Codey Sovereignty: Swiss-Owned from Infrastructure to Application
Codey is VSHN's own managed Forgejo platform. Unlike GitHub (Microsoft), GitLab.com (US SaaS), or Bitbucket (Atlassian), every layer of Codey is Swiss-owned and operated: the application, the platform, the infrastructure, and the company behind it.
When you use GitHub, GitLab.com, or Bitbucket, your source code, pull requests, CI/CD pipelines, and project management data sit on US-controlled infrastructure, are governed by US law, and are accessible under the CLOUD Act without Swiss judicial process.
Codey delivers maximum sovereignty for code hosting because there is no foreign vendor in the stack. Forgejo itself is open source (MIT license), and VSHN AG is a Swiss company with Swiss shareholders. But sovereignty is more than ownership. The EU Cloud Sovereignty Framework defines eight dimensions that determine whether your provider is truly sovereign.
Why Codey achieves maximum code hosting sovereignty
Most "sovereign" code hosting options still depend on a foreign vendor somewhere in the stack — a US-owned platform, a US cloud provider, or a US parent company. Codey is different:
- Swiss-owned platform — Codey is built and operated by VSHN AG, a Swiss company
- Open-source application — Forgejo is MIT-licensed, community-governed, with no corporate parent
- Swiss infrastructure — runs on Swiss data centers (cloudscale.ch, Exoscale)
- No foreign dependencies — no US parent company, no US cloud provider, no proprietary components
- Full data portability — standard Git repositories, exportable issues and projects
Code hosting sovereignty compared
| Dimension | GitHub (Microsoft) | GitLab.com SaaS | Bitbucket (Atlassian) | Codey by VSHN |
|---|---|---|---|---|
| Ownership | Microsoft (USA) | GitLab Inc. (USA) | Atlassian (USA/Australia) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US/Australian law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Not exposed |
| Data location | USA (Azure) | USA (Google Cloud) | USA/EU (AWS) | Switzerland (cloudscale.ch, Exoscale) |
| Source code | Proprietary | Open core | Proprietary | Open source (Forgejo, MIT license) |
| Platform operator | Microsoft (USA) | GitLab Inc. (USA) | Atlassian (USA) | VSHN AG (Switzerland) |
| Operations team | USA | USA | USA/Australia | Switzerland (Swiss-only option) |
| Certifications | SOC 2, ISO 27001 | SOC 2 | SOC 2, ISO 27001 | ISO 27001, ISAE 3402 Type II |
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your code hosting
If you're hosting code on GitHub, GitLab.com, or Bitbucket and evaluating sovereign alternatives, we can assess your current setup against the EU framework and plan a migration to Codey that keeps your source code and development data under Swiss jurisdiction.