Partner Selection5 min

Who owns the code? IP and exit clauses in outsourcing

You paid for the code. That does not mean you own it. In most jurisdictions, copyright in software defaults to the party that wrote it — not the party that funded it — unless a written agreement says otherwise. If you are buying a $100K+ build, IP ownership in software outsourcing is not a legal footnote. It is the asset.

This post is general information, not legal advice. Have a lawyer in your jurisdiction review your actual contract.

The default rule works against you

Who owns the code in outsourcing? Absent a written assignment, usually the vendor.

  • US. The "work made for hire" doctrine covers employees automatically. Independent contractors — which is what an agency is — are covered only in narrow statutory categories, and custom software rarely fits cleanly. Without an express written assignment, the contractor typically retains copyright and you get, at best, an implied license of uncertain scope.
  • EU. Copyright vests in the author by default, and the work-for-hire concept is weaker or absent in most member states. Moral rights complicate things further: in some jurisdictions they cannot be assigned at all, only waived or not asserted. An assignment clause drafted for Delaware does not automatically survive contact with French or German law.

The practical consequence is the same on both sides of the Atlantic: if your contract does not contain explicit assignment language, you may own an invoice history and nothing else.

Assignment language that actually works

You do not need twenty pages. You need a few precise commitments:

  • Present-tense assignment. "Contractor hereby assigns" — not "agrees to assign." Future-tense promises require a second act that may never happen.
  • Everything, everywhere. All work product: source, configs, infrastructure-as-code, schemas, documentation, designs, test suites. Worldwide, irrevocable, including the right to sue for past infringement.
  • Moral rights handled. A waiver where enforceable, a covenant not to assert where not. This matters more in the EU than the US.
  • Pre-existing IP carved out and licensed. Every serious vendor brings internal tooling and libraries. That is fine — but the contract must license anything embedded in your deliverables, perpetually and royalty-free. A deliverable you own that depends on a tool you don't is a deliverable you don't control.
  • Open-source disclosure. You want a manifest of third-party licenses. A copyleft dependency in the wrong place can compromise the value of everything around it.

The timing red flag

Among software development contract red flags, one deserves its own section: ownership conditioned on final payment — or worse, on "completion of the project."

It sounds reasonable. It is a trap. Projects end early. Scope disputes happen. Vendors get acquired or go under. If assignment triggers only at the end, then during a mid-project dispute the vendor owns everything and your leverage is zero. The fair structure: IP assigns continuously as work is created, and the vendor's remedy for non-payment is a payment claim — not a hostage.

If a vendor resists per-sprint or continuous assignment, ask why. The honest answer is usually "leverage." That tells you what the relationship will feel like when something goes wrong.

Paper ownership vs. operational control

A perfect assignment clause is worthless if the vendor holds the keys. Ownership on paper and control in practice are different things, and buyers routinely secure the first while ignoring the second. Check who controls:

  • The repositories. Code should live in your GitHub/GitLab org from day one, with the vendor as a collaborator you can revoke. Not the other way around.
  • The cloud and SaaS accounts. AWS, domain registrar, DNS, monitoring, error tracking, app store listings. Every account should be rooted in your organization with your billing.
  • The documentation. Architecture decisions, runbooks, environment setup. If it lives in the vendor's Notion, it is not yours in any way that matters at 2 a.m. during an incident.
  • The pipeline. CI/CD definitions checked into your repo, secrets in your vault. A deploy process that only works from the vendor's laptop is a dependency, not a deliverable.

Common lock-in mechanisms are rarely sinister and often just sloppy: vendor-owned repos, proprietary internal frameworks woven through your codebase, undocumented deploy rituals, credentials that live in one engineer's password manager. Sloppy or sinister, the effect is identical — switching costs that convert into pricing power at renewal. We wrote more about how vendor incentives shape these structures in dev agency vs. product studio.

Exit clauses: plan the divorce while you're friendly

Every engagement ends. Good contracts make the ending boring:

  • Termination for convenience with a defined notice period, so you are never trapped in a failing engagement.
  • Handover obligations that survive termination: credentials, documentation, license manifests, and a working build delivered within a fixed window.
  • Paid transition support — a capped block of hours to onboard your team or a successor. Paying for it is fair; it also makes the obligation enforceable rather than theoretical.
  • No deletion without instruction, paired with GDPR-compliant data return or destruction, certified in writing.

If a vendor's contract has no exit mechanics at all, that is not an oversight. That is the business model.

How we structure it

Our position at Binari is simple, because we think anything else is a red flag we would flag in someone else's contract:

  • Full IP assignment from day one. Present-tense, continuous, not conditioned on final milestones.
  • Your repos, your cloud accounts, from the first commit. We work inside your organization; you can revoke our access in one click. During development we often host staging on our managed on-premise infrastructure to keep your cloud burn low — but everything is containerized from day one and CI/CD promotes to your AWS/GCP/Azure at launch, so there is nothing to migrate off of.
  • Weekly demos and a fixed-fee discovery sprint first, so you are never more than a few days from a working, inspectable state of your own asset.
  • NDA on request, GDPR-compliant data handling as standard for our US and EU clients.

We would rather win the next engagement on merit than on switching costs.

Buying a significant build this year? Send us your draft contract — we will tell you within one business day whether the IP terms would survive our own red-flag list.

Hamza Dastagir

Founder of Binari Digital. Builds and incubates production platforms — AI systems, data infrastructure, and payment rails for tokenized assets.

More from Hamza
Back to the blog

Building something
like this?

We write about what we ship. Bring us what you're shipping.