IP Protection When Outsourcing Software: Clauses You Cannot Skip

IP protection when outsourcing software: the work-for-hire trap, moral rights, open source risk, escrow, AI code, and a 12-clause contract checklist.

Date Published:

By

MONA Global

Direct answer: Protecting your IP when outsourcing software comes down to five contract terms: an explicit IP-assignment clause (not "work for hire," which rarely applies to custom code), an NDA signed before discovery that flows down to every subcontractor, disclosure of any open-source components, unconditional handover of source code and credentials, and a named, enforceable dispute-resolution forum. Miss one, and ownership stays arguable.

This article is general information to help you brief your own lawyer before signing an outsourcing contract. It is not legal advice, and nothing here substitutes for review by qualified counsel in your jurisdiction and the vendor's.

Why "We'll Handle the IP" Is the Riskiest Line in an Outsourcing Pitch

Most outsourcing IP disputes do not start with theft. They start with a contract that assumed ownership would sort itself out: an unsigned NDA, a "we'll assign it later" clause, an unvetted subcontractor, an undisclosed open-source package. By the time it matters, the product is live or the vendor is gone, and the buyer discovers "the client owns everything" was never written down in a way a court or arbitrator would enforce. Every clause below exists because a real deal got stuck on exactly that gap.

Work-for-Hire vs. IP Assignment: The Clause Most Contracts Get Wrong

Direct answer: "Work for hire" and "IP assignment" are not interchangeable, and most custom software does not qualify as work for hire at all. An assignment clause, written in the present tense ("Contractor hereby assigns"), is the only reliable way to transfer ownership of code built by an outsourced team, whether the vendor is a company, a subcontractor, or a freelancer.

Under US copyright law, an employee's code is automatically owned by the employer. An independent contractor's code is not, unless it fits one of nine narrow statutory categories, a contribution to a collective work, a translation, a compilation, an instructional text, and so on. Ordinary custom software written from scratch generally does not fall into any of them, which is why courts have repeatedly found that simply labeling a development agreement "work made for hire" does not make it one (source: CCB Journal — The "Work For Hire" Doctrine Almost Never Works In Software Development Contracts; Willcox Savage — Use the Magic Words: Ownership of Code).


Work-for-hire clause

IP assignment clause

Legal basis

Copyright Act's narrow statutory categories

Ordinary contract law, transfer of title

Works for custom software?

Rarely, most code doesn't fit the nine categories

Yes, applies to any code, any author

Risk if used alone

Ownership can default back to the developer if a court finds the category doesn't apply

Low, provided the wording is unconditional

Correct wording

Avoid relying on this alone

"Contractor hereby assigns, and agrees to assign," not "will assign in the future"

The wording detail matters as much as the clause type: an assignment that says the developer "agrees to assign" or "will assign" the rights implies the actual transfer happens later, through some additional step. If that step never happens, ownership legally never transfers (source: Willcox Savage, above). The safe pattern combines both: a present-tense assignment as the operative transfer, with a work-for-hire statement included only as a backup, never as the sole basis for ownership.

Moral Rights: The Protection an Assignment Clause Cannot Buy

Direct answer: Moral rights, the author's right to be credited and to object to distortion of their work, are separate from economic ownership and, in most civil-law jurisdictions including Vietnam, cannot be fully signed away even with a complete IP assignment. An assignment transfers who owns and exploits the code; it does not automatically transfer who is legally recognized as its author.

Vietnam's 2022 Intellectual Property Law, effective from January 1, 2023, protects computer programs as literary works and grants authors moral rights that include the right to be named, the right to decide when and how a work is first published, and the right to object to modifications that would harm their reputation. Except for the right of first publication, these moral rights are protected indefinitely and, with the narrow exception of the right to title a work, cannot be transferred by contract (source: Tilleke & Gibbins — The Trouble with Moral Rights in Vietnam, and a Possible Solution; Lexology — Moral Rights under the 2022 Intellectual Property Law of Vietnam).

In practice, this rarely blocks a buyer from freely modifying or relicensing code it paid for; the 2022 law explicitly allows authors and copyright holders to agree in writing on modifying or upgrading a computer program. But it does mean an assignment clause alone is not the full picture in a civil-law jurisdiction: pair it with written developer consent to future modification, and do not assume "we own the IP" also means "no individual developer retains any right connected to this code."

Where IP Actually Leaks: Subcontractors and Freelancers Inside the Vendor

Where IP Actually Leaks Subcontractors and Freelancers Inside the Vendor illustration

Where IP Actually Leaks: Subcontractors and Freelancers Inside the Vendor (AI-generated illustration)

Direct answer: IP assignment and NDA terms signed with a vendor company do not automatically bind the individual freelancers or subcontractors that vendor uses. Every layer between you and the person actually typing code is a place your protection can silently fail unless the contract explicitly forces it downstream.

An outsourcing company you contract with may itself route parts of the work to subcontractors or independent freelancers, especially under deadline pressure or on a specialized module. Without a flow-down clause binding every subcontractor to confidentiality and IP-assignment terms no less restrictive than your own, and holding the primary vendor liable for a subcontractor's breach, your protection chain has a gap you may not discover until a dispute forces you to ask who actually wrote the file and what they signed (source: SixFifty — Understanding Subcontractor Non-Disclosure Agreements). Ask directly, before signing: does the vendor employ its engineers or broker freelancers, and who is contractually liable if a subcontractor breaches the agreement?

Open Source in Your Deliverable: License Compliance and Contamination

Direct answer: Open-source components are in nearly every modern codebase, and license conflicts inside them are now the norm, not the exception. Without a disclosure and compliance clause, you can inherit copyleft obligations, such as being required to open-source your own proprietary code, without ever knowing an open-source dependency was there.

"Contamination" happens when a restrictively licensed component, most often something under the GPL family, gets mixed into a proprietary codebase, potentially subjecting the surrounding code to the same license's disclosure obligations. The 2026 Open Source Security and Risk Analysis report found that 68% of audited codebases contained open-source license conflicts, up from 56% the year before, with one extreme case surfacing 2,675 distinct conflicts in a single codebase (source: Black Duck — 2026 OSSRA Report). A vendor that doesn't track its dependencies has no way to warn you before a component like this ends up in your delivered software.

The contract fix: require the vendor to disclose every third-party and open-source component used, ideally a software bill of materials, warrant that none triggers copyleft obligations on your proprietary code without written consent, and indemnify you if that warranty is false. This is a standard clause in technology M&A due diligence, and an outsourcing contract deserves no less scrutiny than an acquisition would get (source: AcquisitionStars — Open Source Software Compliance in Technology M&A).

NDA Scope: Why "We Signed an NDA" Is Not Enough

Direct answer: A generic, one-page NDA signed after the first technical call protects almost nothing. The NDA needs to be signed before any discovery work, name what counts as confidential broadly enough to cover source code and business logic, and explicitly flow down to every subcontractor and freelancer the vendor brings in.

The most common failure is sequencing: teams share architecture diagrams, sample data, or even early code during a "discovery call" before any NDA exists, which means that information was never actually protected. Fix the order first: NDA before any technical discussion, not after a verbal agreement to work together. Then fix the scope: an NDA that only covers "materials marked confidential" misses everything shared verbally in a call, which is most of what actually gets discussed in early scoping.

Source Code Escrow: Insurance Against a Vendor That Disappears

Direct answer: Source code escrow places a copy of your code, and often build scripts, credentials, and documentation, with an independent third party, released to you automatically if the vendor goes bankrupt, shuts down, or stops meeting agreed support obligations. It matters most for long-running engagements where you depend on the vendor's continued existence to maintain software you don't fully hold in-house.

An escrow agreement defines specific release triggers, typically insolvency, abandonment, or a defined support-level failure, verified by the escrow agent rather than left to a dispute (source: Wikipedia — Source Code Escrow; Traverse Legal — What Is a Software Escrow Agreement). In the US, this is reinforced by the Intellectual Property Bankruptcy Protection Act, which stops a bankruptcy trustee from blocking a licensee's contractual right to reach escrowed materials it needs to keep using the software (source: CodeKeeper — Software Escrow for Vendor Risk Management). It matters less for a short project where you already hold the code at delivery, and a great deal for a dedicated team or Offshore Development Center run for years. See offshore software development for how the engagement model shapes what you need to protect.

Who Owns the Code When AI Writes Part of It

Who Owns the Code When AI Writes Part of It illustration

Who Owns the Code When AI Writes Part of It (AI-generated illustration)

Direct answer: In the US, purely AI-generated code without meaningful human creative input cannot be copyrighted at all, human authorship is required. When a developer meaningfully edits, selects, or directs AI output, copyright can attach to that human's contribution, and an ordinary assignment clause transfers it to you the same way it transfers hand-written code.

The US Copyright Office has held that AI cannot be an author, and the Supreme Court declined to revisit that when it denied certiorari in Thaler v. Perlmutter on March 2, 2026, leaving human authorship as settled law for now (source: U.S. Copyright Office — Copyright and Artificial Intelligence; MBHB — Navigating the Legal Landscape of AI-Generated Code). The practical risk: if a vendor delivers code that is substantially AI-generated with minimal human editing, you may not be able to enforce copyright over it against anyone, including a competitor who copies it. Require the vendor to disclose meaningful AI-assisted generation and confirm a named human materially reviewed and directed the output, both for enforceability and because AI output carries its own share of the open-source contamination risk above.

Enforcing Your IP Across Borders: Arbitration vs. Local Courts

Direct answer: A US or EU court judgment does not automatically enforce against a vendor with no assets in your country. For a Vietnam-based vendor, naming an arbitration institution, VIAC, SIAC, or HKIAC, in the contract, with a clearly scoped arbitration clause and a defined seat, gives you a real enforcement path; suing in your home court against a vendor with nothing to seize there usually does not.

Vietnam acceded to the New York Convention on recognition and enforcement of foreign arbitral awards in 1995, meaning a foreign award should in principle be enforceable in Vietnamese courts unless narrow exceptions apply (source: Watson Farley & Williams — Enforcement of Foreign Arbitral Awards in Vietnam). In practice, enforcement has been inconsistent: Vietnam's Supreme People's Court rejected 46% of foreign arbitral award applications between 2005 and 2014, and even a properly conducted SIAC arbitration has been refused by a Vietnamese court citing "fundamental principles of Vietnamese law," though the environment has grown more arbitration-friendly since a 2015 update to the Civil Procedure Code (source: Ant Lawyers — Arbitration in Vietnam: 7 Realities Foreign Companies Must Get Right; Le & Tran — Arbitration Clauses in Contracts: Are They Enforceable in Vietnam?). Arbitration remains the strongest available option, but the clause needs care: name the institution precisely, state governing law, and keep the covered dispute types unambiguous, since a vague clause is a common reason Vietnamese courts decline to honor one.

The 12-Clause IP Protection Checklist

The following is reference language to bring to your lawyer, not a substitute for their review. Contract law varies by jurisdiction and governing law, and the exact wording that holds up depends on both.

  1. IP assignment, present tense. "Contractor hereby assigns and transfers to Client all right, title, and interest," not "agrees to assign."
  2. Scope: foreground vs. background IP. Define clearly that pre-existing vendor tools, libraries, or frameworks (background IP) remain the vendor's, while everything built specifically for you (foreground IP) transfers.
  3. Moral rights consent. Written developer consent to future modification, adaptation, and relicensing of the work, to the extent permitted under the governing law.
  4. Subcontractor flow-down. Every subcontractor and freelancer engaged by the vendor must sign IP-assignment and confidentiality terms no less restrictive than the master agreement, with the vendor remaining liable for their breach.
  5. NDA before discovery. Signed and effective before any technical scoping call, architecture discussion, or sample data exchange, not after.
  6. Open-source disclosure. Vendor discloses all third-party and open-source components used, ideally via a bill of materials, updated at each major release.
  7. License-compliance warranty and indemnity. Vendor warrants no undisclosed copyleft component triggers disclosure obligations on your proprietary code, and indemnifies you if that warranty is false.
  8. Continuous handover, not just final delivery. Source code, credentials, and documentation transfer to you at each milestone, in a repository you control, not only at contract completion.
  9. Source code escrow. For long-running engagements, code and build materials held by an independent escrow agent, released on defined triggers, insolvency, abandonment, or SLA failure.
  10. AI-use disclosure. Vendor discloses meaningful use of AI code generation and confirms a named human materially reviewed and directed the output.
  11. Non-infringement warranty. Vendor warrants the delivered code doesn't infringe a third party's IP, with indemnification if a claim arises.
  12. Dispute resolution and forum. A named arbitration institution (VIAC, SIAC, or HKIAC), seat, and governing law, with an explicit carve-out allowing injunctive relief for IP breaches without waiting for arbitration to conclude.

When You Need a Partner Instead of a DIY Contract

Most of the failures above don't come from a bad-faith vendor. They come from a contract nobody with IP experience actually reviewed clause by clause before signing. MONA is a Vietnam-based software company with 200+ staff and 14,000+ projects delivered since 2016, and every engagement signs an NDA and locks the IP-assignment terms before any discovery work starts, with employed engineers rather than unvetted subcontractors on the core team. If you're scoping an outsourcing engagement and want the IP terms handled correctly from the first conversation, not renegotiated after a problem surfaces, that's the standard to hold any vendor to, MONA included.

For the fuller list of outsourcing risks beyond IP, see offshore software development risks; for the complete pre-signature checklist across cost, scope, and delivery terms, see the software outsourcing contract checklist.

Ready to scope an outsourcing engagement with the IP terms right from day one? Talk to MONA about your project →

Frequently Asked Questions

What is the difference between work-for-hire and an IP-assignment clause?

Work-for-hire only applies automatically to employees, or to independent contractors whose work fits one of nine narrow statutory categories that most custom software doesn't meet. An IP-assignment clause, written in the present tense, transfers ownership by ordinary contract law regardless of category, which is why it should be the primary clause, not a backup.

Do I automatically own the code my outsourcing vendor writes?

No. Without a clear, present-tense assignment clause, ownership can default to the developer or vendor, especially for independent contractors and freelancers. "The client owns everything" needs to be written into the contract explicitly; it is not the automatic legal default in most jurisdictions.

What are moral rights, and can they be waived?

Moral rights are the author's right to be credited and to object to harmful modification of their work, separate from economic ownership. In civil-law jurisdictions like Vietnam, most moral rights cannot be transferred by contract, though authors can agree in writing to allow future modification of the work.

Should I require source code escrow when outsourcing software development?

Escrow matters most for long-running engagements, dedicated teams or an Offshore Development Center, where you depend on the vendor's continued existence. For a short, one-off project where you already hold the delivered code, escrow adds less value than for software you'll rely on the vendor to maintain for years.

Who owns code generated with AI assistance during an outsourced project?

Purely AI-generated code without meaningful human input isn't copyrightable in the US, per current Copyright Office guidance. When a developer meaningfully edits or directs the AI output, copyright attaches to that human contribution and transfers to you through a standard IP-assignment clause.

Can I enforce a foreign court judgment against a Vietnamese outsourcing vendor?

Rarely, if the vendor has no assets in your jurisdiction. Vietnam is a New York Convention member, so a properly drafted arbitration award, through VIAC, SIAC, or HKIAC, has a real enforcement path, though Vietnamese courts have historically rejected a significant share of foreign award applications on procedural grounds.

What happens to my IP if my vendor uses subcontractors or freelancers?

Your IP-assignment and confidentiality terms with the vendor company do not automatically bind the individual subcontractors it uses. The contract needs an explicit flow-down clause requiring every subcontractor to sign equivalent terms, with the vendor liable for their breach.