vadimkravcenko

Can an offshore dev agency steal your code?

13 August 2023 ·Updated 04 April 2026

Question

hey Vadim, I'm a CTO at a newly created startup and we're looking to outsource development to an offshore dev agency. I understand the importance of intellectual property. It's my first time working with an offshore outsourcing company, and I have some concerns about the security of our code, and who owns what. Specifically, I'm worried about the potential risk of our code being stolen or misused. Possibly a clone being released? How real is this risk when working with offshore agencies? What measures can we take to protect our code and intellectual property?

Answer

The first time an offshore agency locked our GitLab repo because an invoice was a couple of days late, I felt my stomach drop. Two junior engineers pinged me asking why their commits were suddenly read-only. That’s when the “can they just walk away with our code?” question stopped being hypothetical.

Short answer: yes, they technically can. Also no, they usually don’t. (Annoying dual truth, I know.)

Here’s why the door is even open: in many jurisdictions the person who creates the work owns the copyright by default unless there’s a written transfer (in Germany, where copyright itself cannot be assigned at all, the equivalent is a written grant of exclusive usage rights). Swiss law takes the same line, and so does the U.S. Copyright Act: code written by an independent contractor is not “work made for hire” unless it falls into one of the act’s listed categories and both sides sign an agreement saying so, so without a written assignment the contractor keeps the copyright. I’m not a lawyer, but I’ve paid enough of them to draft contracts to spot the pattern. Most template “software development agreements” shipped by offshore shops keep the IP with the vendor until final payment lands. Sounds reasonable on paper, yet it gives them leverage if anything goes sideways.

(Side note: I got this wrong for a good year—kept assuming the invoice PDFs and the pull requests somehow implied ownership. They don’t.)

Now, is every agency lurking in the shadows waiting to repackage your SaaS idea for the next founder? No. The decent ones make their money on predictable retainers, not on black-market code drops. But the risk is big enough that I treat it like fire insurance: hope I never need it, insist on it anyway.

My checklist, refined after a few bruises:

1. Put the IP transfer clause on page one, not page thirteen. Spell out that ownership moves with each paid invoice, not just at “project completion.”
2. Reference governing law you can actually enforce. I default to Swiss law because that’s where I sit; pick whatever court you can physically show up to.
3. Mirror the clause downstream. The agency must have matching agreements with its subsidiary and, ideally, individual devs. That back-to-back chain sounds bureaucratic, but it closes loopholes faster than you think.

I could be wrong, but I’ve yet to find a cheaper workaround than adding a local wrapper entity—basically a front company in your jurisdiction that invoices you and subcontracts the low-cost team abroad. If things blow up, you sue the wrapper at home. They chase the subsidiary; the subsidiary deals with the engineers. Everyone speaks the same legal language and nobody boards a 14-hour flight for a deposition.

(Yes, the structure adds a few percentage points to the day rate. In my experience the peace of mind is worth more than the espresso budget it consumes.)

Even with the paperwork sorted, keep practical control levers:

• Repos live in your GitHub organization. The agency’s people are collaborators you grant (and can revoke) access to, never owners. Grants of access, not transfers of ownership.
• CI/CD keys are issued and rotated from your vault, so cutting the agency off means revoking a token, not rebuilding pipelines.
• Production credentials stay in an encrypted secret manager the agency cannot export. There’s an argument that this slows them down; I’ve found the hit negligible once everyone learns the tool.
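The first lever only holds if you check it now and then. Below is an added example, not code from the original post, that audits who holds what on a repository you own. It runs offline over a constructed sample shaped like the JSON GitHub returns from `GET /repos/{owner}/{repo}/collaborators` (each record carries `login`, `role_name` and a `permissions` dict of booleans); the logins, rosters and the policy thresholds are assumptions for illustration. The policy it enforces: vendor accounts get at most `write`, at least one internal account must hold `admin`, and any account on neither roster is a finding.

```python
"""Audit collaborator grants on a repo you own against a vendor-access policy.

Added example, not from the original post. Runs offline over a constructed
sample shaped like GitHub's collaborators endpoint. Rosters and the
vendor cap are assumptions; adapt them to your org.
"""
from dataclasses import dataclass

# GitHub's repository roles, least to most privileged.
ROLE_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}


@dataclass(frozen=True)
class Finding:
    login: str
    role: str
    reason: str


def effective_role(collab: dict) -> str:
    """Derive the role from the permission booleans rather than trusting
    role_name, which custom organization roles can relabel."""
    p = collab.get("permissions", {})
    if p.get("admin"):
        return "admin"
    if p.get("maintain"):
        return "maintain"
    if p.get("push"):
        return "write"
    if p.get("triage"):
        return "triage"
    return "read"


def audit_collaborators(collabs, internal_logins, vendor_logins,
                        vendor_max_role="write"):
    """Return a list of Findings; an empty list means the grants match policy."""
    findings = []
    cap = ROLE_RANK[vendor_max_role]
    internal_admin = False
    for c in collabs:
        login, role = c["login"], effective_role(c)
        if login in internal_logins:
            internal_admin = internal_admin or role == "admin"
        elif login in vendor_logins:
            if ROLE_RANK[role] > cap:
                findings.append(Finding(login, role,
                                        f"vendor account above {vendor_max_role}"))
        else:
            # Neither employee nor current vendor roster: stale or unknown grant.
            findings.append(Finding(login, role, "account on no roster"))
    if not internal_admin:
        findings.append(Finding("-", "-",
                                "no internal account holds admin; you do not control this repo"))
    return findings


# Constructed sample in the shape of GitHub's collaborators response.
SAMPLE_COLLABORATORS = [
    {"login": "cto-alice", "role_name": "admin",
     "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"login": "agency-lead", "role_name": "maintain",
     "permissions": {"admin": False, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"login": "agency-dev1", "role_name": "write",
     "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True}},
    {"login": "ex-freelancer", "role_name": "read",
     "permissions": {"admin": False, "maintain": False, "push": False, "triage": False, "pull": True}},
]
INTERNAL_LOGINS = {"cto-alice"}          # assumed: your own employees
VENDOR_LOGINS = {"agency-lead", "agency-dev1"}  # assumed: the agency's current roster


if __name__ == "__main__":
    for f in audit_collaborators(SAMPLE_COLLABORATORS, INTERNAL_LOGINS, VENDOR_LOGINS):
        print(f"{f.login:15} {f.role:9} {f.reason}")
```

Run it against the live endpoint by replacing the sample list with the API response; a `maintain` grant is the one to watch, because it can loosen branch protection without showing up as `admin`.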

Could an agency still ghost you, fork the code, and sell a clone? Sure. But that clone will be forever tainted—any serious investor doing diligence will bounce the minute you slide a cease-and-desist across the table. The real value is rarely the raw code; it’s the brand, the customer list, the domain knowledge. Harder to pirate those.

So no, the offshore scene isn’t a lawless frontier. It’s more like a busy airport: mostly safe, occasionally chaotic, and a nightmare only if you ignore the posted rules. Draft the contract, wire the invoices on time, keep the keys on your side of the fence. That’s usually enough to sleep at night—though there are still risks and challenges in managing offshore development, well, at least until the next 3 a.m. deploy.


4 Comments

  1. Anonymous

    I’ve dealt with offshore development teams and the points you’ve made are spot on. It’s crucial to nail down the IP rights from the get-go to avoid any misunderstandings. Making sure contracts are enforceable and clear has saved me a couple of headaches. Also, having a local partner as a go-between made communication and legal issues much smoother. Great advice for anyone looking into this.

  2. Anonymous

    When I started working with offshore teams, setting up detailed, time-stamped access logs for our code repositories made a huge difference. It felt like we had an extra layer of oversight, ensuring only authorized edits were happening. It was simple but really effective in giving us peace of mind.

  3. Anonymous

    Really hit the nail on the head with the idea of using a local offshore partner to mitigate IP risks. I’ve been through the wringer with offshoring before, and man, having someone local to hold accountable makes a world of difference. It’s not just about ease of communication, but having that legal safety net within reach can save you from a lot of potential headaches down the line. Payment and IP transfer clauses are crucial too. Get those wrong, and you’re in for a world of hurt. Learned that the hard way. Always double-check that contract and don’t skimp on legal advice; it’s worth its weight in gold.

  4. Anonymous

    Ran into a bit of a situation once when working with an offshore team. Thought we had everything sorted, contract-wise. But then I encountered an issue where different freelancers were claiming IP rights on parts of the code that all of them had worked on, which ended up costing me a lot of back and forth in terms of payment discussion and IP release.
