# How to Protect Your Source Code

> How to protect proprietary source code — copyright registration, trade secret measures, access controls, and contract protections.

Guide  |  Author: Lidiia Levitska  |  Source: Intellectual Property Law (outsideipcounsel.com)
Canonical: https://outsideipcounsel.com/guides/how-to-protect-source-code/


<div class="quick-answer"><p><strong>Quick answer:</strong> To protect your source code, use a stack, not a single tool. Copyright protects the literal code automatically the moment you write it, and registering it with the U.S. Copyright Office — while redacting the secret parts — lets you sue and claim statutory damages. Trade secret law protects the underlying algorithms and architecture <em>as long as you keep them confidential</em>, which means access controls, encryption, and NDAs. Written employee and contractor assignment agreements make sure your company actually owns the code. Escrow reassures licensees, and a patent fits only rare, genuinely novel methods. Layer all five and your code is defensible from copying, theft, and ownership disputes.</p></div>

Source code is often a startup's single most valuable asset — and one of the easiest to lose control of. It can be copied in seconds, walked out the door by a departing engineer, or, worse, quietly owned by the freelancer you paid to build it. This guide lays out the practical protection stack every founder and their counsel should have in place: copyright, trade secret discipline, contracts, escrow, and — where it fits — patents.

## Is source code automatically protected, and why register it?

Yes. Original source code is a "literary work" under the Copyright Act, and copyright attaches **automatically the moment the code is fixed** — the instant you save the file. You do not need to publish it, register it, or add a copyright notice to own it.

So why bother registering? Because registration is what gives the copyright teeth:

- **You cannot sue until you register.** Under **[17 U.S.C. § 411(a)](https://www.law.cornell.edu/uscode/text/17/411)**, a U.S. copyright owner must obtain registration (a completed application isn't enough — the Supreme Court settled this in *Fourth Estate v. Wall-Street.com*, 2019) before filing an infringement suit.
- **Statutory damages and attorney's fees.** If you register **before** the infringement begins — or within three months of first publication — you can elect **statutory damages of up to $150,000 per work for willful infringement** under **[17 U.S.C. § 504(c)](https://www.law.cornell.edu/uscode/text/17/504)**, plus attorney's fees under **§ 505**. Without timely registration you're limited to actual damages and profits, which are hard to prove and often small.
- **Public record and presumption of validity.** A registration made within five years of publication is prima facie evidence that your copyright is valid.

Filing is cheap. As of 2026 the electronic **Standard Application fee is $65** (the $45 Single Application generally doesn't fit a company-owned work, since it's limited to a single author who is also the sole owner). The Copyright Office has proposed raising these fees, so confirm the current amount before you file — but even at the higher proposed rate, it remains the best-value insurance in all of IP.

To see how courts handle software copying disputes, browse our [copyright case analysis archive](/topics/copyright/).

## How do you register code without giving away your secrets?

This is the question that stops most founders — they assume registering means handing the government (and, via the public record, competitors) a full copy of their crown jewels. It doesn't. The Copyright Office has **special deposit rules for computer programs** precisely because so much code contains trade secrets.

For a program that contains trade secrets, you don't deposit everything. You deposit **identifying portions**, and you may **block out (redact)** the confidential parts. The Office offers several accepted options, including:

- **First 25 and last 25 pages** of source code with the trade-secret portions **blocked out** — as long as the redactions are proportional and an *appreciable amount* of original computer code remains visible.
- **First 10 and last 10 pages** of source code with **nothing** blocked out.
- **First 25 and last 25 pages of object code** plus any 10 or more consecutive pages of source code with nothing blocked out.
- For a short program (fewer than 50 pages), the **entire** source code, with trade-secret portions blocked out.

A separate registration is needed for each subsequent **version** that contains meaningful new, copyrightable material — so a fast-moving codebase may warrant periodic re-registration of major releases rather than every commit. The practical playbook: register the initial release and each major version, always using the redacted-deposit option so you preserve trade secret status while still perfecting your right to sue.

## Should your code be a trade secret, a patent, or both?

Copyright only stops literal copying of your *expression*. It does **not** protect the ideas, algorithms, data structures, or system architecture underneath — anyone free to independently write different code that does the same thing. That gap is where **trade secret** protection does its work.

Under the federal **Defend Trade Secrets Act (DTSA)** and the state-law **Uniform Trade Secrets Act (UTSA)**, your algorithms, architecture, and know-how qualify as trade secrets if they have economic value from being secret and you take **reasonable measures** to keep them secret. Unlike copyright, a trade secret can last forever — but it evaporates the instant the code leaks or is reverse-engineered.

A **patent** is a third, narrower option. It can cover a genuinely novel, non-obvious *technical method* your software implements, but two realities limit it:

- **Eligibility is hard.** Since *Alice Corp. v. CLS Bank* (2014), abstract ideas "implemented on a computer" are unpatentable under **[35 U.S.C. § 101](https://www.law.cornell.edu/uscode/text/35/101)** unless they recite a specific technical improvement.
- **Filing publishes your code's logic.** A patent trades secrecy for a ~20-year monopoly, so you generally can't patent an algorithm *and* keep it a trade secret.

We compare these regimes head-to-head in [software patent vs. copyright](/guides/software-patent-vs-copyright/), and whether an app can be patented at all in [can you patent an app?](/guides/can-you-patent-an-app/). For most companies, the answer is **copyright + trade secret**, reserving patents for a small set of defensible innovations.

## What "reasonable measures" do you actually need?

Trade secret protection is won or lost on whether you took **reasonable measures** to keep the code confidential — the element defendants attack first. For source code specifically, a strong program includes:

- **Access on a need-to-know basis.** Not every engineer needs the whole repository. Use repository permissions, private branches, and per-service scoping.
- **Authentication and encryption.** SSO with mandatory MFA on your Git host, encryption in transit and at rest, and no credentials or secrets committed into the repo.
- **Audit logging.** Track who cloned, pulled, or downloaded what, and when — these logs are gold if you ever litigate.
- **Confidentiality markings.** Headers and repo notices stating the code is proprietary and confidential.
- **Endpoint and device controls.** Managed devices, disk encryption, and the ability to revoke access remotely.
- **Vendor diligence.** Confirm your Git host, CI/CD provider, and cloud vendors are contractually bound to protect your data.
- **Offboarding discipline.** Disable repo and cloud access the moment someone leaves, and preserve their access logs.

You don't need Fort Knox — you need measures *reasonable under the circumstances*, and documentation proving you took them. Our [reasonable secrecy measures checklist](/guides/reasonable-secrecy-measures-checklist/) turns this into a concrete to-do list you can implement this week.

## Who actually owns the code — you or the developer?

This is the trap that sinks acquisitions and fundraising. Copyright ownership does **not** automatically follow the person paying for the work.

- **Employees:** Code written by an employee within the scope of employment is a **work made for hire**, so the employer owns it by default. Even so, always get a signed **confidentiality and invention-assignment agreement (CIIAA)** to remove any doubt and to capture pre-existing IP disclosures.
- **Contractors and freelancers:** This is the danger zone. Independent-contractor software is generally **not** a work made for hire under **[17 U.S.C. § 101](https://www.law.cornell.edu/uscode/text/17/101)** — commissioned software isn't one of the nine enumerated categories. Absent a **written assignment**, the contractor keeps the copyright and merely grants you an implied license, even after you've paid in full. You must have every contractor **assign** the code in writing.

Layer **NDAs** on top of assignment for anyone — employee, contractor, partner, or investor — who sees the code; a well-drafted NDA is also key evidence of reasonable secrecy measures (see [the NDA that holds up](/guides/nda-that-holds-up/)). For the full ownership picture at a company, see [who owns your startup's IP](/guides/who-owns-startup-ip/) and the [startup IP checklist](/guides/startup-ip-checklist/).

## What technical measures actually keep code out of reach?

Legal rights let you *punish* misuse after the fact; technical measures reduce the odds it happens at all — and they double as evidence of reasonable secrecy. The most effective ones:

- **Keep secrets server-side.** Never ship proprietary algorithms, API keys, or business logic in client-side code (a web bundle or a mobile app can be decompiled). Push the sensitive logic behind an API you control.
- **Compile and obfuscate what must ship.** Distribute compiled binaries rather than source, and use minification and obfuscation for anything that has to run in the browser or on a device. It won't stop a determined reverse-engineer, but it raises the cost and signals that the code isn't meant to be read.
- **Segment the repository.** Split the most sensitive components into separate, tightly permissioned repos so no single engineer or contractor holds the entire system.
- **Watermark and fingerprint.** Subtle, unique markers in the code can prove copying if a competitor's product is ever examined in litigation.
- **Monitor for leaks.** Scan public code hosts and paste sites for your distinctive strings; leaked repositories and hard-coded secrets surface constantly, and catching them fast limits the damage.

None of these replaces the legal stack — they reinforce it. Reverse-engineering a lawfully obtained product is generally **not** a trade secret violation, so technical friction plus airtight contracts is what closes that gap.

## Should you use source-code escrow with customers?

If you license software to enterprise customers, they'll often worry: *what happens to our business if you go bankrupt or stop supporting the product?* **Source-code escrow** solves this without exposing your code.

A neutral third-party escrow agent holds a copy of the source code and build materials. The customer can access it **only** on defined **release conditions** — typically your insolvency, discontinuation of the product, or a material, uncured support failure. Until then, the code stays sealed. Escrow lets you close deals with risk-averse buyers while keeping the code out of their hands day to day. Draft the release triggers narrowly and specify exactly what's deposited (current source, build scripts, documentation) and how often it's updated.

## What about open-source components in your codebase?

Almost every proprietary codebase pulls in **open-source dependencies**, and their licenses can quietly undermine your protection. **Copyleft** licenses — most notably the **GPL** — can require you to release your own source code if you distribute software that incorporates or links to GPL-covered code in the wrong way. **Permissive** licenses (MIT, Apache 2.0, BSD) are far friendlier but still carry attribution and, for Apache, patent-and-notice obligations.

Maintain a **software bill of materials (SBOM)**, run license-scanning tooling, and vet every dependency's license *before* you ship. Getting this wrong can force disclosure of the very code you worked to protect. We cover the details in [open source and software IP](/guides/open-source-and-software-ip/) and the strategy tradeoffs in [open-source licensing for startups](/guides/open-source-licensing-startups/).

## The bottom line

There's no single "protect my source code" button — there's a stack, and the strength comes from layering it. **Copyright** attaches automatically and, once registered (redacting the secret parts), lets you sue and claim statutory damages. **Trade secret** discipline — access controls, encryption, logging, and NDAs — protects the algorithms and architecture copyright can't reach. **Written assignment agreements** ensure your company actually owns what employees and contractors build. **Escrow** unlocks enterprise deals without exposure, and a **patent** fits the rare, genuinely novel method. Put all of this in writing and in practice, and your code stops being a liability waiting to leak and becomes a defensible asset.

*This guide is general education, not legal advice, and does not create an attorney-client relationship. Source code protection depends on your specific facts, your contracts, and your state's trade secret law — consult an attorney licensed in your jurisdiction before acting.*


## Frequently asked questions

### Is source code automatically protected by copyright?

Yes. Under U.S. copyright law, original source code is protected automatically the moment it is fixed in a tangible medium — the instant you save the file. You do not need to register or put a notice on it to own the copyright. But you cannot file an infringement lawsuit until the work is registered with the U.S. Copyright Office, and registering before infringement (or within three months of publication) is what unlocks statutory damages and attorney's fees.

### Can I register source code without publicly revealing it?

Yes. The Copyright Office lets you register code while shielding trade secrets. Instead of depositing everything, you submit identifying portions — typically the first 25 and last 25 pages — and you may block out (redact) the portions containing trade secrets, as long as an appreciable amount of original code remains visible. Alternative deposit options exist for short programs and code that is entirely secret.

### Should source code be a trade secret or a patent?

Most proprietary code is best protected as a trade secret plus copyright. Copyright protects the literal code from copying; trade secret law protects the ideas, algorithms, and architecture as long as you keep them confidential. A patent may fit a genuinely novel, non-obvious technical method, but software patents face a high eligibility bar under Alice v. CLS Bank, and filing publishes your invention — the opposite of secrecy.

### What contracts do I need to protect source code?

Two are essential. Every employee needs a confidentiality and invention-assignment agreement so the company — not the individual — owns the code. Every contractor or freelance developer needs a written assignment, because absent one, the developer often keeps the copyright even after you pay them. Layer NDAs on top for anyone who sees the code, and use source-code escrow when you license to customers who fear you might disappear.
