01 Data residency
✓ Repositories, artifacts and build logs are stored in EU data centres only, in a region named in your contract. No replication to non-EU regions.
02 Jurisdiction
✓ BorgMark is operated by an EU company with no US parent, so US legal process such as the CLOUD Act does not reach your code. Access happens only under EU legal process.
03 Sub-processors
✓ A short, EU-based sub-processor list is published and versioned, so every change is visible and reviewable.
04 Audit logs
✓ Administrative and access events are logged and exportable, so your client's auditor can review who did what, and when.
05 Open-source core
✓ BorgMark runs the open-source Forgejo forge — reviewable, not a black box — so security claims can be independently verified.
06 Incident response
✓ If a security incident affects your data, we notify you without undue delay, in line with GDPR breach-notification timelines.
07 Portability & exit
✓ Standard Git plus open formats means a full export on demand. Your exit cost is a clone, not a renegotiation.