CircleCI EU Alternative 2026: Delaware C-Corp, January 2023 Secrets Breach, GitLab CI/Woodpecker CI EU-Native DevOps
Post #2 in the sota.io EU DevOps Tools Series
CircleCI is one of the most widely used hosted CI/CD platforms in the world. Launched in 2011, it was among the first SaaS products to bring continuous integration to GitHub-hosted repositories at scale. For development teams that standardised on CircleCI in the mid-2010s, its tight GitHub integration, parallelism model, and orb ecosystem made it the default choice for test automation and deployment pipelines.
But CircleCI carries two risks that EU development teams must evaluate before committing to it for GDPR-sensitive DevOps workflows: first, its Delaware incorporation and US headquarters mean the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) applies to all data held on its infrastructure, including source code, environment variables, and production secrets. Second, in January 2023, CircleCI suffered a major security breach in which attackers stole customer environment variables, API tokens, and secrets from the CircleCI platform — proving that CI/CD infrastructure is a high-value target precisely because of the sensitive credentials it holds.
This guide analyses both risks and presents EU-native CI/CD alternatives that provide genuine data sovereignty for European development teams.
CircleCI, Inc.: Delaware C-Corp, San Francisco Headquarters
CircleCI was founded in 2011 in San Francisco, California by Paul Biggar and Allen Rohner. The company is incorporated as CircleCI, Inc. — a Delaware C-Corporation — headquartered at 750 Market Street, San Francisco, CA 94102.
| Dimension | Detail |
|---|---|
| Legal entity | CircleCI, Inc. |
| Incorporation | Delaware C-Corporation |
| Headquarters | San Francisco, California, USA |
| Founded | 2011 |
| Funding (total) | ~$315 million (IVP, Baseline Ventures, Top Tier Capital, DFJ) |
| Employees | ~800 (2023) |
| Primary data region | US East (default); EU West available |
| EU runner region | EU West (Ireland) — jurisdiction remains CircleCI/US |
The critical legal fact is straightforward: CircleCI, Inc. is a US corporation incorporated in Delaware. Regardless of which AWS or GCP region its runners operate in, the corporate entity owning the platform, its encryption keys, and its customer data is a US legal person subject to US federal law.
The CLOUD Act: What It Means for CircleCI Users
The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713), enacted in 2018, requires US-incorporated companies to produce customer data in response to a valid US government order regardless of where the data is physically stored. The CLOUD Act explicitly overrides data localisation arguments — storing your CircleCI data in the EU West (Ireland) region does not remove it from CLOUD Act reach.
For a CI/CD platform like CircleCI, the CLOUD Act exposure is especially significant because of what CI/CD pipelines routinely process:
What CircleCI Holds That Is CLOUD Act-Compellable
| Data type | CircleCI exposure |
|---|---|
| Source code | Full repository clones run in every pipeline job |
| Environment variables | Database passwords, API keys, payment credentials, OAuth secrets |
| Deployment credentials | AWS IAM keys, GCP service account JSON, Kubernetes kubeconfig |
| Test artefacts | Coverage reports, screenshots, logs, compiled binaries |
| SSH keys | Host keys for deployment targets |
| Docker registry credentials | Private container registry authentication tokens |
| Third-party API tokens | Stripe, Twilio, SendGrid, Segment, and hundreds more |
A single US government order served on CircleCI, Inc. could compel production of all of these credential classes for a target customer without the customer being notified.
The January 2023 CircleCI Breach: CI/CD Secrets as High-Value Targets
The CLOUD Act is a legal risk. What happened in January 2023 demonstrated that CI/CD secrets are also a direct operational security risk — and that CircleCI's own infrastructure can be the attack vector.
Timeline of the January 2023 Incident
On 4 January 2023, CircleCI published a security incident notice. The full timeline:
| Date | Event |
|---|---|
| December 21, 2022 | Malware installed on a CircleCI engineer's laptop via a compromised session token |
| December 21–January 4 | Attackers used the session token to access CircleCI's internal systems and exfiltrate customer data |
| January 4, 2023 | CircleCI notified customers of the breach |
| January 13, 2023 | CircleCI published the full incident report |
What Was Stolen
CircleCI confirmed that attackers accessed and exfiltrated:
- Customer environment variables — including all secrets stored as environment variables in CircleCI project settings
- Encryption keys — the keys used to encrypt at-rest customer secrets, meaning attackers could decrypt environment variables even if they were stored encrypted
- API tokens — CircleCI API tokens used for automation
The scale of potential exposure was enormous. CircleCI advised all customers to rotate every secret stored in CircleCI immediately — API keys, OAuth tokens, deployment credentials, database passwords. Any customer who had stored production secrets in CircleCI environment variables was potentially compromised.
Why This Matters for GDPR and EU DevOps
The 2023 breach illustrates a structural risk of hosted CI/CD: the platform operator's own infrastructure security becomes your attack surface. Under GDPR:
- Article 32 requires "appropriate technical and organisational measures" to protect personal data. If customer database passwords stored in CircleCI are stolen, and those passwords provide access to databases containing personal data, the GDPR breach notification obligation (Art. 33, 72-hour notification to supervisory authority) is triggered.
- Article 28 requires data processing agreements (DPAs) with processors. CircleCI provides a DPA, but the breach demonstrated that contractual controls alone cannot prevent security incidents at the processor level.
- Article 83 penalties can apply regardless of whether the controller (you) or processor (CircleCI) was at fault — the breach notification obligation runs from the moment the controller becomes aware.
CircleCI's EU Data Region: What It Does and Doesn't Solve
CircleCI offers an EU deployment option that runs pipeline jobs in AWS eu-west-1 (Ireland). This addresses data residency — the physical location of data at rest — but does not address:
- CLOUD Act jurisdiction — CircleCI, Inc. (Delaware) remains the data controller; US compulsion orders apply
- Corporate control — CircleCI, Inc. holds the master encryption keys regardless of runner region
- Support access — CircleCI engineering and support teams in the US can access customer environments under US employment jurisdiction
- M&A risk — if CircleCI is acquired by a US company (or already has US VC board control), the corporate jurisdiction does not change
The EU deployment option is a data localisation measure, not a data sovereignty measure. For the purposes of a GDPR Art. 44 transfer analysis, the data remains under the control of a US entity.
EU-Native CI/CD Alternatives to CircleCI
1. GitLab CI/CD (GitLab B.V., Amsterdam, Netherlands)
GitLab is the most mature EU-native CI/CD alternative to CircleCI. The company behind GitLab is GitLab B.V., incorporated in the Netherlands (Amsterdam). For GDPR purposes, GitLab B.V. is subject to Dutch law and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — AP), not US federal jurisdiction.
GitLab.com (SaaS):
- Hosted by GitLab Inc. (US subsidiary of GitLab B.V.) — CLOUD Act applies to the SaaS platform
- For true EU sovereignty: GitLab Self-Managed or GitLab Dedicated (EU region)
GitLab Self-Managed (recommended for EU compliance):
- Deploy on your own infrastructure (Hetzner, OVH, Scaleway, or on-premises)
- Complete control over encryption keys, network access, and data residency
- EU corporate headquarters of the software publisher: Netherlands
- CI/CD feature parity with CircleCI: parallel jobs, caching, artefact storage, secrets management, container registry, security scanning
| Feature | CircleCI | GitLab Self-Managed |
|---|---|---|
| Publisher jurisdiction | US (Delaware) | EU (Netherlands) |
| CLOUD Act applies | Yes | No (self-hosted: your jurisdiction) |
| Secrets management | CircleCI-managed | Your infrastructure |
| Breach history | January 2023 | No comparable hosted breach |
| Orbs/Templates | 1,000+ orbs | 1,000+ component catalog entries |
| Docker layer caching | Yes | Yes |
| Test splitting | Yes | Yes |
| Git host integration | GitHub (native) | GitLab (built-in) |
GitLab corporate structure:
- GitLab B.V. (Amsterdam, Netherlands) — primary legal entity
- GitLab Inc. (San Francisco, CA) — US subsidiary for US operations
- Listed on NASDAQ as GTLB — but the software IP and primary corporate entity is Dutch
For EU organisations, self-hosted GitLab (Community Edition — open source; Enterprise Edition for advanced features) provides CI/CD that runs entirely within EU jurisdiction with no CLOUD Act exposure.
2. Woodpecker CI (Open Source, Self-Hosted)
Woodpecker CI is an open-source CI/CD system forked from the original Drone CI codebase. It is maintained by a community of contributors with no single corporate parent — the project is hosted on GitHub under the Apache 2.0 licence.
Why Woodpecker CI for EU compliance:
- No corporate jurisdiction — open source, self-hosted, your infrastructure controls the data
- CLOUD Act does not apply — you host it; there is no US company in the data chain
- Integrates with Gitea, Forgejo, GitHub, GitLab, Bitbucket
- Docker-native pipeline definition (.woodpecker.yml)
- Horizontal scaling via agent workers
Limitations vs. CircleCI:
- Smaller ecosystem than CircleCI (no orb marketplace equivalent)
- No managed cloud hosting (self-host only)
- Smaller community than GitLab
3. Forgejo + Forgejo Actions (Codeberg e.V., Berlin, Germany)
Forgejo is an open-source Git platform (fork of Gitea) maintained by Codeberg e.V. — a German non-profit association registered in Berlin. Codeberg hosts the Codeberg.org public instance; organisations can self-host Forgejo.
Forgejo Actions (introduced in Forgejo 7.0) provides GitHub Actions-compatible CI/CD using the same YAML syntax as GitHub Actions — making migration from GitHub Actions (and by extension, CircleCI) simpler.
Corporate structure of the publisher:
- Codeberg e.V. — eingetragener Verein (registered association) under German law
- Registered in Berlin, Germany
- Subject to German BDSG and GDPR, not US federal law
For EU compliance:
- Codeberg.org public instance: German jurisdiction, German non-profit
- Self-hosted Forgejo: complete control
- Forgejo Actions runners: self-hosted, your infrastructure
4. JetBrains TeamCity (JetBrains s.r.o., Prague, Czech Republic)
JetBrains is a Czech software company (IntelliJ IDEA, PyCharm, Kotlin). JetBrains s.r.o. is incorporated in the Czech Republic. TeamCity is their CI/CD product, available as TeamCity Cloud (SaaS) and TeamCity On-Premises (self-hosted).
| Dimension | Detail |
|---|---|
| Publisher | JetBrains s.r.o. |
| Incorporation | Czech Republic (Prague) |
| EU jurisdiction | Yes — Czech Republic, ÚOOÚ (Office for Personal Data Protection) |
| CLOUD Act applies | No (Czech entity, no US parent) |
| TeamCity Cloud regions | US, EU (Amsterdam) |
| On-Premises option | Yes — self-host on EU infrastructure |
Note on ownership: JetBrains is wholly owned by Sharovenkov Holdings Ltd. (Cyprus) which is owned by the two Russian founders. As of 2022, JetBrains has restructured its holding structure. For GDPR purposes the relevant entity remains the Czech s.r.o. For risk-averse EU organisations, TeamCity On-Premises eliminates any third-party hosting risk.
5. Concourse CI (Open Source, Self-Hosted)
Concourse CI is an open-source "continuous thing-doer" (the project's own description) built around the concept of pipelines as code. Originally developed by Pivotal (now part of Broadcom), Concourse is now a community-maintained CNCF project.
- No corporate jurisdiction — open source, self-hosted
- Pipeline-as-code model using declarative YAML
- Strong containerisation model (all tasks run in containers)
- Used by large organisations including numerous EU enterprises
- Web UI for pipeline visualisation
6. Tekton Pipelines (CNCF, Self-Hosted)
Tekton is a cloud-native CI/CD framework running on Kubernetes. It is a CNCF (Cloud Native Computing Foundation) project — a Linux Foundation hosted project with no single corporate owner.
- Runs entirely on Kubernetes — deploy on any EU cloud provider
- Declarative pipeline definitions as Kubernetes CRDs
- Tekton Hub provides community-maintained task catalog
- Steeper learning curve than CircleCI but complete infrastructure control
CircleCI vs EU Alternatives: GDPR Compliance Comparison
| Factor | CircleCI | GitLab Self-Managed | Woodpecker CI | Forgejo Actions | JetBrains TeamCity |
|---|---|---|---|---|---|
| Publisher country | USA (Delaware) | Netherlands (B.V.) | Open source | Germany (e.V.) | Czech Republic |
| CLOUD Act applies | Yes | No (self-hosted) | No | No | No |
| 2023 breach history | Yes | No equivalent | No | No | No |
| Secrets custody | CircleCI platform | Your infrastructure | Your infrastructure | Your infrastructure | Your infrastructure |
| GDPR Art. 44 transfer risk | High | None (self-hosted) | None | None | Low (EU entity) |
| EU DPA authority | None (US company) | AP (Netherlands) | N/A | BFDI (Germany) | ÚOOÚ (Czech) |
| Managed cloud option | Yes (EU region) | GitLab Dedicated | No | Codeberg.org | TeamCity Cloud (EU AMS) |
| Self-hosted option | No | Yes | Yes | Yes | Yes |
| GitHub Actions YAML compat | No | Partial | No | Yes (Forgejo Actions) | No |
The Secrets Management Problem: Why CI/CD Jurisdiction Matters More Than Compute
For many cloud services, CLOUD Act risk is primarily about data at rest — customer records, documents, files. For CI/CD platforms, the risk profile is different and more acute.
CI/CD pipelines are credential aggregators. A single CircleCI project typically holds:
- Cloud provider credentials (AWS, GCP, Azure)
- Database connection strings (production databases)
- Payment processor keys (Stripe, Mollie, Adyen)
- Email service credentials (SendGrid, Postmark)
- Container registry tokens
- Third-party SaaS API keys
This means a CLOUD Act order served on CircleCI, Inc. could expose the entire credential estate of a customer organisation — not just the source code, but every service that code deploys to or integrates with.
The January 2023 breach made this concrete: attackers who gained access to CircleCI's internal systems could access encrypted secrets and the keys to decrypt them for every CircleCI customer. The breach response required companies to rotate every secret stored in CircleCI — a major operational incident that affected thousands of development teams globally.
Migration Path from CircleCI to GitLab CI
For EU development teams migrating from CircleCI to GitLab CI, the conceptual mapping is:
| CircleCI concept | GitLab CI equivalent |
|---|---|
| .circleci/config.yml | .gitlab-ci.yml |
| Jobs | Jobs |
| Workflows | Pipelines with needs: dependencies |
| Orbs | Components (GitLab Component Catalog) or includes |
| Environment variables | CI/CD Variables (project/group/instance level) |
| Contexts | Protected/masked CI/CD Variables, Group Variables |
| Executors | Docker, shell, Kubernetes, or custom runners |
| Caching | cache: keyword with S3 or local cache |
| Artefacts | artifacts: keyword |
| Parallelism | parallel: keyword |
GitLab CI uses a declarative YAML syntax that is structurally similar to CircleCI. A typical CircleCI config with build, test, and deploy stages maps directly to a GitLab CI pipeline with equivalent stages.
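To make the mapping table concrete, here is an added example (written for this post, not CircleCI's or GitLab's own tooling) that takes the parsed form of a typical CircleCI config and emits the equivalent `.gitlab-ci.yml` structure: workflow `requires:` chains become stages plus `needs:`, `parallelism` becomes `parallel:`, `persist_to_workspace` becomes `artifacts:`, `save_cache` becomes `cache:`, and branch filters become `rules:`. The sample pipeline (build, test, deploy) is constructed for illustration. Contexts have no YAML equivalent, so the converter returns them as notes: their variables have to be recreated by hand as protected, masked CI/CD variables in GitLab.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Constructed input: the parsed form of a typical .circleci/config.yml (sample data, not a real project).
CIRCLECI_CONFIG: dict[str, Any] = {
    "jobs": {
        "build": {
            "docker": [{"image": "node:20"}],
            "steps": [
                "checkout",
                {"restore_cache": {"keys": ['npm-{{ checksum "package-lock.json" }}']}},
                {"run": "npm ci"},
                {"save_cache": {"key": 'npm-{{ checksum "package-lock.json" }}', "paths": ["node_modules"]}},
                {"run": {"name": "Build", "command": "npm run build"}},
                {"persist_to_workspace": {"root": ".", "paths": ["dist"]}},
            ],
        },
        "test": {
            "docker": [{"image": "node:20"}],
            "parallelism": 4,
            "steps": ["checkout", {"attach_workspace": {"at": "."}}, {"run": "npm ci"}, {"run": "npm test"}],
        },
        "deploy": {
            "docker": [{"image": "alpine:3.19"}],
            "steps": ["checkout", {"attach_workspace": {"at": "."}}, {"run": "./deploy.sh"}],
        },
    },
    "workflows": {"main": {"jobs": [
        "build",
        {"test": {"requires": ["build"]}},
        {"deploy": {"requires": ["test"], "context": ["production"],
                    "filters": {"branches": {"only": "main"}}}},
    ]}},
}


def _entry(item: str | dict) -> tuple[str, dict]:
    """Workflow job entries are either a bare job name or {name: options}."""
    if isinstance(item, str):
        return item, {}
    (name, opts), = item.items()
    return name, opts or {}


def _depth(name: str, requires: dict[str, list[str]], memo: dict[str, int]) -> int:
    """Length of the longest `requires` chain ending at this job; decides its stage."""
    if name not in memo:
        memo[name] = 1 + max((_depth(d, requires, memo) for d in requires.get(name, [])), default=0)
    return memo[name]


def _cache_key(key: str) -> str | dict:
    """CircleCI `{{ checksum "file" }}` keys map to GitLab `key: {files: [...]}`."""
    m = re.search(r'checksum "([^"]+)"', key)
    return {"files": [m.group(1)]} if m else key


def _steps(steps: list) -> tuple[list[str], list[str], dict | None]:
    """Split CircleCI steps into GitLab script lines, artifact paths and a cache block."""
    script, artifacts, cache = [], [], None
    for step in steps:
        if step == "checkout":
            continue  # GitLab runners clone the repository before `script` runs
        (kind, body), = step.items()
        if kind == "run":
            script.append(body if isinstance(body, str) else body["command"])
        elif kind == "persist_to_workspace":
            artifacts.extend(body["paths"])  # downstream jobs receive these through `needs:`
        elif kind == "save_cache":
            cache = {"key": _cache_key(body["key"]), "paths": list(body["paths"])}
        elif kind in ("restore_cache", "attach_workspace"):
            continue  # implicit in GitLab: `cache:` restores itself, artifacts follow `needs:`
        else:
            raise ValueError(f"unsupported CircleCI step: {kind}")
    return script, artifacts, cache


def circleci_to_gitlab(config: dict, workflow: str | None = None) -> tuple[dict, list[str]]:
    """Return (.gitlab-ci.yml structure, notes about things the YAML alone cannot carry)."""
    workflows = config["workflows"]
    entries = [_entry(i) for i in workflows[workflow or next(iter(workflows))]["jobs"]]
    requires = {name: list(opts.get("requires", [])) for name, opts in entries}
    memo: dict[str, int] = {}
    levels: dict[int, list[str]] = {}
    for name, _ in entries:
        levels.setdefault(_depth(name, requires, memo), []).append(name)
    # One stage per dependency level, named after the job when it is alone on that level.
    stage_of = {n: (names[0] if len(names) == 1 else f"stage-{d}") for d, names in levels.items() for n in names}
    out: dict[str, Any] = {"stages": [stage_of[levels[d][0]] for d in sorted(levels)]}
    notes: list[str] = []
    for name, opts in entries:
        job = config["jobs"][name]
        script, artifacts, cache = _steps(job["steps"])
        g: dict[str, Any] = {"stage": stage_of[name], "image": job["docker"][0]["image"], "script": script}
        if requires[name]:
            g["needs"] = requires[name]
        if job.get("parallelism", 1) > 1:
            g["parallel"] = job["parallelism"]  # CI_NODE_INDEX takes the role of CIRCLE_NODE_INDEX
        if artifacts:
            g["artifacts"] = {"paths": artifacts}
        if cache:
            g["cache"] = cache
        only = opts.get("filters", {}).get("branches", {}).get("only")
        if only:
            g["rules"] = [{"if": f'$CI_COMMIT_BRANCH == "{b}"'} for b in ([only] if isinstance(only, str) else only)]
        for ctx in opts.get("context", []):
            # Contexts must be recreated as protected, masked group/project CI/CD variables.
            notes.append(f"{name}: recreate CircleCI context '{ctx}' as protected/masked CI/CD variables")
        out[name] = g
    return out, notes


if __name__ == "__main__":
    gitlab_ci, todo = circleci_to_gitlab(CIRCLECI_CONFIG)
    print(json.dumps(gitlab_ci, indent=2))  # feed to a YAML dumper to write .gitlab-ci.yml
    for line in todo:
        print("#", line)
```

Running it prints the GitLab job definitions as JSON (structurally identical to the YAML you would commit) followed by one note per CircleCI context, which is exactly the part of the migration that cannot be automated from the config file alone.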
What EU Organisations Should Do Now
- Audit CircleCI secret inventory — list every environment variable and context stored in CircleCI; evaluate which credentials have production access
- Assess GDPR data processor risk — if your CircleCI pipelines process personal data (user databases, analytics, logs), CircleCI is a GDPR data processor; ensure your DPA is current and evaluate CLOUD Act transfer risk
- Consider self-hosted GitLab or Woodpecker CI for pipelines that process the most sensitive credentials (production database passwords, payment credentials)
- Rotate credentials if you have not done so since the January 2023 breach
- Evaluate GitLab Dedicated EU if you want managed CI/CD with EU data residency and EU corporate control
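The first and fourth steps above (inventory every variable and context, rotate anything that predates the January 2023 disclosure) can be scripted. The following is an added example written for this post, not a CircleCI tool: it takes the variable listings a CircleCI project and its contexts expose, classifies each name against the credential classes listed earlier in this post (cloud provider, database, payment, email, registry, SSH), and flags for rotation every known credential class stored before 4 January 2023. The sample payloads are constructed; their shape follows the CircleCI v2 API as far as the `name`/`value`/`variable` fields go, while the `created_at` timestamps are an assumption of this example. The `fetch_project_envvars` helper shows the live call but is not exercised offline.

```python
from __future__ import annotations

import json
import re
import urllib.request
from datetime import datetime, timezone

# 4 January 2023: the day CircleCI notified customers (see the timeline above).
BREACH_DISCLOSED = datetime(2023, 1, 4, tzinfo=timezone.utc)

# Name patterns for the credential classes a pipeline typically aggregates.
CREDENTIAL_CLASSES = [
    ("cloud provider", re.compile(r"^(AWS|GCP|GOOGLE|AZURE)_", re.I)),
    ("database", re.compile(r"DATABASE_URL|DB_PASS|POSTGRES|MYSQL|REDIS", re.I)),
    ("payment processor", re.compile(r"^(STRIPE|MOLLIE|ADYEN)_", re.I)),
    ("email service", re.compile(r"^(SENDGRID|POSTMARK)_", re.I)),
    ("container registry", re.compile(r"DOCKER_|REGISTRY_|GHCR_", re.I)),
    ("ssh / deploy key", re.compile(r"SSH_|DEPLOY_KEY", re.I)),
]

# Constructed sample payloads (not real secrets). Project variables carry `name` and a
# masked `value`; context variables carry `variable`. `created_at` is assumed here.
PROJECT_ENVVARS = {"items": [
    {"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxxWq7F", "created_at": "2022-09-14T10:02:11Z"},
    {"name": "DATABASE_URL", "value": "xxxxprod", "created_at": "2022-11-30T08:15:42Z"},
    {"name": "NODE_ENV", "value": "xxxxtion", "created_at": "2021-05-02T12:00:00Z"},
    {"name": "STRIPE_SECRET_KEY", "value": "xxxxK9aQ", "created_at": "2023-02-01T09:00:00Z"},
]}
CONTEXT_ENVVARS = {"production": {"items": [
    {"variable": "DOCKER_REGISTRY_TOKEN", "created_at": "2022-06-01T00:00:00Z"},
]}}


def classify(name: str) -> str:
    """Map a variable name to a credential class, or 'other' for plain settings."""
    for label, pattern in CREDENTIAL_CLASSES:
        if pattern.search(name):
            return label
    return "other"


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_secrets(project_vars: dict, context_vars: dict) -> list[dict]:
    """One record per variable: where it lives, what class it is, and what to do about it."""
    found = [(v["name"], "project", v["created_at"]) for v in project_vars["items"]]
    for ctx, payload in context_vars.items():
        # Context variables are shared across projects, so their blast radius is wider.
        found += [(v["variable"], f"context:{ctx}", v["created_at"]) for v in payload["items"]]
    report = []
    for name, source, created in found:
        cls = classify(name)
        pre_breach = _parse_ts(created) < BREACH_DISCLOSED
        if not pre_breach:
            action = "ok"        # created after the disclosure, presumably already rotated
        elif cls != "other":
            action = "rotate"    # known credential class stored during the exposure window
        else:
            action = "review"    # decide whether this plain setting is actually a secret
        report.append({"name": name, "source": source, "credential_class": cls,
                       "stored_before_disclosure": pre_breach, "action": action})
    return sorted(report, key=lambda r: (r["action"] != "rotate", r["name"]))


def summary(report: list[dict]) -> dict[str, int]:
    """Count variables per action so the rotation backlog is visible at a glance."""
    counts: dict[str, int] = {}
    for r in report:
        counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts


def fetch_project_envvars(project_slug: str, token: str) -> dict:
    """Live call (not exercised offline) to the CircleCI v2 API; slug looks like 'gh/org/repo'.
    Follow `next_page_token` in the response for projects with many variables."""
    req = urllib.request.Request(
        f"https://circleci.com/api/v2/project/{project_slug}/envvar",
        headers={"Circle-Token": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rows = audit_secrets(PROJECT_ENVVARS, CONTEXT_ENVVARS)
    for r in rows:
        print(f"{r['action']:6} {r['source']:20} {r['credential_class']:18} {r['name']}")
    print(summary(rows))
```

The API never returns secret values, only masked suffixes, so the inventory can be produced without anyone handling the credentials themselves; the name classification is deliberately conservative and anything it cannot place lands in "review" rather than being silently skipped.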
Deploy Your EU-Compliant CI/CD on EU Infrastructure
If you are migrating to self-hosted GitLab, Woodpecker CI, or Forgejo, you will need EU-based infrastructure to run your CI/CD platform. sota.io provides EU-native managed hosting on Hetzner Germany — no US parent, no CLOUD Act exposure, and straightforward deployment for containerised applications including GitLab Runners and Woodpecker CI agents.
Deploy your EU-sovereign DevOps stack from €9/month. All data stays in Germany.
Next in the EU DevOps Tools Series: Jenkins EU Alternative 2026 — Apache Software Foundation (US 501(c)(3)), self-hosted angle, and the "open source is CLOUD Act-free" analysis.