It is not clear from the question whether this request is part of ongoing contract negotiations or presented as a prelude to negotiation. If the former, put a price on it. If the latter, it smells a bit like a "no" in the form of a "maybe" or window shopping without much intent or someone higher up with purchasing authority putting on the brakes. Figure out an expected value of the client by assigning probabilities to various size contracts closing at different points in time.
No way in hell would I show my code if that was my gold. But if you don't get the business otherwise, you have a choice to make. In my experience, people and corps are bastards and will say anything to get what they want. Don't be a sucker, be wise.
Provide a counter offer. If they want to see your code, counter with "we will show our code when you provide a 10 year contract with X dollars per month/year". Then I would do it.
They are covering their ass, so cover yours. People and businesses who are strong, respect others that are strong.
All my clients will rip me off if I let them. ALL OF THEM. They can't help it. If you asked your cable company "can I have free cable for a year?" And they said "yes", wouldn't you take it? That is what is happening to you. They are testing you.
If you are desperate and foolish, they get your code for free. If you are brave and wise, they get a good partner.
Take a leap of wisdom.
Most of the people in this thread clearly don't understand the situation as Analytics/ML is quite different to normal IT.
1) The company is not going to acquire you nor will they sue you.
2) They absolutely want to replicate what you've done. It's not so that they can build their own startup and compete with you. It's because they genuinely want to understand how you got the results. Companies are increasingly basing their decisions on ML models and it's not acceptable for them to just "trust your black box". Especially since your model could be based off a misunderstanding of the data.
3) If you decide to say no then chances are they will walk away. Especially in the ML space companies are not going to let their core intellectual property be locked away in someone else's vault. They will simply not work with you.
4) The best way to handle this is simply to get them to sign a NDA or something equivalent that protects you in the case that a rogue employee decides to build a startup him/herself.
I am someone who works in ML for an enterprise company. For god sake give them the code and be grateful they are even doing a PoC with you.
Everyone in here is generally giving you the right advice.
If you want someone to help specifically advise, guide you through the process, and potentially represent you in negotiations, feel free to get in touch and I can probably help.
By way of background, I primarily work with investors who are selling middle-market software companies to larger companies (over 80 or so personally and oversaw another 80 or so, over the last 3 years). I have a lot of insight and experience into contract negotiation from both sides of the table here. I've also worked for/with the big enterprise software players (SAP, Oracle, Microsoft, etc).
If their justification is "we want to see how your algorithm made its decision", you should perhaps have your model output more stats and infos about that.
As a user of data tools myself, I am generally suspicious of any black box model, and would like to understand the model well before using it. For instant if your model is a deep neural network, I'd like to know the structure of the network and the activation of the layers when I run my data through it.
If they're really interested about the guts of the model they will agree to a solution like that. Having the source code will certainly not help them understand this as it is highly unlikely that anyone will dig into this.
Note that asking for the source code is fairly common practice in finance cause people generally distrust black boxes (at a firm I worked for they specifically chose MySQL over some other tools because they had the ability of looking through the code if they needed to).
There is actually no point for them to look at your code...
You can agree to something where if you go bust, then you'll give them the source code.
1. Ask for a giant pile of money for the privilege.
2. Come up with visualization that answers their question without giving them access to source code. Presumably "how do we know we can trust results" is a common problem.
3. Walk away.
my .02 from having been CTO at a SaaS analytics company for a long time: "we want to see how your algorithms made their decisions."
that's great product feedback. and a problem you need to solve. You shouldn't solve it by handing out your source code.
I've read most of the comments here and I think many of them are off track.
You need to take this approach when dealing with a large potential customer : let's not get into the weeds of what you are asking for, but rather tell me what the underlying need is. That might, for example be : "we'll rely on your code to secure our customers' sensitive data and so we need to take steps to ensure you are practicing industry best processes for security". That need could be addressed by having a third party review your code and processes, protecting your IP.
In your case they said :
"we want to see how your algorithms made their decisions."
For me this would be a "Hello no", perhaps put more politely. You're building a product that has value embodied in those algorithms. The customer is paying you for that service. Therefore you should take absolutely no steps to tell them how it works. There is only downside.
I used to work for a smallish (<50 headcount) company that sold high-value software with a LOT of secret sauce in it (image processing algorithms) mostly to telco, wireless, and MSOs. The primary reason those folks wanted the source code was as insurance that if, as a smallish company, you went out of business, they would be jolly-well-rogered if they had deployed your stuff in the middle of their mission-critical revenue-generating operations. Our solution was always to use a mutually agreed third-party source code escrow service such as Iron Mountain. The only escrow release triggers were company insolvency/bankruptcy, or refusal to meet the SLA of support requests for an extended period of time (the -Off Clause).
> 1) Has anybody run into a request like this? How would you respond?
Yes. Satisfy their justification without showing code. It is possible to show how algorithms made their decisions. Make this part of your product. You already noticed there is a demand for it and that delivering a black box can be a deal-breaker. So read up on LIME, decision paths, interpretable models on black box output, etc. and give them the capability to see how an algo made its decision.
> 2) How likely do you think their goal is to genuinely "see what happens under the hood" as opposed to replicate in the future?
Unlikely they'll replicate. It would set them up for legal problems. Depending on how deep your moat is (training data, novel optimization techniques, encoded domain expertise), they probably wouldn't even need to see source to replicate in-house. It may be more about not being hood-winked, paying top dollar for a product that does a few imports from open source libraries.
> 3) Are there any legal protections we can put in place to prevent them from not just copy-pasting our code, but also from "learning from it" or so?
Not that I know of. Perhaps you could charge extra for the code review, so in the case of "learning from it" they'll at least pay for it. A thought exercise: did you learn from open source/open research/commercial solutions before building your Proof-of-Concept? If no, then they don't need to either (provided they can hire the talent), if yes, you are like a thief who is worried they will steal from you :).
Unless downtime of your application results in money lost for them (as opposed to bad decision making) then I would probably say no to this. If it comes down to "Is the data science good enough?" that is basically a sales objection. If you can, talk about success with other companies and your track records. There are legitimate reasons for a customer to need to see your source code, verifying that you can do your job is not one of them. Treat like a sales objection.
You can find templates for proprietary information agreements at EveryNDA:
Defeat the Confusion: Confidentiality v. Non-Disclosure
Examples of Microsofts Shared Source licensing can be found as well. These contracts are typically reserved for heavy hitters. Who have enhanced security or performance requirements. FBI, JP Morgan, etc. And of course Microsoft has open sourced large portions of its own dev tools and sdks.
Microsoft Shared Source Initiative
I think what you may begin to realize is that its their alternative data that represents the motherload. And its not your algorithms but level of service that will differentiate you. The insights mined from that alternative data may be so valuable as to outweigh your other concerns. And gaining access to it might be the paramount mission for your startup. As the executive, ultimately its your call. Good luck!
Are you rolling out your product as a SaaS offering, or is this something you're planning to license to people to run on-premises? If the latter, I expect that you'll get lots of requests for source, either for inspection or for escrow.
Personally, I wouldn't be scared of BigCo ripping you off. For the most part, large companies care a lot about staying on the right side of their contracts, and also it's generally really hard for a large company to out-innovate a startup. So I would be pretty surprised to see them steal your source (assuming you put in place an appropriate NDA etc.). EDIT: I'd be even more surprised to see them try to compete; the worst likely case is that they steal the source and stop paying you, not that they steal the source and get into the data analytics / ML business themselves.
However, I think that in the ML world, this "what the hell is the algorithm doing" question is a really common one, and it'd be super-worthwhile to invest in some sort of tooling to peel back the cover of the algorithm a bit. Validation of appropriate responses against future data is a real quagmire right now, to the point that some people are using ML to help find a solution, but then trying to re-implement the logic more traditionally once the ML algorithms figure out what to design for. I think there's something there, at least for a good subset of use cases.
Also, it's common for a large enterprise to require some sort of source code escrow if they do a big deal with a startup. Sounds like this is different than what they're asking for, since the source in escrow won't be available to them until the escrow conditions are triggered. Again, I wouldn't be concerned about signing escrow agreements, but I would make it a negotiation point, rather than a standard term.
I'm willing to be that the same company wouldn't ask Microsoft or IBM to see the source code of the software they buy from them. So I'd start by wondering why they can't treat your software, too, as the proprietary black box it is.
Is it because they're aware that you can't convincingly threaten them with litigation? Do they think you're too small to protect yourself effectively from the danger of IP theft?
If that is the case, then the answer is clear.
If the client actually has legitimate concerns- couldn't they ask you to run some specific tests, or make some experiments, and report the results to them? The amount of time spent to think of such tests should not be more than the amount of time needed to review your code and you could argue that examining the behaviour of your system can be more informative than looking at the source code.
I have not run into issues like this, but I would at least make an attempt to meet them in the middle. NDA's and the such are not something I would be confident in, particularly given that this customer can throw a lot more money and effort into legal.
Regarding meeting them in the middle, I would put together a presentation that describes how your algorithm works at a high level. I'd do your best to split the balance between being transparent and focused on the customer, and not divulging what you consider to be differentiating parts of your implementation.
If you get push back for the above, I think you're dealing with either brain rape, or some pretty unprofessional contacts in your customer's organization. If it's the latter, you should do your best to navigate around those contacts.
Another data point, but I worked for a company that made an expensive DSS for a very lucrative industry. We showed a potential "partner" our code and how it worked and everything. They took our ideas and made their own product as a direct competitor. Reminded me of Apple and Xerox.
Definitely get legal council involved.
A possible way to protect yourself is print it out and put it in old fashioned binders and let them see the binder while you are watching. Not sure if that will fly, but it would be hard(er) for them to steal it. Tell the company your concerns (which are valid) and what methods they would accept. I don't think it's unreasonable for you to bring it up with them.
I used to work for a company that did model risk management consulting for large banks and source code reviews were a standard part of what we did. What sounds different from the OPs situation is that it is the customer who would be conducting the review and not a third party. Take everything you read here with a grain of salt but it would be best to consult a lawyer. Even if you hold the patents for what your software is doing under the hood it may difficult and expensive to sue in the event that your customer does simply copy your secret sauce
My partner and I met with Google ATAP after emails and conversations.
Our experience if I was you is to be weary. Google just wanted to see our secret sauce and once revealed kick us to the curb.
They need to pay you or you walk away!
Sam Ritchie from Stripe was a guest on This-Week-in-Machine-Learning/AI (TWiMLAI) (podcast) talking about explaining black box predictions.
TL; DR is basically you keep a decision tree in parallel to your model that carries with it long/short-form text that "explains" why the model does what it does.
Here's a somewhat contrarian view - if what you are making is so good (or unique/special/non-trivial) that it is valuable to more than just one huge customer, then just because they are huge and you are seeing dollar signs, doesn't mean you should agree to their request without due consideration.
They may attempt to compete with you or re-implement what you do, but again - if what you did is so good and perhaps non-trivial to re-implement (an assumption), then you should consider the value of what you have above their immediate demands. They might not have to be your "only" customer.
If you are trying to build a business to last on your own, you must ask yourself, is this the kind of customer I want?
Of course, you should consider who the customer is and their mission/vision/values/actions, what your and their goals might be in this instance, how to accommodate their request (like the suggestions for code escrow, etc.) while protecting yourself (surely there are ways through a competent IP lawyer).
Sometimes the big customer can break (or make) your company. I think your course of action depends a lot on what you have and what you want.
That they are interested in you so seriously is probably a good sign, as much as it is something to be concerned about. Consider the value of your use case and what it might be to others as well.
This might be me being naive, but, if they will be good to work with, and a good customer to have, they will be willing to work with you fairly. Otherwise, be cautious and consider the calls for legal advice.
According to to their stated motivation, they're not actually interested in the source code: they want to know how your software makes decisions, presumably important ones on behalf of their business. The people who articulate such a request (management), as a rule, are not qualified to answer it by looking at the source code. If that is indeed their concern, they've probably filtered it through their internal development shop, who's come up with the idea that they could review the source code and answer. Management thought that was a splendid way to do it - no need to bother you guys with such tedious busywork (OK, probably slightly rose-tinted, but the general outline of the narrative is plausible).
If this understanding is what they're really after, then that's what you need to think about answering. Worrying about ML as an opaque black box is a bit of a thing these days, so it will probably come up with future clients as well.
If you answering this is not satisfying to them, and they keep insisting on the source code, and they can't articulate why, then they are not being honest, and you should walk away (or at least clearly state that if they don't withdraw that requirement, there will be no agreement).
Ask them what their real needs are. Odds are they really want one of the two following. Protection in case you go out of business; Protection in case you have a legal violation (ie you use GPL code and they link to you - suddenly their code is GPL).
If it is the first, code escrow is very common. You should probably set this up as a gesture of goodwill even if they don't ask for it.
If it is the second, there are tools that you can run to ensure you don't (you should anyway - though the tools tend to be "enterprise software" and thus expensive for what they do). Once you are sure you are free from that type of them a lawyer can draw up legal indemnification documents.
If it is anything else, this is done - for an additional fee. 20 years ago a company sold us an OS, as I recall the price for source code was $100,000 on top of all other costs. My company refused to pay even though it would have saved far more money if we had been able to understand what the code was doing, and thus been able to integrate our code better.
I'm not sure what legal requirements were in place, but you should defiantly have a lawyer who knows this area of law create the agreement. Not just any lawyer, one with experience is worth paying for - find the lawyer first and pay him $200 to give a high end estimate of his costs to draw up the agreement - this is your minimum price for seeing the code. (which is to say you expect to make nothing after the lawyer is paid unless a second customer also wants source code)
Unlike most I wouldn't reject it. However it should be an additional expense, and it should be covered by some strong legal language.
I don't think this is that extra-ordinary of a request. I work in FinTech, and we have routinely had large financial institutions who hire third-party companies in doing code audit and reviews. The key is the third-party companies who do this for their business.
I think the key for you is that it needs to be a third-party company that specializes in these types of code audits. I would NOT just hand over source code to the actual company.
If they require proof that your models are working, you should be able to show them simulations to that effect.
If it is a matter of due diligence, then it should be something that is discussed between your lawyers and the company's lawyers.
If this ask is coming from the engineering side of the company then that is a red flag.
You should also think of the impact in terms of acquiring other customers once you have opened a bit too much to this customer.
This is a legal issue which files under compliance. Many times enterprises that are looking to acquire a small company they will request code audit. This audit usually is requested after the agreement of sale. For legal reasons, this provides the safety that your company doesn't provide any compliance issues moving forward in your code. This process is just playing it safe so there wont be any legal issues moving forward. WhiteSource easily verifies license compliances on premises or using their Saas program. They provide a very timely report that will ease the process. https://www.whitesourcesoftware.com/open-source-license-comp...
(Customer has $50+bn in revenue) tells us nothing. How good is it going to be for YOU? Because that should be the main data point for this decision. You might want to charge them 10X-50X the usual price if their request involves trade secret disclosure.
Insofar as their motives are concerned, you should assume the worst; that that they will steal your IP and force you into endless litigation. From a game theoretic min/max perspective this is a sound way to think about it. It's also reasonably likely. There is a good chance they want you to get them started on a problem they don't know how to solve and then they will iterate off your solution. Happens all the time. Imo, if you are building a business in this space, you shouldn't let them do this to you.
Other options: Offer to add some explainable AI visualization stuff into the app. Hide the best parts behind a web service and only agree to give them the source code for the gui. It sounds crazy but people will agree to compromises like this all the time.
The answer is no. I had huge enterprise customer do the same thing, asking lots of questions. We didn't tell them much but they were asking very detailed questions as to the how. They didn't follow through with the deal and released a competing product about a year later.
They were simply fishing us for answers on how to solve problems.
Nope, never let them see it. Those algorithms are key to your success.
Unless they are buying your company and are doing due diligence.
If I were you and I decided that this is worth it, I would try to arrange the deal so that it only occurs after all of their other due diligence has been completed, and the source code audit is the last remaining obstacle to doing the deal. And I would insist that they first define, at least roughly, what it is acceptable and unacceptable. So, after the audit is completed, unless they can point to something in the code that is unacceptable, then they are compelled to go through with the deal.
You want to avoid a situation where you accommodate them on this, and they come up with some other hoop you have to jump through. Or where they give you some vague excuse like, "thanks, but we decided to go in a different direction" and walk away.
I've seen huge enterprise customers ask similar things in the past. Especially with startups, they know that if they decide to steal your algorithm and replicate it, you will never be able to afford to sue them. I've seen a number of enterprises where they had a team large enough that they could throw whatever resources it took to build your solution and once they had some ideas how it worked, then they were off to the races.
It could also be a bluff to see how far they can push you. Enterprises love to ask for ridiculous things to see if they can get it. I once worked for a fairly large retailer ($10b/yr) that wanted to put into a contract with Microsoft that they could have access to the Windows and SQL Server source code.
Clarify if the concern is Chapter 11 motivated.
We've put source code in escrow to address concerns of going out of business.
But if they really just want to see IP (which is fluid and changes every 90 days), then I'd only provide abstract diagrams and maybe decision tree outputs from the ML.
In a past life I was at a SaaS company that was asked this from every single customer (and they were BIG customers). We always said no. No, no, no.
You know why? It was not secret sauce at all and boolean logic. Amazing how the wool was pulled over a pile of rubbish ;)
I used to work a large investment bank, and it was not uncommon for our clients and auditors to ask about how we handled, security, financial transactions etc. Our rules were pretty much as follows.
1. Everyone involved signs an NDA. 2. No property of the bank is allowed to leave the premises at any point in time. Any supporting documentation was printed out and they were allowed to review it in certain designated rooms. The documents were not allowed to leave that room and they were reviewed to make sure nothing was missing at the end. 3. Any questions must be provided in writing so there is a record of the question and response.
No one gets the secret sauce. They pay for your results.
Gut answer is No.
Honestly, they are no experts, or they wouldn't need you, so them reading and interpreting your code is a patently ridiculous request.
However, there is a huge opportunity here, based on the fact this is new ground for you and them. If they are truly worrying about justifying later the decisions to be made, then you CAN agree to design a report based on whatever your engine is doing, that shows addditional useful data (i.e., not just the correct decision in each situation, but the likelihood of it being correct or expected return). Invent a middle-ground solution.
Then make them agree TO PAY FOR THIS REPORT AS PART OF THE CONTRACT.
Would be good to know if its SaaS or something that goes into their datacenters.
If you are SaaS, I would not share source code. Ever. I often get questions from potential enterprise customers, and while pushing back is not always easy, the reasons are respected. One argument is that you are protecting other customers/tenants by not allowing it, and you will do the same for them when they are onboarded.
If its in their datacenters, there are many reason they might want to see source code (licensing, security, scalability etc). But i would still argue you could keep your core algoritm IP out of that.
Other thoughts: Are they vetting you for potential acquisition?
Reply back with “is this an acquisition offer?”
1) Yes - We said no because the source code is an embodiment of our trade secrets and the basis of our company but we'd be happy to answer your questions.
2) Likely they aren't trying to "steal" you IP. They stated their goal as them want to see how your algorithms made their decisions. So just answer as best as you can without giving away your trade secrets.
3) Yes, there is a way to do this with legal protection. Which would be to follow a clean room process. However, this is pretty expensive for a small company to do. So I wouldn't offer it.
Give them a test: if they are reasonable they will respond to anything reasonable in a reasonable way. So ask them in detail why they want to do this, how they want to do it, are there alternatives. If they answer in a fair and honest fashion, then propose some way to solve their problem in a way that is fair to you. There are lots of good suggestions here: third party, at your site, hiding the secret sauce, etc.
If they are bullies, irrational, arrogant or silly, then save yourself lots of headaches and very nicely say its not something you can do.
They stated their intent was "to see how your algorithms made decisions" that sounds like its your secret sauce. They didn't ask for escrow of source code should you go bankrupt.
Have your people interacting with them be confident enough to tactfully state they will walk away from the PoC if that is a condition.
Coca-cola hasn't revealed theirs, why should you?
Ask more questions about if they are seeing things in the analytics results that don't look correct... that might be their concern if they are basing business decisions on your software.
It is so funny to read very decisive answers with no explanation and/or not mentioning if author has any real world experience dealing with this kind of deals and/or machine learning.
Is this the business side asking? They're implicitly giving you product guidance here.
I'm also in the DS/ML space, and there is an absolute dearth of explainability in our models. It's atrocious given the decision that are based on these models to not be able to explain why they come up with what they did.
Get back to them and tell them you'll add explainability to your models. Even if it's just something simple like LIME (vary each input to a model, measure the change it produces - works for any model).
1) Were they stakeholders or from legal?
2) They are likely looking for concrete methods they can leverage as the platform grows.
3) Don't give them access to the entire kitchen if they're only asking for a recipe.
I'd show my source code if I were you -- for one simple reason. Most data science teams in large enterprises suck. Even teams that have technical chops, I can tell you with experience that they won't be able to achieve anything even if they have access to your code. Having a solution is a minor thing for an internal team to push out a solution. You as a startup have more chances of success than an internal team. I'v been on both sides, multiple times and it's not even close.
When I worked for a very large networking company, we wanted to bring in a small company's only product which would have been central to the day-to-day running of engineering. Because they were so small with so little track record, we wanted to make sure that we could get their source code should they ever go out of business.
I can't think of a good reason to require code inspection prior to purchase. Testing, measuring, and generally trying to break the code during evaluation seems fair game though.
If you were selling, you would be obliged to do this, under enforcable contract terms which penalize theft of the IPR.
I think the onus would be similar for the single customer model. In effect, if you are coding to deliver to them, and they are bankrolling your deployment, they're buying you in all but name. So, the conditionality on their checking of your IPR, should be the same as selling your IPR.
A point to make:
The company asking to see your code has deep pockets. That means they have a whole lot to lose if they breach a contract and steal your intellectual property.
So, if you put together a well-crafted non-disclosure and non-compete contract their risk is high if they mess with you. It'll cost you something to get a solid contract, but it may be worth it if you also get the business.
Is there such a thing as an "independent code review", I would be perfectly happy to give an independent auditor access to my source code???
They could verify it works, that it will preform at scale, and that it doesn't have security vulnerabilities. But I wouldn't want to show that source code to a client who would potentially build the same product themselves.
> How would you respond?
In these situations it's best to ask yourself a simple question: what would Coca-cola do if they asked to see the formula.
I am a little surprised by many of the answers here. I thought the conventional wisdom here was, essentially, "Your source code is not as valuable as you think it is". For what it's worth (literally 2c probably), my $0.02 is that I agree with that conventional wisdom. Don't be anal about this, nobody wants to steal your source code.
What would you see this technology outright for if they just asked you to cash out and leave? Double or triple that amount and ask for it to be put in escrow as security, subject to release on the decision of an arbitration panel consisting of 3 academic computer scientists. They'll refuse of course, but it gives you something to negotiate with.
I'd show my source code if I were you -- for one simple reason. Most data science teams in large enterprises suck. Even such teams have intellectual brain power, I can tell you with experience that they won't be able to achieve anything even if they have access to your code. Having a solution is a minor thing for an internal team.
There's a lot of technical focus here. For me, it's about the money. If a client is going to pay me £3m to use my software, you're damn right they can review our source code. As the amount of revenue/profit declines, so too does my desire to expose my business to the risk of a source code review.
Surely this is what trade secrets laws are for.
Probably if you get then to sign some kind of non-compete non-copy contract and hand over the source then if they do decide to cut you out, you can just sue them and make more money than you would have as a startup anyway.
Get it legalled and then just hope they overstep.
I'm not experienced with these types of situations but my common sense is telling me that you could, and should, make a high level design presentation.
That could include snippets of code where appropriate to show exactly how decisions are being made.
This presentation will likely benefit you in the future.
Yes, if forced, ask for an escrow source code agreement where you release source code only in the instance of your company's bankruptcy/insolvency and they are stuck with an unfinished product. Otherwise, this is too great a risk of your sauce being out there.
I work a a large corp and we occasionally run our own POCs or engage externally to learn about significant aspects of a technology or process. Sometimes learning about what matters can make us better at selecting good vendors.
We are generally not in the business of the services our vendors provide and don’t have the staff, expertise, incentives or instructional fortitude to compete.
That said, I’d never ask for a vendors source code (especially on a POC) unless I felt like an escrow situation was warranted if they went out of business.
If I were you I’d ask for
1. Something like a non-compete or exclusivity agreement. They will not replicate the functionality internally or work with another vendor.
2. A lot of money to see the source code. If they are trying to learn from what you have, then you are providing them with a material benefit you should be compensated for. Offer to throw in consulting services if their objective is to learn.
Bottom line, cover the risk that they steal your magic or otherwise benefit without you being compensated.
Isn't this one of the big research areas in the ML space? ie explaining how a model made a decision. This is hard if you have the source code. Personally, I'd look into how to explain your model without giving away the secret sauce.
Isn't the logical question to ask "Why do you need to see how our algorithms make their decisions?" Surely if this is due to legal issues then they can point you to the relevant law?
Do not show. Enterprise customers are known to string startups along, and then not buy anything. They don't even think it's wrong -- to then, a couple of months is nothing.
I've had customers ask to see certain parts of the source, and we've never done it – it has also never been a dealbreaker. If it is, I'd be very suspicious of that deal.
It sounds like they want to understand how an algorithm came to it's decision. If I were in your position, I would ask if rule extraction would satisfy their needs.
If you agree, this may mean no investor will be serious with you after that (you've shown your internals to lots of other people). Use that as an excuse to say no.
Depending on what they're reason is, it may be satisfactory to have the code looked at by a qualified 3rd party (with proper NDAs all-ways).
Can you write a methodological doc in LaTeX, detailing general algorithmic choices, without giving away your secret sauce?
There are a lot of interesting posts in this thread, but if your Spidey-senses are tinging, pay attention to them.
If my memory serves me right, This is exactly how Microsoft stole Apple's code in the early days
Easy: Make them pay for the privilege, based on how much you think it’s worth you to NOT show them.
we wanted to see our supplier's source code to use their api as their documentation seemed lacking, they asked us sign an nda that if broken would cost us a lot of money. all of a sudden we found their api sufficient to do what we needed to do.
Sure, access to the source is acceptable if they're offering to buy you out.
You should consider hiring the services of a Software Escrow firm.
Do you ask to see Microsoft Windows source code. Well, then that.
"If you want to see our source code then acquire us."
1) Yes. I would say "no". 2) Not very. 3) Yes, but they are not likely to be effective or easy to enforce.
If they want to look at it badly enough they can buy it.
If it is amazon, take a pass
My 2c as someone who works on the enterprise side of these requests:
There are a couple of reasons reasons we might ask to look at your code:
1. While not a reason to look at your code, instead, if we don't have a valid reason to look or don't have access to technical resources either internal or via external consultants who we are fairly confident could build whatever the software is we are buying given time and resources then we DO NOT WANT TO SEE YOUR IP. This goes as far as shell scripts vendors use for stuff that we don't particularly care about. If they leave them on our boxes we make sure we destroy the data. If the company is worth 50bn then there is it a very small chance their about to make a huge pivot to your particular niche and therefore need your code to solve a problem. The reason companies buy software is because they don't want to pay people to maintain it and in addition they DEFINITELY don't want to get sued for looking at your code. So for no other reason than legal repurcussions you can probably trust them not to do anything sketchy. (Disclaimer: small business units do sometimes go rouge. Make sure youre talking to someone who understands the company wide impacts of fucking this up)
2. If the code is going to be used in sensitive environment (ie. Air gapped networks) we may want to scan for both destructive malware dependencies or just bad code that intentionally or unintentionally might damage systems. Also you would be amazed how many vendors build hooks to call out to the internet in standalone software packages that they "certify" for offline use.
3. If we need to build a bunch of integrations ourselves (ie you would be useless to us in so far as needing to understand legacy core banking systems and the like and therefore are not helpful with your knowledge of the code base, we need someone with knowledge of both code bases at a fairly low level) then depending on the size of the code base we might ask for all of it or just all the external interface implementations. Not the definitions. The actual code.
4. If you are a small company it is not unlikely that we will negotiate a clause which says that if you disappear or all your developers die or whatever, then we are allowed to internally use your code base to build our own stuff since we will end up with dependencies on it and will want to make sure we can still function without you (this is obviously not ideal, we would rather throw money at you to make problems go away, but if you aren't a business any more then we just have to hire people to do it) I actually heard a colleague working at a competing bank in Australia tell me that their agreement with hashicorp gives them ownership of consul enterprise code base for use internally if hashicorp disappears. You just need to make sure your lawyers and on this properly to make sure you clearly define the circumstances in which the large companies expectations of you maintaining the code are no longer met and therefore they can do it if they need to.
5. If we just don't trust you to not be hiding some black magic bullshit behind the scenes. This is usually the result of particularly uninformed sales people making claims that cannot technically be true, and thus out due diligence require that we handle it ourselves. It's also much more likely that we will recommend a bunch of software auditing companies we have used and we trust to audit the code base for us, just so we don't have the liability of your IP in our heads.
6. If we have government financial institution regulations which apply to the thing we want to use your software for and we are required to check of sign off the risk. As an example, an Australian bank running things on cloud platforms that hook back into traditional on prem systems it is mandatory without exception that all data at rest or in flight be encrypted. We trusted a large software company on this and only when we had auditors sniffing traffic over the network did we discover that major data intensive operations relating to backup integrity decrypted everything and then pumped it over the wire between instances using HTTP at which point we where $6m deep in licensing fees so we had a few very difficult conversations about "fix it or fuck off and pay us substantial reparations" because we suddenly needed a lot of technical lawyers (who ate as rare as hens teeth) to explain what had happened to avoid fines that could have cost literally billions.
Summary: there are a bunch of reasons a company might want to see your code. If the person you are talking to is speaking on behalf of the whole organisation (ie. They understand broader business implications of doing anything shady) then you're almost definitely safe. If your a bit on the fence about the whole thing, get a third party auditor in, but the request itself is pretty reasonable.
This is the untold story about Nothing Real (the original Shake developers), Apple, Steve Jobs, Disney, and the shake source code...
NR developed shake, and when bigger studios started using it, they wanted access to the source code. Disney was one customer who paid to put shake's source code into escrow, with a stipulation that if NR ever went under or got acquired, they could pull it out of escrow and build shake (on Linux) themselves.
Enter Steve Jobs and Apple, who viewed shake as an asset that could help push studios towards Mac OS X, and away from SGI and upstart Linux which was steadily taking SGI's high-end CG market. When Apple acquired Nothing Real, Steve wasn't at all happy with the animation studio's CTO who decided to exercise their contract and pull the shake code out of escrow.
Disney ported shake to amd64 Linux and continued to use and extend it all the way until Tangled (2008), and while it's not their main workhorse compositor these days, shake still runs today, despite Apple's best efforts to kill it ;-). To Apple's credit, they eventually realized that shake's source code was not really that big of an asset, so they offered a deal at one point where studios could pay (50k+?) to get access to the source code. Many studios payed.
Having compared the NR sources to the Apple sources, quite a bit of work was done to put in PPC-specific assembly and performance optimizations (e.g. optimizing for G5's cache sizes) into Darwin-specific #ifdefs.
One takeaway from this story is that the "big" customer (Disney) in this case was not at all interested in stealing IP. They were an animation studio and their core product was something not-software. If the customer in your case is in a closer space, it's a different calculus.
The customer's viewpoint was more of being able to decide their own fate in the event of the company going away. And it turns out, those things did happen, so having the deal in place was a good thing for the customer. Likewise, Nothing Real made out very well in all of this, as they got paid by Disney (among others), and later acquired by Apple who really didn't care enough about the pre-existing contracts to not acquire them.
One protection in the contract was that it only allowed for the studio to produce binaries for themselves, but not distribute them. A practical consequence of this is that Disney could not share shake binaries with Pixar, and while Pixar had also purchased a source license from Apple, Disney could only share (git format-patch) patches with Disney's changes. I really wish we could have open sourced the shake source code, even for historical purposes. Apple still can.
Make sure the deal is reasonable and there shouldn't be any problems. If you don't trust the company then maybe you shouldn't take them on as a client, but otherwise a reputable company will be very willing to keep things as friendly as your lawyers can get them to be. Having a good lawyer is key.
Regarding copy-pasting your code -- in shake's case, having the source code was really helpful for plugin development. Maybe consider ways to help customers leverage actually having the source code. Making the system plugin-able is a great way to do that, as customers mostly want to customize stuff, and plugins are a great way to get customers "deeply integrated" (aka locked) into your ecosystem.
1) yes but was more than algorithms 2) If you're not realistic and being stupid with yourself and look at the amount of money that the industry has there's ($50bn) no legitimate way if I were to see your code would not steal it because I have "UNLIMITED RESOURCES". I'll first try using scare tactics of pulling out of the contract then if it's not good and I really want it I'll try putting you in a binding contract and litigated out of court and three by the time you realize all the shit that's happened to you you'll be with your head stuck up in to you know where writing a pity log post. Whining about how the deal of a lifetime got away. 3) If a lawyer tells you that they can find a way to bind them in the contract they must have actual software experience must be experienced for 10+ years and must know IP patent law. (Last I checked you're not KKR). If you don't want to believe what I'm telling you just look at the cases Java oracle case comes to mind so that the android source code and so does. Plenty of others.
SOLUTION: 1) DON'T BE A CUCKMINDED i.e. not Antifragile. 2) There's five of you so some of you might agree some of you might not you have to be joint in your decision and equally around because if you're not that's a weak link. THE ANSWER MUST BE NO AND SAID ASTUTELY. "NO" COMING FROM ALL OF YOU IN DIFFERENT WAYS THAT YOU'RE ABLE TO COMMUNICATE. Where's case scenario if the industry has 50 billion I don't think you should have a hard time finding another potential even bigger customer in this field. (Speculation You're in the insurance business)
Other legal criteria: They may try coercing you as far as compliance and legal statutory, regulatory factors are concerned to say that they want to see the source code. In that case you can find a third-party which you should do a lot of homework on unbiased arbitrator To have a look at. By the way you should put this in the contract if it ever arises and by the size of the company that you're referring to it sounds like that would be something I would do. If it's your crown jewel protect it simple.
Historical relevance: Look at how the shell company was formed in order to compete with standard oil and how Rockefellers ROSE there was no sharing going on.
PS your welcome, pass it on.
And the only thing you need to know about the law is if I have enough resources the law doesn't matter and that's a fact in this country particularly when it comes to huge sums of money & tech. It's nascent and it's not really understood by a bunch of 80-year-old judges.
With regards to the following comments please save that shit for your grandma I really don't care I don't even want an opinion and no I'm not gonna be answering to this comment.
All five must be on board with this decision
1) yes but was more than algorithms 2) If you're not realistic and being stupid with yourself and look at the amount of money that the industry has there's ($50bn) no legitimate way if I were to see your code would not steal it because I have "UNLIMITED RESOURCES". I'll first try using scare tactics of pulling out of the contract then if it's not good and I really want it I'll try putting you in a binding contract and litigated out of court and there by the time you realize all the shit that's happened to you you'll be with your head stuck up in to you know where writing a pity blog post. Whining about how the deal of a lifetime got away. 3) If a lawyer tells you that they can find a way to bind them in the contract they must have actual software experience must be experienced for 10+ years and must know IP patent law. (Last I checked you're not KKR). "Yes I'm No I wont accept work" If you don't want to believe what I'm telling you just look at the cases Java oracle case comes to mind so does the android source code and so on. Plenty of others.
1) DON'T BE A CUCKMINDED i.e. not Antifragile.
2) There's five of you so some of you might agree some of you might not you have to be joint in your decision and equally around because if you're not that's a weak link. THE ANSWER MUST BE NO AND SAID ASTUTELY. "NO" COMING FROM ALL OF YOU IN DIFFERENT WAYS THAT YOU'RE ABLE TO COMMUNICATE. Where's case scenario if the industry has 50 billion I don't think you should have a hard time finding another potential even bigger customer in this field. (Speculation You're in the insurance business)
Other legal criteria: They may try coercing you as far as compliance and legal statutory, regulatory factors are concerned to say that they want to see the source code. THIS IS ALL BULLSHIT TACTICS IT REALLY DOESN'T MATTER IF THEY TELL YOU SOMETHING ABOUT RACE AND DEMOGRAPHICS THAT JUST MEANS YOU HAVE A REALLY DUMB LAWYER ALL THESE ACCUSATIONS ARE BEATABLE DEPENDING ON PLAUSIBLE DENIABILITY AND THE WAY THAT THE ALGORITHM HANDLE IT AT THE TIME BESIDES NO ONE UNDERSTANDS IT. (Remember if it's not inherently and deliberately made by you & the "can pewter" made the decision i.e. the algorithm Made that presumption. there's really not shit that they could do to you).
In that case you can find a third-party which you should do a lot of homework on unbiased arbitrator (NO BIG FIRM WHITE SHOEBOX PROFESSIONAL SERVICE THAT THEY WOULD QUERY WHATEVER CODE THEY NEED THAT'S JUST A FANCY WAY OF HAVING SOMEONE ELSE DO THE STEALING FOR THEM)
To have a look at.
By the way you should put this in the contract if it ever arises and by the size of the company that you're referring to it sounds like that would be something I would do.
If it's your crown jewel protect it simple.
OPEN SOURCE LICENSE OR NOT THE PROBLEM WITH A LOT OF START UPS NOWADAYS IS THEY TRY TO BALANCE MORALITY WITH BUSINESS WELCOME TO THE NEW WORLD. Just because they make you feel bad doesn't mean that it's really bad.
Historical relevance: Look at how the shell company was formed in order to compete with standard oil and how Rockefellers ROSE there was no sharing going on.
PS your welcome, pass it on.
And the only thing you need to know about the law is if I have enough resources the law doesn't matter and that's a fact in this country particularly when it comes to huge sums of money & tech. It's nascent and it's not really understood by a bunch of 80-year-old judges. Even the young ones don't.
With regards to the following comments please save that shit for your grandma I really don't care. I don't even want an opinion. And No I'm not gonna be answering to this comment.
All five must be on board with this decision
Your attestation in a contract should be sufficient. They wouldn't ask Microsoft or sales force to do this..
Are they worried about license compliance and afraid that they may get sued for AGPL/propitiatory license violation?
Are they afraid of malware, security holes in the third party libraries you might be using?
Ask if running the source code through well known license compliance or vulnerability scanner and then sharing the reports from such scans with them be enough.
How many total paying customers do you hope to sign? If the count is 100, you have negotiation room, if the count is 2, then you don't have much choice.
Ask if they would be open to signing three to five year license agreement up front, that gives them access to do source code audits. Ask if the would be open to buying your IP outright with two years of guaranteed employment with them (You won't leave them for two years, rendering their investment useless).
>Are there any legal protections we can put in place to prevent them from not just copy-pasting our code, but also from "learning from it" or so?
A 50+bn dollar business can't hire people that can't "learn" what you have on their own, without looking at your source code? Forget about it. Let's say that they take your feature set and put it in front of their PhD ML crew, do you think you have something that the PhDs can't produce? How about they put it as a requirement in front of their ML interns fresh out of college? US doesn't allow process patents, as far as I know, you can try patents. But I don't know if suing your customers would get you more future customers.