fremforge Product Privacy Notice
Author: fremverk
Last updated: 2026-05-25
Version: 1.10, effective 2026-05-25 (first published as v1.0 on 2026-04-25; full revision history in the Change log below)
This notice supersedes the pre-launch marketing privacy policy for users of the hosted fremforge product at frem.sh. The marketing-site policy continues to cover visitors to www.frem.sh during and after launch.
1. Who this notice is for #
This privacy notice applies to you if you use the hosted fremforge product — that is, if you sign in to an organisation at frem.sh/<org> as a member, administrator, or owner, or if you use the public REST API at frem.sh/_app/api/v1/* as an authenticated user or via a registered agent.
Visitors to www.frem.sh, docs.frem.sh, and status.frem.sh are covered by the separate marketing-site privacy policy. Those sites are anonymous, cookie-free, and collect no personal data beyond server-access logs needed for edge delivery.
Anonymous visitors to public-docs wikis. If a tenant has opted in to anonymous public read of a repository wiki at frem.sh/<org>/<repo>/wiki[/...] (see Develop → Wiki and public docs), unauthenticated visitors to that surface are subject to this notice for the server-access logging only — no cookies are set, no authentication is required, no profiling is performed. Server-access logs capture IP, user-agent, requested path, and response status as part of normal edge-delivery telemetry; retention is the same as the §6 operational-logs retention (30 days hot, 3 years archive). The wiki content itself is published by the tenant Customer under their own determination of legal basis (typically legitimate-interest in publishing technical documentation); fremverk acts as hosting service provider under the DSA for that content. Custom CSS embedded by the tenant Customer in the wiki may include external-URL references (e.g. background-image: url(...)) — the tenant Customer is responsible for the privacy implications of any external URLs they reference; fremverk does not sanitise such references and does not control the third parties they reach.
2. Data controller and privacy contact #
fremverk ApS
CVR: 39150689
Ringager 4C, 2. tv, 2605 Brøndby, Denmark
Email: compliance@frem.sh
fremforge is a product brand of fremverk ApS. fremverk ApS is the legal and GDPR-responsible entity for all personal data processed in connection with the fremforge product.
Your organisation (the tenant) is the data controller for repository content, issues, pull requests, CI logs, and member activity produced within its organisation. fremverk ApS processes that data as a processor under the Data Processing Agreement (DPA) signed with the tenant at signup.
fremverk ApS is the data controller for account data, billing data, authentication metadata, audit logs, and other operational data required to run the fremforge service.
Data Protection Officer #
fremverk ApS is not required to designate a Data Protection Officer under GDPR Art. 37, because its core activities do not involve (a) processing by a public authority, (b) large-scale regular and systematic monitoring of data subjects, or (c) large-scale processing of special-category or criminal-offence data. This assessment is reviewed annually or when material changes to the Service are made.
The privacy contact for all data-protection questions, data-subject requests under GDPR Chapter III, and supervisory-authority liaison is compliance@frem.sh, routed to the data-protection-responsible partner at fremverk ApS. This mailbox is the functional equivalent of a DPO contact for the purposes of data-subject communications.
If, following review, a DPO designation becomes required, fremverk will update this notice with the DPO’s name and contact details.
fremverk maintains a record of processing activities (ROPA) under GDPR Art. 30. The ROPA is reviewed annually and is available to the Danish supervisory authority on request.
3. What we process, why, and on what legal basis #
3.1 Account and authentication #
- What: email address, display name, password hash (if local auth is used), OIDC/SAML subject identifiers and claims mapped from your identity provider, TOTP secret (if 2FA is enabled), recovery codes (stored as bcrypt hashes; the original code is shown to the user once at generation and is never reversibly stored), session and API token identifiers, user-agent and IP of authentication events.
- Why: to authenticate you and enforce the access model (per-org session binding, SSO enforcement, SSH authorization via your IdP session).
- Legal basis — where fremverk ApS is controller of this account data (the authentication record itself and its operational metadata): contractual necessity under the agreement between fremverk ApS and your organisation (GDPR Art. 6(1)(b)) together with the legitimate interest (Art. 6(1)(f)) of maintaining access control and security of the Service. Your organisation remains the controller of its relationship with you as a user of its instance; its own legal basis (typically employment contract or a user-facing terms of service) applies to its processing of your data via fremforge, and fremverk ApS processes on its documented instructions per the DPA.
3.2 Repository and collaboration content #
- What: repositories, commits, issues, pull requests, comments, labels, wiki pages, releases, package registry artifacts, CI workflow definitions, CI run logs, webhook delivery records, audit log entries, SLSA provenance attestations.
- Why: because that is the product — a Git forge with CI/CD.
- Legal basis: contractual necessity under the tenant’s DPA. The tenant is the controller of this content; fremverk ApS is the processor.
3.3 Billing and commercial data #
- What: organisation name, legal entity, VAT number, billing contact, billing address, payment method (via Mollie; fremverk ApS never sees raw card data), seat count history, invoice records.
- Why: to invoice the tenant and comply with Danish bookkeeping obligations.
- Legal basis: contractual necessity (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for invoice retention.
3.4 Operational and security logs #
- What: authentication events, admin-UI actions, API calls, policy enforcement decisions (push protection blocks, rate-limit hits, SSRF-filter rejections), infrastructure-level logs (T Cloud CES/LTS, T Cloud APIG access logs, runner controller).
- Why: to operate the service securely, respond to incidents, and produce the audit-log export the tenant admin can pull on demand.
- Legal basis: legitimate interest (Art. 6(1)(f)) of fremverk ApS in maintaining service security and integrity; contractual necessity for audit-log availability to the tenant.
3.5 Cookies and local state #
We set four strictly-necessary cookies on the authenticated product surface. No non-essential cookies. No analytics. No consent banner required under ePrivacy Directive Art. 5(3). Full inventory:
| Cookie | Purpose | Class | First-party | Lifetime |
|---|---|---|---|---|
| session | Forgejo session state (authenticated login; cookie name on Forgejo 15+, previously i_like_gitea) | Strictly necessary | Yes | Session |
| _csrf | CSRF token | Strictly necessary | Yes | Session |
| lang | Language preference, user-triggered | Strictly necessary | Yes | 1 year |
| fremforge middleware session | Per-org session binding (see trust page) | Strictly necessary | Yes | 8h rolling |
www.frem.sh, docs.frem.sh, and status.frem.sh set zero cookies and contact no third-party operators. (The authenticated product surface at frem.sh and the status page each load brand fonts from https://www.frem.sh/fonts/ — same legal entity, same Bunny pull-zone, served from EU-only edges. No external CDN, no fonts.googleapis.com or equivalent. Per ePrivacy Article 5(3) this is not a third-party trace; per GDPR sub-processor disclosure, www.frem.sh is fremverk’s own surface, listed in DPA Annex B as part of the Bunny CDN sub-processor entry.)
Browser localStorage may hold UI preferences (theme, table density) set only in response to your explicit action in the admin UI. Never used for analytics, advertising, or cross-site tracking.
3.6 Support correspondence — split by channel #
(a) Tenant support@frem.sh tickets: fremverk acts as processor on the Customer’s behalf for any personal data embedded in ticket bodies. Lawful basis (Customer side): performance of contract with the data subject or legitimate interest. Retention: 12 months from ticket closure.
(b) abuse@frem.sh reports under DSA Art. 16: fremverk acts as controller. Lawful basis: legal obligation (Regulation (EU) 2022/2065 — Digital Services Act). Retention: 5 years (DSA Art. 24 transparency-reporting horizon).
(c) security@frem.sh vulnerability reports: fremverk acts as controller. Lawful basis: legitimate interest in platform security (Art. 6(1)(f) GDPR, balancing test documented in fremverk’s ROPA). Retention: 24 months from report acknowledgement, or longer where actively used in defensive analysis.
3.7 Customer-configured AI processing #
If the Customer (the tenant admin) configures one or more AI vendors at Organisation admin → AI integrations, parts of repository content, pull-request diffs, issue text, and review prompts that you author may be sent through fremverk’s API to that AI vendor for processing. The AI vendor is chosen by the Customer, contracted directly between the Customer and the vendor, and is the Customer’s own processor, not a fremverk sub-processor (DPA Annex B §B.8).
What this means for you as a data subject:
- The Customer decides whether AI processing is enabled, which vendor (e.g. OpenAI, Anthropic, Google Vertex), and what prompts are sent.
- The Customer may choose a vendor incorporated outside the EU/EEA (including US-incorporated vendors); jurisdictional exposure of that processing is governed by the Customer’s own contract with the vendor, not by fremverk’s DPA.
- Prompts and responses transit fremverk’s API for routing and for emitting an audit-trail record only; fremverk does not retain the prompt or response body beyond the request lifecycle. The audit-trail record captures the call (timestamp, actor, vendor identifier, prompt length and response length) but not the prompt or response body.
- fremverk’s commitment in AUP §3.7 (no training on Customer Content) applies to fremverk and its appointed sub-processors. It does not bind the Customer’s chosen AI vendor — the Customer is responsible for ensuring its chosen vendor’s terms align with the Customer’s own AI-training-data posture.
- If you want to know whether your tenant has AI processing enabled and which vendor, ask your tenant admin or contact fremverk per §15.
4. Where the data is processed #
| Surface | Processor | Region |
|---|---|---|
| Forgejo UI, Git, API, package registry, CI runners | T Cloud (Deutsche Telekom) | eu-de (Biere/Magdeburg, DE) |
| Marketing, docs, status | Bunny CDN | EU PoPs only |
| Outbound transactional email (magic-links, password resets, system notifications, billing) | Lettermint B.V. | Zwolle, Netherlands |
| Inbound shared-mailbox correspondence (support@, abuse@, etc.) | Heinlein Hosting GmbH (mailbox.org) | Berlin, Germany |
| Payments | Mollie | Netherlands |
| Billing engine | fremforge in-monolith engine (self-hosted by fremverk) | eu-de (T Cloud) |
| Invoice issuance and 5-year statutory retention of invoice bilag under Bogføringsloven §10 (receives org legal name, billing-contact email, VAT number, invoice line items, and Mollie payment-id reference; no repository content, no audit-log content, no PAN) | Visma Dinero | Denmark |
Every processing surface is operated by entities with no US parent. Full sub-processor list, including each sub-processor’s certifications, is maintained on the trust page.
5. CLOUD Act / US extraterritorial-law posture #
fremforge has no CLOUD Act exposure on any processing path. All Customer Personal Data — repositories, CI runs, audit logs, authentication, billing, payment-instrument data, outbound transactional email, and inbound shared-mailbox correspondence — is processed by entities with no US parent: Deutsche Telekom AG inside Germany, Heinlein Hosting GmbH inside Germany, Mollie B.V. in the Netherlands, Lettermint B.V. in the Netherlands, and Bunny CDN at EU edge PoPs only.
fremverk ApS is a Danish entity. Neither fremverk ApS nor any of its sub-processors is subject to the US CLOUD Act, Foreign Intelligence Surveillance Act, Executive Order 12333, or related US compelled-disclosure statutes. See DPA §11.3 for the full posture, including the card-network caveat on the card-payment path (Visa Inc. US parent) disclosed under Mollie in §8.
Schrems II transfer assessment: not applicable. No Customer Personal Data is transferred outside the EEA on any processing path.
6. Retention #
- Account data: for the lifetime of your active membership in a fremforge organisation. Deleted within 30 days of your removal from all organisations, subject to any legal-hold obligations.
- Repository and collaboration content: for the lifetime of the tenant’s subscription. On tenant offboarding, retained for 60 days to allow full export (Terms §16.5), hard-deleted from primary storage within 30 days thereafter, and purged from live-tier backup stores within a further 30 days (DPA §9). Total time from termination to live-tier backup-purge completion is up to 120 days. Disaster-recovery tier: in addition to the live-tier retention above, fremverk holds a separate DR-tier of monthly snapshots with 13-month retention (DPA Annex A.9) for catastrophic-recovery scenarios; these snapshots are sealed, fremverk-side-only, and used only to restore the platform after a catastrophic failure. Personal data inside DR-tier snapshots is purged on the rolling 13-month schedule independent of tenant offboarding.
- Operational logs (HTTP, runner, infrastructure): 30 days hot, 3 years immutable archive.
- Authentication and security audit events: queryable hot tier per tenant choice (90 / 180 / 365 / 730 days; default 90 — enterprise plans default 365); 3 years immutable archive (hash chain only — payload redacted after the hot-tier cutoff). Tenant admins on enterprise plans set the hot-tier window at Authentication policy → Audit log retention. Data-subject access requests against a row past the hot-tier cutoff return the redacted record (chain hashes remain verifiable).
- Billing records: 5 years per Bogføringsloven.
- Closed support tickets: 12 months.
- DSA abuse reports: 5 years (DSA Art. 24).
- Audit-log exports initiated by the tenant: 7 days in the signed OBS bucket from which the tenant downloads, then purged.
- Waitlist data (legacy from pre-launch): purged at launch + 90 days, or earlier on request.
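The two-tier audit-log retention above (and the tamper-evident hash chain in §9) relies on one property: each chain link must commit to the event body by hash rather than embed it, so the body can be redacted at the hot-tier cutoff while the chain, and the anchor written to WORM storage, still verify. The following is an added illustration written for this notice, not fremforge's own audit-log code; the field layout (seq, ts, actor, payload hash, previous hash), the cutoff-by-sequence-number redaction, and the sample events are all assumptions made for the example.

```python
"""Hash-chained audit log with payload redaction: added example, not fremforge's code."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_HASH = "0" * 64  # the chain starts from a fixed all-zero predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic JSON so the same object always hashes to the same value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    seq: int
    ts: str
    actor: str
    payload_hash: str          # commitment to the event body
    prev_hash: str             # entry_hash of the previous entry
    entry_hash: str            # hash over (seq, ts, actor, payload_hash, prev_hash)
    payload: Optional[dict]    # None once the body has been redacted


def entry_hash_for(seq: int, ts: str, actor: str, payload_hash: str, prev_hash: str) -> str:
    header = {"seq": seq, "ts": ts, "actor": actor, "payload_hash": payload_hash, "prev": prev_hash}
    return sha256_hex(canonical(header))


def append(log: list[Entry], ts: str, actor: str, payload: dict) -> Entry:
    prev = log[-1].entry_hash if log else GENESIS_HASH
    seq = len(log)
    payload_hash = sha256_hex(canonical(payload))
    entry = Entry(seq, ts, actor, payload_hash, prev,
                  entry_hash_for(seq, ts, actor, payload_hash, prev), payload)
    log.append(entry)
    return entry


def redact_before(log: list[Entry], cutoff_seq: int) -> int:
    """Drop payload bodies for entries older than the cutoff; the commitment hash stays."""
    n = 0
    for e in log:
        if e.seq < cutoff_seq and e.payload is not None:
            e.payload = None
            n += 1
    return n


def verify(log: list[Entry]) -> tuple[bool, str]:
    """Walk the chain; redacted rows are checked by header hash only, live rows also by body."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        if e.seq != i:
            return False, f"sequence gap at {i}"
        if e.prev_hash != prev:
            return False, f"prev-hash mismatch at {i}"
        if e.payload is not None and sha256_hex(canonical(e.payload)) != e.payload_hash:
            return False, f"payload does not match its commitment at {i}"
        if entry_hash_for(e.seq, e.ts, e.actor, e.payload_hash, e.prev_hash) != e.entry_hash:
            return False, f"entry hash mismatch at {i}"
        prev = e.entry_hash
    return True, "ok"


def head_hash(log: list[Entry]) -> str:
    """The value to anchor externally (e.g. in WORM storage): it commits to the whole chain."""
    return log[-1].entry_hash if log else GENESIS_HASH


def build_sample_log() -> list[Entry]:
    # Constructed sample events for the example, not real fremforge audit data.
    log: list[Entry] = []
    append(log, "2026-05-01T08:00:00Z", "alice", {"event": "login", "ip": "203.0.113.7"})
    append(log, "2026-05-01T08:05:00Z", "alice", {"event": "push_protection_block", "repo": "acme/api"})
    append(log, "2026-05-02T09:00:00Z", "agent:42", {"event": "api_call", "on_behalf_of": "bob"})
    append(log, "2026-05-03T10:00:00Z", "bob", {"event": "policy_change", "key": "audit_retention_days"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = head_hash(log)                # written to WORM storage at archive time
    print("fresh:", verify(log))
    redact_before(log, 2)                  # entries 0 and 1 are past the hot-tier cutoff
    print("after redaction:", verify(log), "anchor unchanged:", head_hash(log) == anchor)
    log[0].actor = "mallory"               # tamper with a redacted row
    print("after tampering:", verify(log))
```

Because the header hash covers only the payload commitment, redaction changes no link and the externally anchored head hash stays valid; any edit to a redacted row's remaining fields (actor, timestamp, sequence) or to a live row's body still breaks verification. A data-subject access request against a redacted row can therefore return the surviving header with a verifiable chain, exactly as §6 describes.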
7. Your rights #
Under GDPR (Chapter III), you have the right to:
- Access (Art. 15) — obtain confirmation that we process data about you and a copy of it.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — have your personal data erased, subject to legal retention obligations.
- Restriction of processing (Art. 18) — limit how we use your data in specific circumstances.
- Portability (Art. 20) — receive your personal data in a structured, machine-readable format. For fremforge tenant data, the self-service signed export provides this at org level; for your individual account data, contact compliance@frem.sh.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3)) — where we rely on consent, withdraw it without affecting the lawfulness of prior processing.
- Complaint to a supervisory authority (Art. 77).
How to exercise: email compliance@frem.sh. We respond without undue delay and in any event within one month (Art. 12(3)); for complex or numerous requests that period may be extended by up to two further months, in which case we tell you within the first month. For requests that involve repository or collaboration content owned by your organisation, we will route you to the organisation’s administrator, since fremverk ApS acts as processor only for that content.
Your organisation’s controller obligations: if your organisation is a GDPR controller in the EU, it has separate obligations to you directly under GDPR. fremverk ApS cannot answer controller-level data-subject requests on your employer’s behalf; the DPA defines the hand-off.
8. Sub-processors #
The current sub-processor list is maintained on the trust page and updated with 30 days’ advance notice of any change, per the standard DPA clause.
At the date of this notice, the sub-processors are:
| Sub-processor | Purpose | Location | Certifications |
|---|---|---|---|
| Deutsche Telekom AG (T Cloud) | Core compute, storage, network, CI runners | Biere/Magdeburg, DE | ISO 27001, 27017, 27018; BSI C5 Type 2; TISAX |
| Bunny CDN d.o.o. | Edge delivery, WAF, DDoS | EU PoPs (HQ Slovenia) | ISO 27001 (2025), SOC 2 (2023) |
| Lettermint B.V. | Outbound transactional email | Zwolle, Netherlands | Vendor certifications pending evidence (NL — no US parent); upstream OVHcloud SAS (France) and UpCloud Ltd (Amsterdam, NL) — both EU-only |
| Heinlein Hosting GmbH (mailbox.org) | Shared-mailbox hosting (support@, abuse@, security@, compliance@, hello@, ops@, enterprise@, info@fremverk.com) | Berlin, Germany | ISO 27001; BSI C5; BSI IT-Sicherheitskennzeichen (TR 03108) |
| Mollie B.V. | Payment processing | Amsterdam, NL | PCI-DSS Level 1 |
| Visma Dinero ApS | Issuance and 5-year statutory retention of invoice bilag under Bogføringsloven §10 — receives org legal name, billing-contact email, VAT number, invoice line items, Mollie payment-id reference. No repository content, no audit-log content, no PAN. | Copenhagen, DK | ISO 27001 (DK — no US parent) |
VIES: the EU Commission’s VAT-number validation service (https://ec.europa.eu/taxation_customs/vies/) is contacted at signup time to validate Customer-supplied VAT identifiers and qualify the reverse-charge mechanism. VIES is a non-commercial public-sector service operated by the European Commission and is not a sub-processor under Article 28: the only data submitted is the VAT identifier (a business-registration number, not personal data of the data subject), and lookup results (valid / invalid / unavailable) are stored against the tenancy record. Disclosed for transparency.
Simply.com: Simply.com A/S (DK) is the registrar and DNS provider for the brand-redirect domains fremforge.com, fremforge.eu, fremforge.dk (all 301-redirect to www.frem.sh). No Customer Personal Data transits Simply.com; only DNS lookups for the redirect targets. Listed for transparency; not a sub-processor under Article 28 (DNS is generally treated as utility infrastructure, equivalent to internet routing). The product domain frem.sh and customer-facing surfaces use BunnyDNS (Bunny CDN d.o.o., Slovenia, the same sub-processor as the CDN/WAF/edge tier, already disclosed in Annex B row 2) for DNS, so there is no Simply.com dependency on the customer-facing path.
Bunny: EU-only edge configured at pull-zone level; geo-replication outside EU disabled.
Mollie: Card-network sub-sub-processors (Visa Europe Services Inc. UK branch — parent Visa Inc. is US; Mastercard Europe SA — Belgium) operate under PCI-DSS. The Visa Inc. parent caveat is disclosed in DPA §11.3. Customers preferring zero US-parent exposure on the payment path may pay by SEPA Direct Debit.
9. Security #
Technical and organisational measures include, but are not limited to:
- TLS 1.2+ on every customer-facing surface. The certificates served at the public edge (frem.sh, www.frem.sh, etc.) are managed by Bunny CDN’s integrated certificate provisioning. The internal origin-TLS pipeline (Bunny edge → fremforge load balancers) uses certificates issued by Actalis S.p.A. (Italy, Aruba Group), an eIDAS Qualified Trust Service Provider on the EU Commission’s Trusted List under Regulation 910/2014. The CA receives only the FQDN being certified (*-origin.frem.sh), never customer personal data, and is therefore not a sub-processor under Article 28 (same posture as VIES). See DPA Annex B for the full disclosure.
- AES-256 encryption at rest for repositories, databases, object storage, and backups, with keys managed in T Cloud DEW (Data Encryption Workshop).
- Scoped service accounts for every control-plane function; no super-admin tokens in normal operation.
- Mandatory MFA for platform administrators and break-glass accounts.
- Immutable audit log with tamper-evident hash chaining, anchored to OBS WORM storage.
- Pre-receive secret scanning on every push; dependency scanning on every PR; signed commits via OIDC identity (optional); SLSA provenance on build artifacts.
- Hosted runners run as per-pod kernel-isolated (T Cloud CCI) serverless containers; no shared kernel between tenant jobs.
- SSRF hardening on every outbound path, in three composed layers: a per-pod VPC Security Group egress allowlist (Cloud Native Network 2.0), a forced outbound-proxy CONNECT tunnel carrying an SSRF deny-set, and an app-layer SSRF guard. The layers are composed so that no tenant-influenced code path can bypass them.
- Published security-patching SLA: Critical CVEs (CVSS ≥ 9.0) patched within 48 hours of upstream fixed release, High (7.0–8.9) within 72 hours, Medium (4.0–6.9) within 7 days, Low at the next scheduled maintenance window (see trust page §Security patching). This SLA is cited verbatim in the DPA security annex.
Details and additional measures are documented in the DPA security annex.
10. International transfers #
No Customer Personal Data is transferred outside the EEA on any processing path. All processing — repositories, CI runs, audit logs, authentication metadata, billing, payments, outbound transactional email (Lettermint B.V., Zwolle, Netherlands), and inbound shared-mailbox correspondence (Heinlein Hosting GmbH / mailbox.org, Berlin, Germany) — takes place inside the EU/EEA at entities with no US parent. No Article 46 GDPR safeguard is required.
11. Profiling and automated decision-making #
fremforge does not subject you to automated decisions producing legal or similarly significant effects on you (GDPR Art. 22). Automated controls within the product (push-protection rejection of a commit containing a secret, merge-block on a CRITICAL dependency CVE, CI policy gates, rate-limiter throttle on abusive traffic) are product rules that operate on the technical content of a Git, CI or API request, not on the person, and so do not produce legal or similarly significant effects on the data subject within the meaning of Art. 22(1). The Customer’s tenant administrator can review and override every such decision through the audit log and the policy-override workflow described in the documentation, per the policy hierarchy.
Customer-configured AI features (§3.7) are similarly tenant-admin-controlled product rules: the tenant admin chooses whether AI processing is enabled and which vendor receives prompts; fremverk does not initiate AI processing on data subjects without the Customer’s explicit configuration.
12. Children #
fremforge is a B2B product and is not directed to children. We do not knowingly collect data from children. If you believe a child has signed up or been added as a member, contact compliance@frem.sh.
Where Customer Content includes personal data of a child, the Customer is responsible for the legal basis. The Danish digital-consent age under Databeskyttelsesloven §6(3) is 13; some other EU member states set 16. Customers should configure their organisations consistently with the age in the data subject’s member state.
13. Supervisory authority #
Datatilsynet (Danish Data Protection Agency)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Website: datatilsynet.dk
Email: dt@datatilsynet.dk
You may also lodge a complaint with the supervisory authority in your own EU member state.
14. Changes to this notice #
We may update this notice from time to time. Material changes are announced through two parallel channels so a Customer who watches either channel learns of changes: (a) the trust page (Watch the trust page or its RSS feed for in-product changes) AND (b) direct email to each Customer’s designated billing contact for changes affecting the legal basis of processing or adding a sub-processor. Both channels deliver at least 30 days’ advance notice for material changes — the dual-channel mechanism guarantees notification even if one channel is missed (mailing-list opt-out, billing-contact email change, etc.). The effective date at the top of this page reflects the last meaningful content change. Prior versions are retained in Git and available on request.
Annex A — Processing activities by role #
| If you are… | You interact with | Legal basis summary |
|---|---|---|
| A member of a tenant org | Repository, CI, issues; your own account data; session cookies | Tenant DPA (content); contractual necessity (account) |
| An admin of a tenant org | As above, plus: seat management, policy configuration, audit log view, export | Same; admin actions are audit-logged against your identity |
| An owner of a tenant org | As above, plus: org-level policy, SSO configuration, OIDC federation, tenant lifecycle | Same |
| A visitor to public repos (if enabled) | Public-repo content; no session cookies unless you sign in | Legitimate interest of the tenant as controller of the public repo |
| A prospect signing up for a trial | 30-day trial org creation; credit-card mandate via Mollie | Pre-contractual steps (Art. 6(1)(b)); consent for marketing contact |
| An AI agent acting on your behalf (Phase 2+) | As your role permits, under the scope of the delegated mandate you issued | Same basis as your own role; actions logged as actor=agent:<id>, on_behalf_of=<user_id> |
Annex B — Contact quick reference #
- Privacy questions, data-subject requests: compliance@frem.sh
- General support: support@frem.sh
- Security vulnerabilities: security@frem.sh
- Abuse reports (DSA Art. 16): abuse@frem.sh
- Legal and law-enforcement contact: compliance@frem.sh
- Commercial inquiries: hello@frem.sh
Change log #
Versions track the DPA change-log — substantive sub-processor or processing-purpose updates published in the DPA are reflected here in the same numbered version, on the same effective date.
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-04-25 | Initial publication. |
| 1.1 | 2026-04-27 | Heinlein Hosting GmbH (mailbox.org, Berlin) added to the sub-processor table for inbound shared-mailbox correspondence; Annex section listing operator mailboxes expanded (initially 4 → 6 boxes; finalised at 8 in v1.5 below). Mirrors DPA v1.1. |
| 1.2 | 2026-05-03 | Clarified that the self-hosted PoW captcha and Authentik are self-hosted (not Article-28 sub-processors) and that the EU Commission’s VIES VAT-validation service is a non-commercial public-sector lookup, not a sub-processor — disclosed for transparency only. Mirrors DPA v1.2. (Captcha implementation switched from mCaptcha to Altcha on 2026-05-09 per DPA v1.7; both are self-hosted, neither is a sub-processor.) |
| 1.3 | 2026-05-04 | Disclosed origin-TLS Certificate Authority Actalis S.p.A. (Italy, Aruba Group, eIDAS QTSP). Posture: the CA receives only FQDNs (not personal data) and is not a sub-processor under Article 28. Mirrors DPA v1.3. |
| 1.4 | 2026-05-06 | Added Visma Dinero ApS (Denmark) to the sub-processor table. fremverk transmits the customer’s org legal name, billing-contact email, VAT number, invoice line items, and Mollie payment-id reference into Dinero for issuance and 5-year statutory retention of bilag under Bogføringsloven §10. No repository content, no audit-log content, no PAN. Mirrors DPA v1.4. (Wording revised 2026-05-16 to align with DPA Annex B language — previous summary said “fremverk-side bookkeeping, no Customer Personal Data path”, which understated the personal-data flow enumerated in the DPA.) |
| 1.5 | 2026-05-08 | Round-7 transparency updates: Simply.com A/S (DK) listed as registrar/DNS provider for the brand-redirect domains fremforge.com / .eu / .dk (no Customer Personal Data path; not a sub-processor under Article 28); the operator-mailbox enumeration finalised at 8 mailboxes (support@, abuse@, security@, compliance@, hello@, ops@, enterprise@, info@fremverk.com) following the consolidation that retired the reserved-name aliases (legal@ / privacy@ / gdpr@) into compliance@; Visa Inc. card-network footnote added to the no-US-CLOUD-Act-exposure framing on the payments path (the card scheme is unrelated to controller/processor data flows under Article 28); Brevo / Sendinblue SAS cap-table footnote softened to acknowledge US growth investors without changing the no-US-parent framing. Mirrors round-7 DPA edits in the same version range. |
| 1.6 | 2026-05-08 | Mirror update of DPA v1.6: security-testing posture aligned with industry-norm EU-sovereign-SaaS DPA wording. DR drill cadence stated as “at least annually and on material change to the recovery design” (Enterprise-on-Demand may agree a tighter cadence in the Order Form). Fixed-cadence external-pentest commitment removed at the standard tier; pentest reports remain available under NDA when commissioned, and Enterprise-on-Demand contracts may agree a specific testing cadence in the Order Form. No change to GDPR Art. 32(1)(d) regular-testing posture and no change to Customer Personal Data flows. |
| 1.7 | 2026-05-09 | Bot-mitigation captcha implementation switched from self-hosted mCaptcha to self-hosted Altcha (MIT-licensed, HMAC-signed PoW, in-app at frem.sh/_app/altcha/challenge with widget bundle at frem.sh/_app/static/altcha.js). No new sub-processor; no change to Customer Personal Data flows. Mirrors DPA v1.7. |
| 1.8 | 2026-05-14 | Outbound transactional email sub-processor changed: Sendinblue SAS (Brevo) decommissioned 2026-05-14; replaced by Lettermint B.V. (Zwolle, NL — KvK 80706290) on the outbound transactional-email path. Sub-processor table (§4 surface map, §8 sub-processor list) and CLOUD Act enumeration (§5) updated. Sovereignty posture improved: Lettermint’s upstream is OVHcloud SAS (France) and UpCloud Ltd (Amsterdam, NL) — EU-only entities throughout, in contrast to Brevo’s prior Google Cloud europe-west1 dependency and the November 2025 LBO that put General Atlantic (US PE) at ~25% co-control of Sendinblue SAS. Lettermint vendor certifications pending evidence; no US-parented processor on the email path. No change to data categories processed (recipient email + body content + delivery metadata, same shape). Mirrors DPA v1.9. |
| 1.9 | 2026-05-17 | §14 channel-of-record clarified to dual-channel (trust page + direct email to billing contact) for material changes — both channels carry the 30-day advance-notice commitment, so a Customer watching either channel learns of changes. Mirrors DPA v1.10’s dual-channel mechanism. No change to data categories or sub-processor list. |
| 1.10 | 2026-05-25 | Three coordinated changes. §6 retention reframed for two-tier audit-log retention (customer-tunable hot tier 90 / 180 / 365 / 730 days, default 90 standard / 365 enterprise; 3-year WORM hash-chain archive with payload redacted at hot-tier cutoff). Mirrors DPA v1.14 + DPIA v1.2. §3.7 added — Customer-configured AI processing (Art 13/14 data-subject disclosure): the tenant Customer admin may enable AI vendors at Organisation admin → AI integrations; those vendors are the Customer’s processors (not fremverk’s sub-processors per DPA §B.8); the vendor may be US-incorporated at the Customer’s choice; the AUP §3.7 no-AI-training commitment binds fremverk and fremverk-appointed sub-processors only. §11 footnote referencing §3.7. §1 anonymous public-docs wiki disclosure added (server-access logs only, no cookies; tenant-Customer-controlled CSS may reference external URLs at the tenant’s responsibility). Mirrors AUP §3.6A and Cookie Policy §3. No new sub-processor; no change to fremverk’s own residency posture. |