Who Owns Your Code? How to Protect Your IP When Hiring a Software Development Agency

One in four businesses never outsources critical software because they fear losing their intellectual property. That fear is often justified — and almost always preventable. Here's what you need in place before a line of code is written.


The Default That Catches Founders Off Guard

Most business owners assume they own what they pay for. In software, that assumption is wrong.

Under U.S. copyright law, and the equivalents in most of Europe and the UK, copyright in code vests in its author, or in the author's employer when the code is written in the course of employment. It does not vest in the person who commissioned it, funded it, or had the idea. An agency or contractor is not your employee, so unless your contract explicitly includes an IP assignment clause that transfers ownership to you, the agency retains the intellectual property rights to everything it builds.

This isn't a loophole agencies exploit maliciously. Many smaller agencies simply don't have standard IP assignment language in their contracts. The issue doesn't come up — until it does. And it most commonly surfaces during due diligence for a funding round, an acquisition, or a pivot — exactly when you can least afford surprises.

Industry research consistently finds that around 25% of companies cite IP risk as a primary reason they don't outsource critical software development at all. That's a massive number of businesses foregoing access to outside talent, faster timelines, and specialized expertise — not because outsourcing is inherently risky, but because the legal mechanics are misunderstood.

Key Takeaways

  • Copyright defaults to the developer, not the client, in the U.S. and most of Europe
  • This applies to code, API integrations, the implementation of custom algorithms, UI designs, and documentation
  • The gap most often surfaces during investor due diligence — when it's too late to fix cleanly

The Four IP Risks in Every Outsourcing Engagement

The copyright gap is just the starting point. Here are the four risks that every decision-maker should understand before signing a contract with a software agency.

Risk 1: No IP assignment clause. The contract is silent on ownership. The agency builds your product. You receive a working application — but the underlying codebase legally belongs to them. If the relationship deteriorates, they can technically restrict your access to what you paid for.

Risk 2: Uncontrolled subcontracting. Many agencies use freelancers or sub-agencies for parts of a project — design, QA, specific integrations. If those subcontractors aren't bound by the same IP agreements as the primary vendor, anything they contribute exists in a legal gray zone. You may not own those components at all.

Risk 3: Reused code without disclosure. Agencies commonly maintain internal libraries, templates, and reusable modules to work faster. When those components end up in your product, your so-called custom software may be sharing infrastructure with dozens of other clients — or inheriting open-source licensing obligations you don't know about.

Risk 4: Data handling without a processing agreement. If your development partner accesses customer or employee data during development or testing, and they almost always do, without a signed Data Processing Agreement (DPA), you may be in violation of GDPR or CCPA regardless of what your own privacy policy says. Where you can, give the agency synthetic or masked test data instead of production records; where real personal data is unavoidable, the DPA must be in place before they touch it.

Key Takeaways

  • Ask for a full list of third-party tools, libraries, and subcontractors used in your build
  • Open-source components must be reviewed for licensing compatibility. Copyleft licenses (the GPL family) can require you to release your own source under the same terms if you distribute the combined work, and AGPL extends that obligation to software offered over a network; a component with no declared license at all is just as much a problem, because you have no permission to use it
  • If you handle EU customer data, a DPA is legally required before any testing involving real data
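One practical way to do the library and license review the takeaways above call for is to ask the agency for a software bill of materials (SBOM) at each handover and run it through your license policy. The script below is an added example, not code from this article or from StepTo. It assumes the SBOM is CycloneDX JSON (each component's `licenses` entries carry either `{"license": {"id": "<SPDX id>"}}` or `{"expression": "..."}`) and that your policy allows permissive licenses only; the SBOM, the policy buckets and the component names are constructed for the example.

```python
"""Flag copyleft and undeclared licenses in a CycloneDX-style SBOM.

Added example, not code from the article or from StepTo. Assumes a
CycloneDX JSON SBOM whose components[].licenses[] entries carry either
{"license": {"id": "<SPDX id>"}} or {"expression": "<SPDX expression>"}.
The SBOM and the policy buckets below are constructed for the example.
"""
import json

# Policy buckets keyed by SPDX identifier (assumed policy for this example).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}

# Higher rank = more restrictive. "unknown" is worst: no license means no permission.
CATEGORY_RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
                 "network-copyleft": 3, "unknown": 4}

# Constructed SBOM standing in for the one the agency would hand over.
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "ghostscript-wrapper", "version": "0.4.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "readline-bindings", "version": "2.0.0",
         "licenses": [{"expression": "GPL-3.0-or-later OR MIT"}]},
        # Agency-internal library shipped with no license at all.
        {"name": "internal-ui-kit", "version": "7.2.0"},
        # Free-text license name, not an SPDX id: cannot be evaluated automatically.
        {"name": "pdfkit-pro", "version": "3.1.0",
         "licenses": [{"license": {"name": "Proprietary - see LICENSE.txt"}}]},
    ],
})


def classify(spdx_id):
    """Map a single SPDX identifier to a policy category."""
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in NETWORK_COPYLEFT:
        return "network-copyleft"
    return "unknown"


def classify_expression(expr):
    """Classify an SPDX expression.

    Simplification: a pure OR expression lets you pick the friendliest
    license, so it takes the best category; anything containing AND takes
    the worst. 'WITH <exception>' tokens are skipped (exceptions only relax
    the base license). Nested parentheses are flattened.
    """
    tokens = expr.replace("(", " ").replace(")", " ").split()
    ids, skip_next = [], False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok.upper() == "WITH":
            skip_next = True
            continue
        if tok.upper() in ("AND", "OR"):
            continue
        ids.append(tok)
    cats = [classify(i) for i in ids]
    if not cats:
        return "unknown"
    has_or = any(t.upper() == "OR" for t in tokens)
    has_and = any(t.upper() == "AND" for t in tokens)
    if has_or and not has_and:
        return min(cats, key=CATEGORY_RANK.__getitem__)
    return max(cats, key=CATEGORY_RANK.__getitem__)


def component_category(component):
    """Return (worst category, human-readable license label) for one component."""
    entries = component.get("licenses") or []
    if not entries:
        return "unknown", "no license declared"
    worst, labels = "permissive", []
    for entry in entries:  # several entries are treated as all applying
        if "expression" in entry:
            cat, label = classify_expression(entry["expression"]), entry["expression"]
        else:
            lic = entry.get("license", {})
            label = lic.get("id") or lic.get("name") or "?"
            cat = classify(lic["id"]) if "id" in lic else "unknown"
        labels.append(label)
        if CATEGORY_RANK[cat] > CATEGORY_RANK[worst]:
            worst = cat
    return worst, "; ".join(labels)


def review_sbom(sbom_json, allowed=("permissive",)):
    """Return a finding for every component whose license falls outside policy."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        cat, label = component_category(comp)
        if cat not in allowed:
            findings.append({"component": f"{comp.get('name')}@{comp.get('version')}",
                             "category": cat, "license": label})
    return findings


if __name__ == "__main__":
    for f in review_sbom(CONSTRUCTED_SBOM):
        print(f"{f['component']:<28} {f['category']:<18} {f['license']}")
```

Run against the constructed SBOM, the review flags the AGPL component, the agency library with no declared license, and the component whose license is a free-text name rather than an SPDX identifier; the dual-licensed `GPL-3.0-or-later OR MIT` component passes because you may take it under MIT. Anything in the "unknown" bucket is a question to put back to the agency, not something to wave through.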

Four Agreements You Need Before Development Starts

These aren't optional extras for large enterprises. They're the baseline for any serious outsourcing engagement, regardless of project size.

Non-Disclosure Agreement (NDA). Covers your business concept, technical specifications, user data, and any proprietary processes you share during scoping. Sign this before you share anything — including your discovery call notes. A credible agency will sign without friction.

IP Assignment Agreement. Explicitly transfers all intellectual property rights — code, designs, documentation, trade secrets — to you upon delivery and final payment. This is separate from an NDA. If an agency resists including this clause or offers vague language like 'works made for hire,' treat it as a negotiation failure that requires resolution before signing.

Source Code Escrow (for long-term or mission-critical engagements). A code escrow arrangement deposits your source code with a neutral third party, releasing it to you if the agency ceases operations, enters insolvency, or becomes unresponsive for a defined period. For multi-year partnerships or business-critical systems, this is standard practice.

Data Processing Agreement (DPA). Required under GDPR Article 28 whenever a third party processes personal data on your behalf. This covers all development and testing phases, not just production. U.S. state equivalents (CCPA, VCDPA) have similar requirements.

Key Takeaways

  • An NDA protects your ideas during conversations; an IP assignment protects ownership of the output — you need both
  • Have your own legal counsel review these documents, not just the agency's templates
  • Reputable agencies will have standard versions of all four ready to share during the scoping phase

Questions to Ask During the Sales Process

The conversation before you sign is the best time to surface an agency's IP practices. Good agencies have been asked these questions before and have clear, confident answers.

Ask: Does your standard contract include an IP assignment clause that transfers all rights to us on final payment? The answer should be yes, with the specific clause available to review.

Ask: Do you use internal code libraries or reusable components in client projects? If so, how are those licensed? There's nothing wrong with using libraries — but you need to know what's in your codebase.

Ask: Do you use subcontractors or freelancers? Are they under NDA and IP assignment with you? The answer should be yes to both, and they should be able to show you the standard agreements.

Ask: What does your offboarding process look like — specifically, how do we receive the full codebase, credentials, and documentation? This question reveals whether the agency has thought through the end of the engagement or assumes they'll retain access indefinitely.

An agency that hesitates, gets defensive, or gives vague answers to any of these questions is telling you something important about how they operate — and about what to expect if the relationship becomes difficult.

Key Takeaways

  • Ask about offboarding at the beginning — not after problems emerge
  • Request to see a redacted version of their standard contract before engaging
  • Agencies with strong IP practices are typically faster to answer these questions, not slower

Red Flags That Signal IP Problems Ahead

Beyond the legal documents, behavior during the sales and onboarding process is a strong signal of how an agency treats IP in practice.

They're reluctant to sign an NDA before discovery. Any credible partner will sign a mutual NDA before you share project details. Reluctance here, or excessive negotiation over standard NDA terms, suggests they either don't have a standard process or are protective of something you should know about.

Their contract uses 'works made for hire' language without explicit IP assignment. Works-for-hire doctrine is narrowly defined and more complex than it sounds: under U.S. law, a work by a non-employee is made for hire only if it falls into a short list of statutory categories, and custom software is not one of them, so the label alone may transfer nothing. Explicit IP assignment, 'all intellectual property created under this agreement is assigned to the client', is what you need.

They can't give you a straight answer about subcontractors. A transparent agency knows exactly who they work with and can confirm those parties are under appropriate agreements.

They retain admin access to your infrastructure, code repository, or domain 'for convenience.' You should create and own the root or owner accounts for your cloud provider, your GitHub organization, and your domain registrar, with multi-factor authentication enrolled on devices you control, and grant the agency named, scoped, revocable access into them. A responsible agency works inside accounts you own; it does not host your product inside accounts it owns and promise to hand them over later.

There's no defined handover process. If an agency can't describe exactly what you receive at the end of the engagement — in what format, through what transfer mechanism, and when — that ambiguity is intentional.

Key Takeaways

  • You should own the root/owner accounts for AWS/Azure/GCP, GitHub, and your domain registrar, with MFA on your own devices; the agency's access should be through named identities you can revoke, and you should verify this before work begins
  • Always confirm that your agency's subcontractors are bound by the same IP and NDA terms
  • IP assignment and credential handover should be conditions of final payment, not afterthoughts

The Bottom Line

IP concerns stop one in four business owners from outsourcing critical software development. For many of the rest, these risks go unaddressed until they surface at the worst possible moment. The fix isn't complicated — it's contractual, and it has to happen before development starts. If you're evaluating software development partners and want to see exactly how we handle IP ownership, NDA agreements, and credential handover, we're happy to share our standard engagement agreements before any commitment is made. No pressure, no sales pitch — just the documentation you need to make a confident decision.

Building a team in Eastern Europe?

StepTo helps European and US companies build senior-led nearshore engineering teams in Serbia. Let's talk about what your next engagement could look like.


Written by

Igor Gazivoda

Co-founder & CEO · StepTo

Igor has 15+ years in software engineering and business development. Former CTO at a Series A fintech startup, he specializes in scaling engineering teams, nearshore strategy, and AI-driven product development. He holds a Master's in Computer Science from the University of Belgrade and has published on distributed systems architecture.

LinkedIn →