EU jurisdiction · Managed CI/CD · Security-scanned actions

The EU GitHub alternative with the runners and the marketplace built in.

Hosted Forgejo with managed CI/CD runners and a curated, security-scanned actions marketplace. Included, not bring-your-own. Everything stays on EU infrastructure, under a jurisdiction you can name in a contract.

Managed runners, no build server to run Open-source core, exit is a clone EU-only data residency
borgmark.eu / northstar / gov-tender-api
DATA RESIDENCY Frankfurt, DE 🇩🇪
JURISDICTION EU · GDPR
SUB-PROCESSORS EU-based only
SOURCE Open · auditable
pipeline #418 · main running in EU ●
1
build
2
test
3
scan
4
ship
What you get

A familiar Git platform. Sovereign by construction.

BorgMark is hosted Forgejo with the parts a security review actually checks, bolted in, so you switch in an afternoon, not a quarter.

Use the Forge, Luke.

The open-source Git platform your team already knows. Pull requests, issues, code review, mirroring. Nothing to relearn.

Runners included, not bring-your-own.

Managed CI/CD runners come with it. No Hetzner box to provision, patch, or explain in an audit. Push, and it runs in the EU.

A marketplace you can trust by default.

A curated, security-scanned actions marketplace. The convenience of an actions ecosystem without inheriting an unvetted supply chain into your pipeline.

EU data residency, on the record.

Repositories, artifacts and logs stay on EU infrastructure under EU jurisdiction. A location you can name in a contract.

The Forge will be with you, always.

Standard Git underneath and an open-source core means your exit is a clone away. Auditable, not a black box.

One-step migration.

Mirror in from GitHub or GitLab with history, issues and CI intact. Move one stuck project first, or the whole org.

Every build, in the EU

The pipeline never leaves the jurisdiction.

Source, runners, artifacts and logs all stay on EU infrastructure. There's no hidden hop to a US region, and nothing for you to wire up to make that true.

deploy · core-banking-api region: eu-central
clone
build
test
scan
ship
No egress outside the EU · logged & exportable
The deal you're trying to close

The last gate isn't technical. It's jurisdictional.

You're selling into a bank, a hospital, a government buyer. The pilot worked, the contract's drafted. Then their security team sends the questionnaire, and it asks where your source code and CI run, under whose law, and who could be compelled to reach them. "It's on GitHub" stopped being a one-line answer.

Schrems II

Lawful transfer is now a written question.

EU case law has made data transfer to US-controlled tooling something the buyer's legal team asks about in writing, and expects an answer for.

US CLOUD Act

Jurisdiction, not server location.

US-parented providers can be subject to US legal process even when data sits on European disks. The questionnaire asks about jurisdiction, not the data centre's postcode.

NIS2 · DORA

Supply-chain accountability lands on you.

Regulated buyers have to account for their suppliers' security posture. Your toolchain shows up in their audit, so it has to hold up.

You could just self-host

You can run Forgejo yourself. You can't sign your own DPA.

Standing up Forgejo on a Hetzner box gets your code into the EU. It doesn't get you a sub-processor you can list, a DPA the buyer's legal team can counter-sign, an attestation that no US parent can be compelled under the CLOUD Act, or audit logs a third party will vouch for. The questionnaire isn't asking where the bytes sit. It's asking who is accountable, in writing. That's what you're buying, and it's the one thing you can't self-host.

The differentiator

Answers for the security questionnaire.

The actual line items that stall deals with regulated buyers, and what BorgMark lets you write in the box.

01 Where is source code and build data stored?
EU data centres only, region named in the contract. No replication to non-EU regions.
02 Is the provider subject to non-EU jurisdiction?
EU-operated, no US parent, outside the reach of the US CLOUD Act.
03 List all sub-processors and their locations.
Short, EU-based sub-processor list, published and versioned.
04 Can the platform be independently audited?
Open-source core, reviewable, not a black box. Audit logs exportable.
05 How is the CI/CD supply chain controlled?
Curated, security-scanned actions marketplace. No unvetted third-party actions pulled into your pipeline.
06 What is the exit / portability plan?
Standard Git plus open formats. Full export on demand, no proprietary trap.
Pricing

Two branches. Both stay in the EU.

Start with a 14-day full-access trial on Walled Garden. Step up to Sovereign Fortress when a buyer requires dedicated infrastructure.

Sovereign Fortress
€399 / month · up to 20 users

For when you win the regulated deal and the buyer requires dedicated infrastructure.

Everything in Walled Garden, plus:

  • Single-tenant Forgejo VM
  • Dedicated PostgreSQL
  • Custom domain (git.your-company.com)
  • SAML/OIDC SSO
  • Priority support · compliance audit logs
  • BYO runners on request
Talk to us
Questions

The objections, answered.

Yes. The open-source Forgejo forge, hosted and operated by us in the EU, with managed CI runners and a curated, security-scanned actions marketplace bolted on. No proprietary fork you'd be stuck with.

Yes. Repos mirror in with full history; issues and pipelines come across. Move a single stuck project first and expand from there.

On EU infrastructure, in a region we name in your contract. No replication to non-EU regions, and the build pipeline runs in the same jurisdiction.

Only under EU legal process. There's no US parent company, so the US CLOUD Act doesn't reach it, which is the point you can put in writing for a buyer.

Self-hosting gets your code into the EU but not the paper a security review wants: a sub-processor to list, a DPA to counter-sign, an independent no-US-parent attestation, vouched audit logs. You're buying an accountable counterparty, not a server.

It removes a recurring finding: an externally-controlled toolchain under foreign jurisdiction, and an unvetted CI supply chain. It's not a certificate by itself, but it's an answer an auditor accepts.

Standard Git plus open formats means a full export on demand. Your exit cost is a clone, not a renegotiation.

Two ways in

Make "where does the code live?" a one-line answer.

Sign up on Walled Garden for a 14-day full-access trial. For Sovereign Fortress, we'll provision your dedicated tenant. Talk to us first.

Start 14-day trial