Hosted Forgejo with CI/CD built in. No VPS to bring, none to babysit. The Git platform you can put in a bank's security questionnaire.
Banks, insurers and energy operators are pushing jurisdiction questions down to their suppliers. As their agency, that question lands on your desk — and "it's on GitHub" is no longer an answer that passes.
EU case law put thousands of organisations using US-controlled tooling into an unclear position on lawful data transfer. Your clients' lawyers know this.
US-parented providers can be compelled to hand over data even when it sits on European disks. Jurisdiction, not server location, is the real question.
Regulated clients must account for their suppliers' security posture. Your toolchain is part of their attack surface — and their audit.
BorgMark is hosted Forgejo with the parts agencies actually need bolted in — so you adopt it in an afternoon, not a quarter.
The open-source Git forge your team already knows. Pull requests, issues, code review, mirroring — nothing to relearn.
Build runners are included and managed. No Hetzner box to provision, patch, or explain in an audit. Push, and it runs.
Repositories, artifacts and logs stay on EU infrastructure under EU jurisdiction. A location you can name in a contract.
Standard Git underneath and an open-source core mean your exit is a clone away. Auditable, not a black box.
Mirror in from GitHub or GitLab with history, issues and CI intact. Move one client project, or all of them.
SAML/OIDC sign-in and hard org boundaries, so each client's code stays walled off — the way their security team expects.
Source, runners, artifacts and logs all stay on EU infrastructure. There's no hidden hop to a US region, and nothing for you to wire up to make that true.
The actual line items that stall agency deals with regulated clients — and what BorgMark lets you write in the box.
Small agencies moving their first regulated client off GitHub.
Multiple regulated clients, isolated per org, SSO across the team.
Named region, contractual SLAs, audit support for DORA/NIS2 scope.
Yes — the open-source Forgejo forge, hosted and operated by us in the EU, with managed CI runners and the agency-grade access controls bolted on. No proprietary fork you'd be stuck with.
Yes. Repos mirror in with full history; issues and pipelines come across. You can move a single stuck client project first and expand from there.
On EU infrastructure, in a region we name in your contract. No replication to non-EU regions, and the build pipeline runs in the same jurisdiction.
Only under EU legal process. There's no US parent company, so the US CLOUD Act doesn't reach it — which is the point you can put in writing for clients.
It removes a recurring finding: an externally controlled toolchain under foreign jurisdiction. It's not a certificate by itself, but it's an answer your client's auditor accepts.
Standard Git plus open formats means a full export on demand. Your exit cost is a clone, not a renegotiation.
We're onboarding a small group of agencies first. Bring the client deal that's stuck on the security review — that's the one we want to unblock.