Sovereignty and data residency
This page covers the legal entity, governing law, and data path behind the “EU-only, no asterisks” claim. For the specific services that process your data, see sub-processors.
Legal entity
Section titled “Legal entity”Codebahn is operated by Hackerman AB, incorporated in Sweden. Org. nr 559079-1918. Registered address: Drakenbergsgatan 33, 412 69 Gothenburg, Sweden.
No US parent company, no US subsidiary, no US investors. The entity that signs your contract is the same entity that operates the service.
Governing law
Section titled “Governing law”Contracts are governed by Swedish law. The Data Processing Agreement follows GDPR. There is no arbitration clause routing disputes to a US jurisdiction.
Data path
Section titled “Data path”Every provider is EU-incorporated. No data leaves the EU for storage, processing, or analytics. See sub-processors for the service-by-service list with locations, providers, and retention details.
Data is encrypted in transit (TLS 1.2+, with 1.3 where supported by both endpoints) and at rest (AES-256). Server logs with IP addresses are kept for 30 days. Billing records are kept for seven years, as Swedish bookkeeping law requires.
CLOUD Act
Section titled “CLOUD Act”The US CLOUD Act compels US-incorporated companies to produce data stored abroad on US government request. Codebahn is not a US company and has no US parent. The Act does not apply.
Ticking “EU region” on a US-owned service changes the datacenter, not the legal entity that controls your data. That distinction is the point.
EU tech sovereignty
Section titled “EU tech sovereignty”The EU’s tech sovereignty agenda defines the goal: Europe should be able to develop and control its own digital infrastructure without depending on non-EU providers. Source code hosting is part of that infrastructure.
Codebahn meets that bar by construction, not by bolt-on. The entity is Swedish. The servers are French and German. The contracts are governed by EU law. There is no US parent that could be compelled under the CLOUD Act, and no acquisition path that would change that.
If your organization is evaluating providers against EU digital sovereignty requirements, the relevant facts are on this page and the sub-processors list.
What we do not have yet
Section titled “What we do not have yet”We do not hold ISO 27001 or SOC 2 Type II. If your procurement requires those signed audit reports today, we are not your vendor yet. We intend to pursue certification; we are not there now.
Related
Section titled “Related”- Sub-processors for the service-by-service list
- Export your data for the no-lock-in guarantee
- Data Processing Agreement on the main site