Architecture & sovereignty

Singulr ASBL operates a managed Git forge built on Forgejo, from Belgium under Belgian law, as the first building block of a European digital commons — alongside code.overheid.nl, opencode.de and code.europa.eu. This page documents the technical architecture, the physical hosting and the legal commitments.

  • 100%: European infrastructure and law
  • BE: Belgian law applies
  • 0: CLOUD Act · FISA 702

Technical stack

Singulr's infrastructure is built entirely on documented, auditable open-source components. No dependency on a proprietary vendor, no closed extension, no technical lock-in.

  • Forge engine: Forgejo 15.x LTS, under the GPL v3+ licence. Forgejo is a community fork of Gitea, maintained by Codeberg e.V. (Germany), with open governance and a public roadmap.
  • Database: PostgreSQL 17, under the PostgreSQL licence (BSD-equivalent).
  • Reverse proxy & TLS: Caddy 2, under the Apache 2.0 licence. Let's Encrypt certificates renewed automatically. HTTP/2 and HTTP/3 active.
  • Host operating system: Ubuntu 26.04 LTS, with unattended security updates enabled.
  • Containerisation: Docker Compose for orchestrating the application services. Persistent data on dedicated volumes, fully backed up and reproducible.

The entire stack can be reproduced identically on a third-party infrastructure. No component is proprietary to Singulr.

Joining the European sovereign federation

The European public sector is already building its sovereign forges, on a variety of free-software foundations:

  • code.overheid.nl (Netherlands), soft launch April 2026, for the Dutch administrations — on Forgejo;
  • opencode.de (Germany), for the German public sector — on GitLab (ZenDiS);
  • code.europa.eu (European Union), for the institutions of the Union — on GitLab.

Different Git engines (Forgejo, GitLab), one shared requirement: code hosted under European jurisdiction and under control. Singulr chose Forgejo (a community fork of Gitea under the GPL v3+ licence, supported by Codeberg e.V.) and operates this foundation for the private, non-profit and local organisations that these public initiatives do not cover. Sovereignty is defined by jurisdiction and control, not by the choice of a specific Git engine.

Physical hosting

Singulr's production servers are hosted in Belgium, at Behostings (Diogenius SPRL), in the InterXion BRU1 (Zaventem) and BRU3 (Nossegem) datacenters, in the Brussels region.

The choice of a Belgian host is not incidental. It guarantees that the physical machines on which the Singulr services run are subject to Belgian and European law, without the extraterritorial application of a third-party law.

Backups

Daily backups are encrypted client-side with restic (AES-256), then stored on a Hetzner Storage Box located in Germany (Falkenstein datacenter). The decryption key remains under Singulr's exclusive control. Hetzner, as cold storage, has no access to the data in the clear.

Retention policy: 7 daily backups, 4 weekly, 12 monthly. Restores tested periodically.
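
To see which restore points a 7 daily / 4 weekly / 12 monthly policy actually leaves, the following added example (not Singulr's code) models the keep-newest-snapshot-per-period behaviour of restic's --keep-daily, --keep-weekly and --keep-monthly options. It is a simplified model: one backup per day with no gaps is assumed, the reference date is constructed, and the page does not state the exact commands Singulr runs.

```python
from datetime import date, timedelta

POLICY = {"daily": 7, "weekly": 4, "monthly": 12}  # counts stated on the page

# Period key per tier: calendar day, ISO (year, week), calendar (year, month).
PERIOD = {
    "daily": lambda d: d,
    "weekly": lambda d: d.isocalendar()[:2],
    "monthly": lambda d: (d.year, d.month),
}

def retained(snapshot_dates, policy=POLICY):
    """Map each kept date to the tiers keeping it (newest per period wins)."""
    kept = {}
    for tier, count in policy.items():
        seen = []
        for d in sorted(set(snapshot_dates), reverse=True):
            key = PERIOD[tier](d)
            if key in seen:
                continue          # a newer snapshot already covers this period
            if len(seen) == count:
                break             # tier is full; older periods are dropped
            seen.append(key)
            kept.setdefault(d, []).append(tier)
    return kept

def restore_points(today, history_days=400, policy=POLICY):
    """Kept dates, oldest first, after `history_days` of one backup per day."""
    dates = [today - timedelta(days=n) for n in range(history_days)]
    return sorted(retained(dates, policy))

# Constructed reference date, not taken from the page.
TODAY = date(2026, 6, 30)

if __name__ == "__main__":
    points = restore_points(TODAY)
    print(len(points), "restore points, oldest", points[0])
    for older, newer in zip(points, points[1:]):
        print(older, "gap to next:", (newer - older).days, "days")
```

Because the tiers overlap, the policy yields fewer than 7 + 4 + 12 distinct snapshots, and the spacing between restore points widens from one day to a full month as they age.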

Monitoring

Service availability is monitored from within the European Union by Better Stack (Czech Republic). The probes check the production domains every three minutes. Alerts are sent by email and mobile notification.

Operational security

Transport

All incoming traffic is encrypted in TLS 1.2 or 1.3. HSTS enabled with max-age=63072000 (two years) and includeSubDomains. No unencrypted port is exposed.

Authentication & access protection

Password authentication with modern hashing (bcrypt). SSH keys supported for access to Git repositories. Failed authentication attempts monitored by fail2ban with automatic banning beyond a configured threshold.

Response headers

The standard HTTP security headers are applied: Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, a restrictive Permissions-Policy. The Server header is hidden.
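
An organisation evaluating the service can check a response against the header and HSTS values stated in the Transport and Response headers sections. The following is an added example, not Singulr's tooling: the function names and the sample header sets are constructed for illustration, and because the page does not give the Permissions-Policy value, only its presence is checked.

```python
MIN_HSTS_MAX_AGE = 63072000  # two years, the value stated on the page
EXPECTED = {"x-content-type-options": "nosniff",
            "x-frame-options": "SAMEORIGIN",
            "referrer-policy": "strict-origin-when-cross-origin"}

def parse_hsts(value):
    """Return (max_age or None, set of lower-cased flag directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdecimal() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit_headers(headers):
    """List deviations of one response's headers from the documented policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing strict-transport-security")
    else:
        max_age, flags = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too low: {max_age}")
        if "includesubdomains" not in flags:
            findings.append("HSTS lacks includeSubDomains")
    for name, want in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() != want.lower():
            findings.append(f"{name}: got {h[name]!r}, expected {want!r}")
    if not h.get("permissions-policy"):  # value not given on the page
        findings.append("missing permissions-policy")
    if "server" in h:  # the page states the Server header is hidden
        findings.append(f"server header exposed: {h['server']!r}")
    return findings

# Constructed sample header sets, not captured from any real host.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
BAD = {"strict-transport-security": "max-age=31536000",
       "X-Frame-Options": "DENY", "Server": "Caddy"}

if __name__ == "__main__":
    print(audit_headers(GOOD), audit_headers(BAD), sep="\n")
```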

Updates

The host operating system automatically applies unattended security updates. The versions of Forgejo, PostgreSQL and Caddy are actively tracked, with security patches deployed within timeframes documented in the SLA applicable to the subscribed plan.

Continuity

Service continuity relies on three independent layers:

  1. Daily encrypted backups, stored with a provider distinct from the primary hosting provider (Hetzner Germany vs Behostings Belgium), with multi-tier retention.
  2. External monitoring of application availability by a third-party provider (Better Stack), independent of both the primary hosting provider and the backup provider, with real-time alerts.
  3. Documented restore procedure, tested, allowing the complete reconstruction of a Singulr service on fresh infrastructure from the backups alone.

In the event of a failure of the primary hosting provider, the service can be rebuilt at a third-party Belgian or European provider from the backups, without dependency on a proprietary software vendor.

What Singulr does not currently offer

Out of honesty towards organisations evaluating the solution, here are the features that are not part of the Singulr scope as of the publication date of this page:

  • No integrated continuous integration and deployment (CI/CD) service. Forgejo Actions is available but requires a dedicated runner, not included by default in the Cloud plans.
  • No hosted Docker or OCI registry.
  • No hosted package management service (npm, Maven, PyPI).
  • No client-side encryption of the Git repositories themselves. TLS encryption protects transport; AES-256 encryption protects backups. Repositories at rest on the primary server are not encrypted on the Singulr side (they may be at disk level depending on the host's configuration).
  • No contractual SLA on free or evaluation plans. SLAs are attached to paid plans.

These points may evolve. Singulr prefers not to announce a speculative roadmap, and to document each addition at the time it goes into production.

European sovereign ecosystem

Singulr covers the Git forge building block. A complete infrastructure requires other blocks: managed database, object storage, compute, CDN, observability, transactional email. European sovereign providers exist for each of these blocks.

This list documents, as of the publication date, that a 100% sovereign European stack can technically be assembled today. Singulr neither resells nor operates these services and has no commercial link with these providers.

  • Managed databases and compute: Scaleway (French SAS, Paris), Clever Cloud (French SAS, Nantes), OVHcloud (French SAS, Roubaix).
  • Storage, servers and infrastructure: Hetzner (German GmbH, Gunzenhausen, datacenters in Germany and Finland), Infomaniak (Swiss SA, Geneva, control transferred on 13 May 2026 to a Swiss public-interest foundation to guarantee non-transferability).
  • Transactional and marketing email: Brevo (French SAS, Paris), Mailjet (French SAS, Paris).

The criterion used for this list: registered office in Europe (EU or Switzerland), European jurisdiction applicable to contracts, physical infrastructure located in Europe. Solutions operating on top of an American hyperscaler infrastructure (AWS, GCP, Azure) are not listed here, as their status under the CLOUD Act and FISA 702 is not equivalent.

Technical contact

Technical questions relating to the architecture, the security commitments, or the terms of migration from a third-party provider can be addressed to contact@singulr.be.

A technical scoping call can be arranged on request, without commitment.