2026-05-18 · 5 min read · sota.io Team

GitLab.com SaaS EU Alternative 2026: Delaware CLOUD Act Exposure Despite EU Subsidiary

Post #1131 in the sota.io EU CI/CD Compliance Series — EU-CI/CD-TOOLS-SERIE #2/5

GitLab is one of the most popular DevOps platforms in the world. Its open-source CE edition runs behind some of the largest development teams in Europe. But there is a critical distinction that European compliance officers often miss: GitLab CE self-hosted and GitLab.com SaaS carry fundamentally different legal risk profiles under GDPR and the US CLOUD Act.

The key fact: GitLab Inc. — the US entity that operates GitLab.com — is incorporated in Delaware and listed on the NASDAQ stock exchange (ticker: GTLB). Under 18 U.S.C. § 2713, any US company must disclose customer data to US law enforcement on demand, regardless of where that data physically resides. This applies to GitLab.com in its entirety: every source code repository, CI/CD pipeline secret, merge request, build log, and container registry image you host there is legally compellable by US authorities — without a court order being required in the EU jurisdiction where you operate.

GitLab's European structure (GitLab B.V. in Amsterdam) helps with GDPR compliance on paper — it is the contractual data processor for EU customers. But it does not eliminate the CLOUD Act risk, because the ultimate technical and corporate control remains with the US parent.


GitLab Inc. Corporate Structure Analysis

Understanding who controls GitLab.com requires mapping the corporate hierarchy carefully.

GitLab Inc. (Delaware, San Francisco HQ): Founded 2013. Initial public offering on NASDAQ: October 14, 2021 (ticker: GTLB). Market cap approximately $11 billion as of 2025. Incorporated in Delaware. This is the legal entity that operates GitLab.com and owns all intellectual property. Being a US "issuer" under the Securities Exchange Act of 1934 further anchors GitLab to US jurisdiction.

GitLab B.V. (Amsterdam, Netherlands): The EU subsidiary. Acts as the data processor under GDPR Art.28 for European customers who sign GitLab's Data Processing Addendum. GitLab B.V. issues invoices for EU customers and appears in the contractual chain, but it is a wholly-owned subsidiary of GitLab Inc. (Delaware). When US authorities subpoena GitLab under the CLOUD Act, they subpoena the parent, which fully controls the subsidiary.

GitLab GmbH (Germany): German subsidiary for sales. No independent data processing authority.

GitLab Ltd. (UK): Post-Brexit UK operations. Operates under the UK GDPR.

Key Structural Finding: GitLab B.V. being your GDPR data processor does not shield you from CLOUD Act compelled disclosure. The CLOUD Act operates at the level of the US-incorporated parent, not the contractual chain. GitLab Inc. has possession, custody, or control over the data on GitLab.com regardless of which subsidiary signed your contract — because GitLab Inc. owns and operates the infrastructure and holds the encryption keys.


GitLab.com CLOUD Act Risk Assessment

GitLab Inc. — San Francisco, California (incorporated Delaware, NASDAQ-listed)

| Dimension | Score | Detail |
|---|---|---|
| US incorporation | 5/5 | Delaware C-Corp: unambiguous "US person" under CLOUD Act |
| NASDAQ listing | 2/5 | US "issuer" status anchors full SEC/DOJ jurisdiction |
| Infrastructure | 3/5 | GitLab.com runs on Google Cloud Platform (GCP), primarily US regions |
| PRISM participation | 0/5 | Not a named PRISM participant |
| Ownership structure | 2/5 | Publicly traded, no single controlling US government shareholder |
| Legal structure | 5/5 | All subsidiaries controlled by Delaware parent |

GitLab.com SaaS CLOUD Act Score: 17/25

This score of 17/25 is slightly lower than CloudBees (18/25) because GitLab is publicly traded (somewhat more transparent) and has a stronger EU subsidiary with genuine operational presence. However, the fundamental structural risk remains: GitLab Inc. is a US person that possesses, has custody of, and controls all data on GitLab.com — making CLOUD Act compelled disclosure legally straightforward for US authorities.


What Data Does GitLab.com Hold About Your Team?

GitLab is a comprehensive DevOps platform — which means the data it holds is far more sensitive than a simple code repository:

Source Code and Intellectual Property: Every commit, branch, tag, and diff. Your entire development history. Proprietary algorithms, business logic, and architecture decisions embedded in code. Feature branches often contain unreleased product roadmaps.

CI/CD Pipeline Secrets (GitLab CI/CD Variables): API keys, database credentials, deployment tokens, cloud provider access keys (AWS_ACCESS_KEY, GCP credentials). These are encrypted in GitLab's database, but GitLab Inc. holds the encryption keys. Under a CLOUD Act subpoena, these can be decrypted and disclosed.

GDPR Art.4 Personal Data in Pipelines

Container Registry Images: Complete application images, including proprietary libraries and potentially embedded configuration. A container registry on GitLab.com is a complete snapshot of your application that could reveal business-critical architecture.

Merge Requests and Code Review Discussions: Engineering debate about product decisions, architectural trade-offs, security vulnerabilities discovered during review, and sometimes regulatory compliance discussions.


GDPR Compliance Analysis for EU Teams Using GitLab.com

Art.28 — Data Processing Agreement

GitLab B.V. (Amsterdam) acts as your data processor under Art.28. GitLab provides a Data Processing Addendum (DPA) that references GitLab B.V. as the contracting entity. This is GDPR-compliant on its face. However, the DPA explicitly acknowledges that data processing occurs on GitLab Inc.'s infrastructure — and that the parent company is the actual data controller in the cloud.

Art.44/46 — International Transfers

GitLab.com data flows to the United States (Google Cloud Platform). GitLab relies on Standard Contractual Clauses (SCCs) under GDPR Art.46(2)(c) for these transfers. Since the Schrems II ruling (2020), SCCs must be supplemented by a Transfer Impact Assessment (TIA) that evaluates US surveillance law — including the CLOUD Act.

TIA Red Flag: A proper TIA for GitLab.com must acknowledge that:

  1. GitLab Inc. is a US person subject to CLOUD Act compelled disclosure
  2. The CLOUD Act allows secret (ex-parte) orders that prevent GitLab from notifying you of disclosure
  3. US law does not provide EU data subjects with a judicial remedy equivalent to EU fundamental rights protections

Many legal teams approve SCCs for GitLab.com without adequately assessing this CLOUD Act dimension — which is a compliance gap flagged by numerous EU data protection authorities post-Schrems II.

Art.25 — Privacy by Design and CI/CD Secrets

Under Art.25, controllers must implement "data protection by design and by default." Storing CI/CD secrets (API keys, database credentials) on GitLab.com creates a structural tension with Art.25: the secrets exist in a US-controlled environment where they can be compelled without notice. The EDPB has indicated that data minimisation and purpose limitation under Art.25 should inform decisions about where sensitive operational data is stored.

Art.17 — Right to Erasure

GitLab.com maintains extensive audit logs, pipeline archives, and git history. Responding to Art.17 requests ("right to be forgotten") for developer data embedded in commit history is technically complex. GitLab's DPA acknowledges erasure obligations but notes that some data in git history may be technically difficult to fully erase — a known GDPR edge case.


GitLab Dedicated: Does It Solve the CLOUD Act Problem?

GitLab launched GitLab Dedicated in 2023 as a single-tenant SaaS offering. It addresses some concerns:

What GitLab Dedicated Offers:

What GitLab Dedicated Does NOT Solve:

GitLab Dedicated Pricing Reality: GitLab Dedicated pricing starts at approximately $99/user/month with a minimum of 50 users — that's a minimum of $4,950/month or $59,400/year for a small team. For medium-sized European engineering organisations (200+ developers), this means $19,800+/month. GitLab Dedicated does not eliminate the CLOUD Act risk — it reduces the surface area while adding substantial cost.

Verdict on GitLab Dedicated: It is a meaningful improvement for organisations that require cloud-managed CI/CD but cannot self-host. But it is not a CLOUD Act solution. For full elimination of US jurisdiction over your CI/CD data, self-hosting on EU infrastructure is the only complete answer.


NIS2 Art.21(2)(e) — Supply Chain Security and CI/CD

The EU Network and Information Security Directive 2 (NIS2), applicable since October 2024, explicitly requires essential and important entities to assess supply chain security risks (Art.21(2)(d)) and to implement security in their development environments (Art.21(2)(e)).

CI/CD pipelines represent one of the highest-risk supply chain attack vectors identified in current threat intelligence:

SolarWinds (2020): Nation-state attackers compromised the CI/CD pipeline of SolarWinds, injecting malicious code into software updates distributed to 18,000 customers — including US government agencies and Fortune 500 companies. The attack vector was the build system, not production servers.

XZ Utils (2024): A multi-year social engineering campaign targeted an open-source maintainer to embed a backdoor in the XZ compression library that ships in most Linux distributions. The attack specifically targeted the CI/CD and release pipeline.

Implications for GitLab.com Users Under NIS2: If your organisation is classified as essential or important under NIS2, your NIS2 risk assessment must include your CI/CD provider. GitLab.com's US jurisdiction creates a scenario where a US government actor could theoretically compel access to pipeline infrastructure in ways that might conflict with NIS2 incident notification obligations (Art.23). If US authorities obtain a secret (ex-parte) CLOUD Act order against GitLab Inc., you may be unable to fulfil your NIS2 Art.23 reporting duty — because you won't know about the compromise until after the CLOUD Act gag order expires.

NIS2 Art.21(2)(e) requires controls over "security in network and information systems, including vulnerability handling and disclosure." Hosting your CI/CD pipeline on infrastructure subject to secret US government compelled access is a supply chain risk that your NIS2 risk register should explicitly address.


EU-Native CI/CD Alternatives

For European teams that require zero CLOUD Act exposure on their CI/CD infrastructure, the following options provide full data sovereignty when self-hosted on EU cloud infrastructure.

Forgejo

What it is: Forgejo is a community-managed fork of Gitea, operated by the Codeberg e.V. association (Berlin, Germany). It provides a complete Git hosting platform with CI/CD (Forgejo Actions, GitHub Actions-compatible syntax), pull request workflows, container registry, and package registry.

CLOUD Act Score: 0/25 — Forgejo is open-source software with no US corporate parent. When self-hosted on Hetzner or OVH, there is no US jurisdiction over your data.

Codeberg.org (hosted Forgejo, Berlin): Free hosted version run by a German registered association. Suitable for open-source projects. For proprietary code, self-hosting is recommended.

Migration from GitLab.com: GitLab projects can be exported and imported into Forgejo via the built-in import tool. CI/CD pipelines require manual adaptation from .gitlab-ci.yml syntax to Forgejo Actions YAML format (similar to GitHub Actions).

Woodpecker CI

What it is: An open-source CI/CD system descended from Drone CI. Woodpecker CI runs as a lightweight Docker-based pipeline system. It integrates with Forgejo, Gitea, GitHub, and GitLab self-hosted.

CLOUD Act Score: 0/25 — Apache 2.0 license. No US corporate parent. Self-hostable.

Best for: Teams that want to decouple their CI/CD from their Git hosting. Woodpecker CI can be paired with any Git host (including GitLab CE self-hosted) for maximum flexibility.

Kubernetes support: Woodpecker has a Kubernetes executor for scaling CI jobs. Suitable for medium and large teams.

Concourse CI

What it is: A pipeline-as-code CI/CD system developed by VMware/Pivotal, now maintained by the community. Declarative pipeline definitions using YAML resources and tasks.

CLOUD Act Score: 0/25 — Open source (Apache 2.0). VMware sold to Broadcom, but Concourse is community-maintained and self-hosted only.

Best for: Teams that prefer immutable pipeline definitions and strong reproducibility guarantees. More opinionated than Woodpecker CI.

Drone CI (Harness Open Source)

What it is: Drone CI was the predecessor to Woodpecker CI. Harness acquired Drone in 2020 — Harness Inc. is a San Francisco (Delaware) corporation, which creates CLOUD Act exposure for the hosted Harness Cloud product. However, Drone CE (Community Edition) is open source and self-hostable without any connection to Harness Cloud.

Self-hosted Drone CE CLOUD Act Score: 0/25 — When self-hosted with no Harness Cloud integration, there is no US jurisdiction.

Caution: Do not use Harness Cloud. Use Drone CE self-hosted only.

GitLab CE Self-Hosted (The "Same Software, Different Risk Profile" Option)

The most straightforward migration from GitLab.com is to run GitLab Community Edition (CE) self-hosted on EU infrastructure. You get an identical feature set to GitLab.com Free tier, including GitLab CI/CD (not Forgejo Actions — the same .gitlab-ci.yml format), container registry, and merge request workflows.

CLOUD Act Score: 0/25 — GitLab CE is MIT-licensed. When hosted on Hetzner or OVH infrastructure under your control, GitLab Inc. has no possession, custody, or control over your data. CLOUD Act does not apply.

Note on GitLab EE: GitLab Enterprise Edition (EE) includes a proprietary license. Self-hosting EE under the open-core license is permitted for non-production use and development; commercial use requires a GitLab EE subscription. The underlying code is still operated on your infrastructure, so CLOUD Act does not apply to self-hosted EE either.


Migration Guide: GitLab.com → GitLab CE Self-Hosted on Hetzner

This is the recommended path for European teams that want to keep the GitLab CI/CD syntax they know while eliminating CLOUD Act exposure entirely.

Phase 1: Infrastructure Provisioning (Day 1-2)

Minimum recommended server: Hetzner CCX22 (4 vCPU, 16 GB RAM): €15.90/month

Recommended for 50-200 developers: Hetzner CCX32 (8 vCPU, 32 GB RAM): €29.74/month

DNS: Point your own domain (e.g., git.yourcompany.eu) at the Hetzner server.

SSL: Let's Encrypt via Certbot or GitLab's built-in Let's Encrypt integration.

Phase 2: GitLab CE Installation (Day 2)

GitLab provides official Omnibus packages for Ubuntu 22.04 LTS:

# Ubuntu 22.04 on Hetzner
curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo EXTERNAL_URL="https://git.yourcompany.eu" apt-get install gitlab-ce

# Configure (edit /etc/gitlab/gitlab.rb for SMTP, LDAP, etc.)
sudo gitlab-ctl reconfigure

The Omnibus package installs and configures PostgreSQL, Redis, NGINX, and all GitLab components as a single managed unit. No Docker orchestration required for single-server deployments.

Phase 3: Repository and Data Migration (Week 1-2)

Export from GitLab.com: GitLab.com provides a per-project export feature: Settings → General → Advanced → Export project. Each export includes the repository, wiki, issues, merge requests, CI/CD configuration, and container registry images.

Import to GitLab CE: GitLab CE's "Import project" feature supports direct GitLab export archives. For large organisations with hundreds of projects, use the GitLab Rake task for bulk import or the GL export script.

Runner Migration: GitLab CI/CD runners are registered separately. Deploy GitLab Runner on Hetzner (or your existing servers) and register against your self-hosted instance. The same .gitlab-ci.yml files work without modification.

# Install GitLab Runner (same package, different registration endpoint)
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
sudo apt-get install gitlab-runner

# Register against your self-hosted GitLab (not GitLab.com)
sudo gitlab-runner register --url https://git.yourcompany.eu --registration-token <your-token>
# On GitLab 16 and later, registration tokens are deprecated: create the runner in the
# Admin Area and register it with the runner authentication token it gives you instead:
#   sudo gitlab-runner register --url https://git.yourcompany.eu --token <glrt-runner-token>

CI/CD Variables: Re-enter your secrets directly into the self-hosted instance. Do not export secrets from GitLab.com — treat the migration as an opportunity to rotate all credentials (recommended security practice).

Phase 4: GDPR Compliance Verification (Week 2)

After migration:
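
One post-migration check for this phase, as an added example that is not part of the original post or of GitLab's own tooling: it lists the CI/CD variables of the same project on GitLab.com and on the self-hosted instance through the GitLab REST API (GET /projects/:id/variables), compares only the variable keys (values are never read out, in line with the rotate-rather-than-export advice above), and flags any variable on the new instance that is not masked or not protected. Assumptions: a personal access token with api scope for each instance and a project path such as group/app; the sample responses are constructed.

```python
"""Post-migration CI/CD variable check: added example, not from the post or GitLab.
Uses the real GitLab endpoint GET /projects/:id/variables on source and target,
compares keys only (values are never copied) and flags unmasked/unprotected ones."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# (url, token) -> parsed JSON list; injectable so the logic can run offline.
Fetch = Callable[[str, str], list]

def http_fetch(url: str, token: str) -> list:
    """Single GET authenticated with a personal access token."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_variables(base_url: str, token: str, project: str, fetch: Fetch = http_fetch) -> list:
    """CI/CD variables of `project` (numeric id or 'group/name'); per_page=100, no paging."""
    pid = urllib.parse.quote(project, safe="")
    return fetch(f"{base_url}/api/v4/projects/{pid}/variables?per_page=100", token)

def inventory(variables: list) -> Dict[str, dict]:
    """Map 'KEY@scope' -> masked/protected flags; the value field is dropped."""
    return {
        f"{v['key']}@{v.get('environment_scope', '*')}": {
            "masked": bool(v.get("masked")),
            "protected": bool(v.get("protected")),
        }
        for v in variables
    }

def verify_migration(source_vars: list, target_vars: list) -> Dict[str, List[str]]:
    """Keys still missing on the target, plus target keys that are not masked
    (would appear in job logs) or not protected (usable from any branch)."""
    src, dst = inventory(source_vars), inventory(target_vars)
    return {
        "missing": sorted(k for k in src if k not in dst),
        "unmasked": sorted(k for k, f in dst.items() if not f["masked"]),
        "unprotected": sorted(k for k, f in dst.items() if not f["protected"]),
    }

# Constructed sample data standing in for the two API responses (no real values).
SAMPLE_SOURCE = [
    {"key": "AWS_ACCESS_KEY", "masked": True, "protected": True, "environment_scope": "*"},
    {"key": "DB_PASSWORD", "masked": True, "protected": True, "environment_scope": "prod"},
    {"key": "DEPLOY_TOKEN", "masked": True, "protected": False, "environment_scope": "*"},
]
SAMPLE_TARGET = [
    {"key": "AWS_ACCESS_KEY", "masked": True, "protected": True, "environment_scope": "*"},
    {"key": "DEPLOY_TOKEN", "masked": False, "protected": False, "environment_scope": "*"},
]

if __name__ == "__main__":
    # Live use: call list_variables() against https://gitlab.com and against your
    # self-hosted URL with the respective tokens, then pass both lists here.
    print(json.dumps(verify_migration(SAMPLE_SOURCE, SAMPLE_TARGET), indent=2))
```

Once every key reports present, masked and protected on the self-hosted instance, delete the variables on GitLab.com and revoke the old credentials at their issuers.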


Cost Comparison: GitLab.com vs Self-Hosted vs Alternatives

| Option | Price | CLOUD Act Score | GDPR Status |
|---|---|---|---|
| GitLab.com Free | €0/mo | 17/25 | High risk: SCCs required, TIA gap |
| GitLab.com Premium | $19/user/mo | 17/25 | High risk: same jurisdiction |
| GitLab Dedicated | $99/user/mo (min 50 users) | 14/25 | Reduced risk: still Delaware parent |
| GitLab CE self-hosted (Hetzner CCX22) | ~€20/mo total | 0/25 | GDPR-compliant, no CLOUD Act |
| GitLab EE self-hosted (with EE license) | $19/user/mo + ~€20/mo infra | 0/25 | GDPR-compliant, no CLOUD Act |
| Forgejo + Woodpecker CI (Hetzner CX22) | ~€5/mo total | 0/25 | GDPR-compliant, no CLOUD Act |

ROI for a 20-person engineering team:


What About the EUCS (EU Cloud Certification Scheme)?

The EU Cybersecurity Act's Cloud Certification Scheme (EUCS) is currently under development by ENISA. Early drafts included a "sovereignty" requirement that would effectively bar US hyperscalers (and US-controlled SaaS like GitLab.com) from the highest EUCS assurance levels. The final scheme is expected in late 2026.

For regulated European sectors (banking under DORA, government under NIS2, healthcare under MDR) that will be required to use EUCS-certified providers, GitLab.com's Delaware parent structure represents a structural compliance gap that cannot be addressed by contractual measures alone.

Self-hosted GitLab CE on EU infrastructure — or EU-native alternatives like Forgejo — will be positioned to support EUCS compliance in a way that GitLab.com SaaS structurally cannot.


Decision Matrix: Which GitLab Option Is Right for Your Team?

| Criterion | GitLab.com Free | GitLab.com Premium | GitLab Dedicated | GitLab CE Self-Hosted | Forgejo + Woodpecker |
|---|---|---|---|---|---|
| CLOUD Act risk | HIGH | HIGH | MEDIUM | NONE | NONE |
| GDPR compliance complexity | High | High | Medium | Low | Low |
| Management overhead | None | None | None | Medium | Medium |
| Cost for 20 users/month | €0 | $380 | N/A (min 50) | ~€20 | ~€5 |
| GitLab CI/CD syntax | Yes | Yes | Yes | Yes | No (Forgejo Actions) |
| Container registry | Yes | Yes | Yes | Yes | Yes |
| NIS2 supply chain risk | HIGH | HIGH | MEDIUM | LOW | LOW |
| EUCS-ready (projected 2026) | No | No | Unlikely | Yes | Yes |

Startups and small teams (≤20 developers): GitLab CE self-hosted on Hetzner CX22 or CCX22. For about €20/month this eliminates the 17/25 CLOUD Act exposure entirely and provides the same feature set as GitLab.com Free. Migration takes 1-2 days with the official export/import tooling.

Mid-sized teams (20-100 developers): GitLab CE self-hosted on Hetzner CCX32 with dedicated runners. ~€50/month total for servers. Consider GitLab EE self-hosted for premium features (SAML SSO, advanced security scanning, compliance dashboards) at the standard per-user price — but without GitLab Inc. holding your data.

Organisations bound by NIS2 or DORA: Self-hosted GitLab CE/EE or Forgejo on EU infrastructure. The supply chain security risk of GitLab.com (US government compelled access to pipeline secrets without notice) is a material risk for NIS2/DORA compliance frameworks. Document this decision in your risk register.

Teams wanting zero operational overhead: If self-hosting is not operationally feasible, GitLab Dedicated reduces the risk surface (single-tenant, EU AWS regions) while keeping managed infrastructure. Accept the residual CLOUD Act risk (Delaware parent) and document it as a known, accepted risk in your GDPR record of processing activities. Do NOT use this option for highly sensitive IP or regulated personal data.


Conclusion

GitLab is an excellent DevSecOps platform — but the GitLab.com SaaS product carries a 17/25 CLOUD Act risk score that European compliance officers cannot ignore. GitLab Inc.'s Delaware incorporation means US authorities can compel disclosure of all GitLab.com data (repositories, CI secrets, pipeline logs, container images) without an EU court order and potentially without notifying you.

GitLab Dedicated reduces but does not eliminate this risk. Only self-hosting GitLab CE on EU infrastructure — or migrating to EU-native alternatives like Forgejo and Woodpecker CI — provides complete legal separation from US jurisdiction.

The good news: the migration from GitLab.com to self-hosted GitLab CE is technically straightforward, preserves 100% of your CI/CD pipeline syntax, and reduces costs by 90%+ for most teams. The CLOUD Act compliance win is essentially free.


Running EU-compliant CI/CD on sota.io: sota.io provides EU-sovereign container and application deployment on servers located in Germany (Hetzner) — ideal as the deployment target for CI/CD pipelines you've already migrated to self-hosted GitLab CE or Woodpecker CI. All data stays in the EU, all infrastructure is EU-controlled.

Next in this series: Azure DevOps EU Alternative 2026 — Microsoft CLOUD Act risk for enterprise CI/CD teams.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.