Journal entry
EU sovereignty by design, not by declaration
“Hosted in the EU” has become the most overused phrase in B2B SaaS. It is also, by itself, almost meaningless. Data residency in Frankfurt does not change the jurisdiction of the company that operates the service, and it is jurisdiction — not server location — that a regulated client’s legal team writes down on the questionnaire.
This is the line BorgMark draws, and the engineering choices that follow from it.
The question on the form is jurisdiction
The CLOUD Act and its analogues allow US authorities to compel US-controlled companies to hand over data, regardless of where that data is stored. An EU data centre operated by a US-parented company is, on the form, a foreign-jurisdiction toolchain. This is not a hypothetical risk that vendors invented to sell a thing — it is the wording on the actual procurement template at every regulated buyer we have spoken to.
The first architectural choice, therefore, is corporate: BorgMark is operated by BV CEEJAY, a Belgian company with no US parent and no US subsidiary. That is the foundation everything else stands on. Without it, the rest is theatre.
Sub-processors are part of the answer
A platform is also the sum of the providers it depends on. A short list, in plain language:
- Hetzner Online GmbH (Germany) — compute, storage, database
- Combell NV (Belgium) — transactional email
- Mollie B.V. (Netherlands) — payments
That is the entire list. No Cloudflare in front of the application. No Auth0 / Okta for SSO. No Stripe for billing. No Vercel, no AWS, no GCP, no Azure — not for “edge functions,” not for “image optimization,” not for “just analytics.” Each addition would expose either data or metadata to a non-EU jurisdiction. We chose not to add them.
What this costs us
Engineering honesty: choosing EU-only providers is operationally more expensive than the alternative. The US-headquartered hyperscalers have nicer dashboards, more turnkey services, and a larger ecosystem. We give those up. In exchange, the answer to “where does the code live, and who can compel access?” fits on one line and survives a legal review.
For agencies whose clients are not asking that question yet, this is overhead. For agencies whose clients are asking, it is the entire reason to switch.
What we will publish next
This is the first entry in what we will run as an engineering and compliance journal — long-form, dated, no spin. Subjects already on the list: how we operate Forgejo at scale, what DORA auditors actually ask of source control, and the concrete steps of migrating a GitHub Enterprise tenant into BorgMark. Subscribe via RSS to follow along.