Managed Forgejo with EU data residency, cryptographic audit trail, SAML/SCIM via Authentik, HIPAA BAA-readiness, and AI training opt-out. Built for government, healthcare, finance, and legal.
Built on Forgejo, the open-source Git platform publicly backed by the Dutch government for digital sovereignty. Wrapped with enterprise SSO, immutable audit logs, and EU-resident compute.
Your repositories, CI artifacts, and metadata remain in EU jurisdiction. No data crosses to US-based cloud hyperscalers. Configurable per-namespace residency zone (EU-West, EU-Central).
Powered by Authentik (live at authentik.eliteaiempire.com). Federate with Azure AD, Okta, Google Workspace, or any SAML IdP. Auto-provision users and groups via SCIM. No manual seat management.
F9 immutable audit log captures every push, review, merge, and admin action as a tamper-evident Redis stream. Append-only by design. SOC 2 Type I control evidence ready on demand.
Your code is never used to train AI models. Per-repo BYO-LLM keys (AES-256/Fernet, HKDF-derived) let you run AI code review against your own model endpoints — Anthropic, Groq, Azure OpenAI, or on-prem.
Technical safeguards aligned to HIPAA Security Rule: encrypted at rest and in transit, access logging, minimum-necessary access controls, dedicated tenant isolation. BAA execution is a legal gate (Iskra/counsel required).
Self-hosted runners on EU compute. No per-minute billing. Full compatibility with GitHub Actions workflows. Bring your own runner labels for ARM, x64, GPU, or air-gapped environments.
Semgrep OSS + multi-model LLM review cascade (Groq, Cerebras, Gemini, Anthropic). Inline PR comments posted by a dedicated bot user. Equivalent to CodeRabbit ($24/mo), included in every paid tier.
99.9% uptime SLA. Public status page with real-time breach detection. Automatic SLA credits on breach — no ticket required. Uptime measured from the platform edge, not internal health checks.
Sovereign Git is positioned for buyers for whom data sovereignty, audit trails, and compliance posture are table stakes.
GDPR Article 44 data transfer restrictions, NIS2 security controls, sovereign-cloud mandate. Forgejo is already backed by the Dutch government (2026).
PHI-adjacent code repositories, audit logging aligned to HIPAA Security Rule Technical Safeguards, BAA-ready infrastructure posture.
SOC 2 Type I control evidence, immutable commit history for regulatory examination, segregated environments for DORA compliance.
Client data isolation, attorney-client privilege-aware access controls, conflict-of-interest repo segregation, CCPA-aligned data handling.
Air-gapped runner support, on-prem LLM via BYO-LLM keys, no vendor dependency on US hyperscalers (AWS/Azure/GCP).
GxP-adjacent audit trail, validated system documentation support, 21 CFR Part 11-aligned electronic records posture.
GitHub Enterprise and GitLab Ultimate both run on US hyperscaler infrastructure by default. EU data residency is an add-on (GitLab) or unavailable at the Enterprise tier without custom contracts (GitHub). We built sovereignty-first.
| Feature | Sovereign Git | GitHub Enterprise | GitLab Ultimate |
|---|---|---|---|
| EU Data Residency (default) | Yes | No (US default) | Add-on / custom contract |
| Open Source Core (Forgejo/Gitea) | Yes | No (proprietary) | No (proprietary) |
| No Microsoft dependency | Yes | Microsoft-owned | Yes |
| SAML 2.0 / SCIM (bundled) | Yes (Authentik) | Enterprise only (+$21/user) | Premium+ (+$29/user) |
| Cryptographic Audit Trail | Yes (append-only) | Audit log, not cryptographic | Audit log, not cryptographic |
| AI Code Review (bundled) | Yes (no add-on) | Copilot $19/user/mo add-on | Duo Pro $19/user/mo add-on |
| BYO-LLM (no training on your code) | Yes | No | No |
| HIPAA BAA-Ready | Yes (infra posture) | Enterprise + legal review | Custom contract required |
| CI/CD Unlimited Minutes | Yes (self-hosted runners) | Billed per minute | 50K min/mo then billed |
| Starting Price (per seat/mo) | $149 | $21 + $19 Copilot + $30 GHAS = $70+ | $99 + $19 Duo = $118+ |
We are honest about the difference between "infrastructure-ready" and "audit-certified." The table below shows the current state without marketing inflation.
| Framework | Status | What Is Ready | What Requires Legal Gate |
|---|---|---|---|
| GDPR | INFRA READY | EU data residency architecture, no third-country transfers by default, access logging, data minimization controls, right-to-erasure tooling | DPA (Data Processing Agreement) execution requires Iskra/legal; formal DPIA for high-risk processing |
| SOC 2 Type I | SOC2-READY* | F9 cryptographic audit trail (append-only Redis stream), Authentik access control, TLS everywhere, uptime monitoring, incident response runbooks | Formal SOC 2 Type I audit requires a licensed CPA/auditor engagement (Iskra gate). "SOC2-ready" is not the same as "SOC2-certified." |
| HIPAA | BAA-READY* | Technical safeguards (encryption at rest/transit, access logging, minimum-necessary access), dedicated tenant isolation, audit trail, BYO-LLM no-training guarantee | BAA (Business Associate Agreement) execution requires licensed legal counsel and Iskra signature. Not currently executed. |
| EU AI Act | COMPLIANT | BYO-LLM: no AI model trains on customer code. AI code review output is advisory (human-in-loop). No high-risk AI system deployment per Article 6/Annex III. | If customer uses Sovereign Git to develop high-risk AI systems, customer-side conformity assessment applies. |
| NIS2 | PARTIAL | Incident detection + response runbooks, supply-chain code audit (F1 AI review), cryptographic audit trail, multi-factor authentication via Authentik | Formal NIS2 Article 21 risk management documentation and registration with national authority (customer obligation). |
| ISO 27001 | ROADMAP | Access controls, audit logging, incident management posture | Full ISO 27001 audit and certification requires formal audit body engagement. Not on current roadmap — available via custom enterprise contract. |
We use "infrastructure-ready" and "BAA-ready" to mean: the technical controls are in place. This is meaningfully different from "certified" or "compliant."
Per-seat monthly pricing. Annual contracts available at 15% discount. Volume pricing for large procurement (50+ seats) on request.