The cost of vendor lock‑in
Classic scenario: the agency shipped a project on custom Bitrix with unique components and no documentation. A year later you want to switch — and hear "your build is non‑standard, we'll need 2 months to figure it out, +$20K".
That's vendor lock‑in in action. Direct cost — 20–50% of the new project budget. Indirect — no flexibility, no negotiation leverage, dependency on specific people at the current agency.
Four types of lock‑in
- Custom code lock‑in. Unique components without documentation. Cure: require JSDoc/PHPDoc and a README on every significant feature.
- Infrastructure lock‑in. CI/CD, secrets, cloud accounts — owned by the agency. Cure: everything in your accounts from day one.
- License lock‑in. Code is owned by the agency, you only get a "license to use". Cure: full IP transfer in the contract.
- Platform lock‑in. Closed SaaS with no data export. Cure: open‑core platforms under MIT/Apache.
What to put in the contract
1. IP transfer
Clause: "Exclusive rights to the code, design files and documentation pass to the Customer upon sign‑off of the phase acceptance act." Without this clause, the agency's lawyers can later interpret the arrangement as a license.
2. Documentation as scope
Documentation is a separate deliverable, not an attachment. Minimum: architecture diagram, API reference, runbook, ADRs (architecture decision records) for the key design decisions.
3. Handoff package
An explicit list of artifacts handed over at project close (see below). No clause, no obligation.
4. Penalty for missing artifacts
If docs are missing at handoff — 10% penalty on the phase fee. Motivates the agency to write docs continuously, not at the last minute.
Handoff artifacts
- All source code in your Git (not the agency's).
- C4 architecture diagram (Context / Container / Component).
- API reference (OpenAPI / GraphQL schema).
- DB schema with ER diagram.
- Infrastructure code (Terraform / Ansible / docker‑compose).
- CI/CD pipelines in your GitHub/GitLab.
- Runbook for common incidents (500s, sync failed, payments failing).
- Knowledge base accessible to your team.
- 30–60 min architecture walkthrough recording by the agency CTO.
Open‑core: what and why
Open‑core is a model where the core of the product is released under an open‑source license (MIT/Apache) and commercial add‑ons are paid. Examples: Medusa, Saleor, our Frontbox.
Why it protects from lock‑in:
- Even if the vendor disappears, your team can maintain and extend the core on their own.
- There are other agencies on the market that know the same open‑core. You can switch teams without "rewriting".
- A community pool of bug fixes and security patches — you don't pay for every update.
Pre‑signing checklist
- ☐ Contract has an IP transfer clause for code and documentation.
- ☐ Full handoff package is listed.
- ☐ Penalty for missing documentation is specified.
- ☐ All infra accounts are yours (not the agency's).
- ☐ Git repo — yours.
- ☐ Platform — open‑source or open‑core under MIT/Apache.
- ☐ There's a backup agency that knows the same platform.
- ☐ You're not paying for a "license to use the code".
FAQ
What is vendor lock‑in and why is it dangerous?
Vendor lock‑in is dependence on a specific agency, platform, or technology where switching becomes financially prohibitive. Direct exit cost: +20–50% of the new project budget to "figure out" the existing codebase. Indirect cost: no negotiation leverage — the agency knows replacing them is expensive.
How do I know if I already have vendor lock‑in?
Four signals: (1) no documentation for the codebase, (2) servers and CI/CD are on the agency's accounts, (3) the contract says "license to use" instead of IP transfer, (4) the platform is a closed SaaS with no data export.
What must be in the contract to protect against lock‑in?
Four clauses: transfer of exclusive rights to code and documentation, documentation as a separate deliverable, an explicit handoff artifact list, and a 10% penalty for missing artifacts. If any clause is absent, the agency has room to maneuver.
Is a recorded architecture walkthrough mandatory?
Not mandatory — but it's the cheapest way to transfer implicit knowledge. A 30–60 min recording with the agency CTO saves the new team 2–4 weeks of onboarding. Cost to produce: zero. Value: disproportionate.
What if the agency refuses to hand over the source code?
Send a written request citing the IP transfer clause in the contract. If refused — a formal notice with a deadline. Without an IP transfer clause, your legal position is weaker, which is exactly why it needs to be in the contract before work starts. With the clause in place, the agency is legally obligated to hand over the code.
Why is open‑core better than a closed SaaS?
Two key differences: (1) the core is public — even if the vendor closes down, the code doesn't disappear; (2) other agencies know the same platform. Competition for you as a client is preserved, and the cost of switching agencies drops significantly.
How much does it cost to exit vendor lock‑in?
Depends on the depth. Custom Bitrix with no documentation — $20K–40K on discovery and rewriting. Handing off a Frontbox project (open‑core, docs included) to a new team — $2K–4K on knowledge transfer. A 10× difference.
Is Frontbox open‑core? Can I take it to a different agency?
Yes, the Frontbox core is released under the MIT license. The source is available to anyone, any team can continue development, and there's no licensing fee for the core itself. You're not locked into WebGoodPeople as your only option.