GitHub is the default. But when a regulated client asks where the code lives, "GitHub" needs a longer answer. Here is how BorgMark — hosted Forgejo under EU jurisdiction — compares for agencies that have to fill in security questionnaires.
| What a client asks | BorgMark | GitHub |
|---|---|---|
| Jurisdiction | ✓ EU company, no US parent — access only under EU legal process. | Operated by a US company (Microsoft) under US jurisdiction. |
| CLOUD Act exposure | ✓ Out of reach — there is no US entity to compel. | Subject to US legal process, including the CLOUD Act. |
| Data residency | ✓ EU region named in your contract; no non-EU replication. | EU data residency only on higher Enterprise tiers, and the operator stays under US jurisdiction. |
| CI/CD location | ✓ Runners, artifacts and logs stay in the same EU jurisdiction. | Actions runners default to non-EU regions unless you self-host. |
| Sub-processors | ✓ Short, EU-based list, published and versioned. | Large, global sub-processor list. |
| Platform | ✓ Open-source Forgejo core — auditable, no lock-in. | Proprietary and closed. |
| Exit & portability | ✓ Standard Git plus open formats; full export on demand. | Export exists, but proprietary features don't port cleanly. |
| NIS2 / DORA | ✓ Removes the foreign-jurisdiction toolchain finding. | A foreign-jurisdiction toolchain is a recurring audit finding. |
GitHub is owned by Microsoft, a US company, so it can be subject to US legal process such as the CLOUD Act — even for data stored on European servers. The question on the form is jurisdiction, not the data centre's address.
GitHub offers EU data residency on its top Enterprise tier, but the operating company remains under US jurisdiction. BorgMark keeps both the data and the jurisdiction in the EU.
Repositories mirror in with full history; issues and pipelines come across. Move one stuck client project first, then expand — your team keeps the Git workflow it already knows.
Walled Garden starts at €15 per user per month; Sovereign Fortress is €399 per month for dedicated infrastructure. See full pricing on the homepage.
No. BorgMark runs the open-source Forgejo forge, hosted and operated in the EU — not a fork of GitHub, and not a proprietary fork you'd be stuck with.
No. Forgejo offers the same pull-request, issue and code-review workflow your team already uses on GitHub.
It can keep data in the EU, but the operator stays under US jurisdiction, so the CLOUD Act question remains. BorgMark keeps both in the EU.
Yes. Many agencies move the regulated-client projects to BorgMark first and leave the rest where they are.
Start a 14-day full-access trial on Walled Garden, or talk to us about Sovereign Fortress.