Can a Software Publisher Force You to Audit Your Customers?

Many software-solution vendors utilize third-party infrastructure or application programs as frameworks for embedded solutions that they sell to their customers and install on their customers’ computers. Licenses for those third-party products typically can be acquired by a vendor and passed to its customers pursuant to the terms of an Independent Software Vendor (ISV) or Original Equipment Manufacturer (OEM) license agreement. Under those agreements, the third-party publisher often receives a set fee based on the number of licenses for its software that are distributed to the vendor’s customers. This licensing model is a relatively old one in the software world, but it is one that retains a number of pitfalls for unwary solution vendors.

One of the most significant problems that can arise is associated with the audit clause in the ISV or OEM agreement. Almost all such agreements require the vendor to agree to periodic audits of its records to ensure that the number of licenses sold to customers is equal to the number of licenses for which the publisher received payment. Those kinds of audits typically are not a huge problem for most vendors. However, many of those agreements also either expressly or arguably require the vendor to obtain information regarding the then-current usage of the licensed products on its customers’ computers. Especially with regard to those agreements where such end-user audit rights are not clearly announced (of which IBM’s ISV and OEM agreements are notoriously excellent examples), demands to audit a vendor’s customers often are received with shock by the vendor’s audit team.

Given that fact, it is absolutely critical for vendors contemplating or using such agreements to have a firm grasp of the following:

  1. What does the license agreement say?

Vendors should be intimately familiar with all of the terms of their license agreements, but especially with the terms pertaining to audits. Before signing such agreements, any ambiguities regarding the potential for customer audits need to be resolved with clearly-defined obligations in the license agreement. If that is not possible, or if the agreement is already signed, then the vendor should interpret any ambiguous terms to require customer audits and should take steps to ensure that it is able to comply with those terms. It may make sense to fight about a poorly-defined audit obligation during an audit, but the company nevertheless should be prepared to comply in the event that the publisher is unwilling to back down. (Keep in mind that some agreements of this type give the publisher the right to terminate all licenses ordered under the agreement in the event of non-compliance by the vendor. That right represents immense bargaining power in the event of a dispute.)

  1. What do the customer agreements say?

If a license agreement with a software publisher opens the door to customer audits, then the next step is to determine to what extent the vendor’s agreements with its customers can accommodate such activity. To the extent possible, the vendor needs to take steps to ensure that those agreements give the vendor the right to gather any information required by the vendor’s agreement with the software publisher. Many OEM or ISV agreements also include a laundry-list of required terms addressing subjects other than audits that must be included in a vendor’s customer agreements. The absence of such terms from those agreements can compromise a vendor’s ability to comply with a publisher’s audit demands and, therefore, can jeopardize the vendor’s ability to continue using the publisher’s products.

  1. How can the information be collected from customers?

If the publisher agreements require it and the customer agreements allow it, the final step is to determine how relevant deployment information may be collected from end users. In some cases, it may be feasible simply to require end users to ensure that any computers running the software in question are connected to the Internet and made available to the vendor for data-collection activities. However, that kind of a requirement may not be realistic for solutions marketed to certain industries – such as health care or finance – where regulatory or best-practices requirements effectively may prohibit the maintenance of such “back doors.” A better solution for most vendors would be to include terms in customer agreements (A) that permit the vendors to disclose any information in their possession regarding their customers’ usage of software licensed from third-party licensors, if requested by those licensors, and (B) that obligate the customers to provide reasonable assistance and information regarding their usage of any products licensed from any such third-party licensors. Those terms also should be in addition to any audit terms in the vendor’s favor (so that its ability to protect its intellectual property is not negatively affected by the audit activities of its licensors), and they should specify that the customers agree to pay any additional fees that may be required if their usage of the third-party software is in excess of agreed limits.

We strongly recommend that any solution vendors consult with legal counsel, both before entering into any ISV or OEM agreements, as well as immediately upon receipt of any audit-notice letters received from software publishers pursuant to any such agreements.