Craftifact
European artifact repository SaaS for Maven, npm, Python, Docker and Go, with secure defaults and no vendor lock-in.
Profile last updated: · View sources
About Craftifact
Craftifact is an artifact repository SaaS operated by SoluForge in Berlin, Germany. It hosts Maven, npm, Python, OCI (Docker) and Go (beta) artifacts with hosted, proxy and group repository types, role-based access control with SSO via OIDC, CycloneDX SBOM auto-generation, vulnerability and licence signal mapping, leaked-credential detection, and rule-based cleanup of obsolete artifacts.
The product is positioned as a lean alternative to JFrog Artifactory and Sonatype Nexus for SMB and mid-sized engineering teams. The entire stack runs on Hetzner infrastructure in Germany: the marketing site at craftifact.com is served from a Hetzner dedicated server with no CDN in front, the SaaS application runs on Hetzner Cloud Nuremberg, and the identity provider runs on a separate Hetzner host behind Caddy. A self-hosted edition is available as Early Access for organisations with on-premise residency requirements.
Features
- Maven, npm, Python, OCI (Docker) and Go (beta) artifact formats
- Hosted, proxy and group repository types
- SSO via external OIDC IdP, plus native IdP with TOTP and passkey 2FA
- Role-based access control with user grouping
- CycloneDX SBOM auto-generation when not provided on upload
- Vulnerability mapping to components and individual artifacts
- Dependency and transitive-dependency inspection across repositories
- Licence signal review from SBOM data
- Leaked-credential and token detection mapped back to the originating artifact
- Rule-based cleanup of obsolete artifacts (Pro tier and above)
- S3-compatible external storage (Teams tier and above)
- Comprehensive audit logging (Pro tier and above)
Alternatives
Other European companies in the same category as Craftifact.
Sovereignty Scorecard
Procurement-grade signals on data sovereignty, ownership, and EU residency.
We score every European vendor against six sovereignty dimensions captured in the SHIELD acronym. Each card below maps to one letter — read them as a checklist when comparing providers.
The third parties that touch customer data — payment processors, KYC vendors, support chatbots, analytics.
Where the legal entity sits, who controls it, and which subsidiaries operate under the same group.
Where customer data is physically stored, who runs the hosting stack, which CDN sits in front.
Whether the vendor or its subprocessors fall under the US CLOUD Act or other extraterritorial reach.
Public terms, privacy policy, DPA, subprocessor list, impressum, and security or trust pages.
Independent audits and certifications (ISO 27001, BSI C5, TISAX, SOC 2) plus open-source transparency.
Privately held
Bootstrapped sole proprietorship (Einzelunternehmen) operated by Benjamin Wenzel. No external investors disclosed on any primary source. Viktoriia Wenzel is named as COO and CFO on the SoluForge about-us page. Neither the Craftifact nor the SoluForge impressum lists a GmbH or 'i.G.' (in formation) entity as of 2026-05-12.
🇩🇪 Berlin, Germany
Benjamin Wenzel SoluForge
Fixed region
All declared infrastructure runs on Hetzner in Germany. The marketing site is on a Hetzner dedicated server, the SaaS application on Hetzner Cloud Nuremberg, the identity provider on a separate Hetzner host. Region is not customer-configurable on the SaaS plans.
Website: Hetzner dedicated server in Germany (188.40.219.138 in DE-HETZNER-20090423 / AS24940). Apache with mod_pagespeed; no CDN in front
Application: Hetzner Cloud Nuremberg (78.47.128.78 in CLOUD-NBG1)
Email: Hetzner shared mail (MX terminator: www646.your-server.de)
CDN: None -- direct from origin, no Cloudflare, Fastly or Akamai in the request path
| Name | Country | Purpose |
|---|---|---|
| Hetzner Online GmbH | 🇩🇪 Germany | Hosting and infrastructure: dedicated server for the marketing site, Hetzner Cloud Nuremberg for the SaaS application, identity-provider host, mail server and authoritative DNS. |
Pricing
€99
- 40 GB base storage (up to 120 GB with add-on at €15/mo)
- Maven, npm, Python, OCI and Go repository formats
- Hosted, proxy and group repository types
- Native IdP with TOTP and passkey 2FA
- 24-hour backup retention (3 days history)
€199
- 80 GB base storage (up to 280 GB with add-on at €25/mo)
- SSO via external OIDC IdP
- Rule-based cleanup of obsolete artifacts
- External repository import
- Comprehensive audit logging
- 1-hour backup retention (30 days history)
€399
- 160 GB base storage (up to 600 GB with add-on at €40/mo)
- Custom domain support
- Supply-chain insights
- S3-compatible external storage
- Full Pro feature set
Contact
- Custom storage allocation
- Custom SLA terms
- Negotiated DPA
Questions & Answers
6 questions
Where is my data stored?
All Craftifact infrastructure runs on Hetzner in Germany. The SaaS application runs on Hetzner Cloud Nuremberg, the marketing site on a Hetzner dedicated server, and the identity provider on a separate Hetzner host. Region is not customer-configurable on the SaaS plans; the self-hosted edition lets organisations choose their own deployment target.
Is Craftifact subject to the US CLOUD Act?
No. The operating entity is Benjamin Wenzel SoluForge, a German sole proprietorship based in Berlin, with no US subsidiary or US-headquartered parent. The only declared subprocessor is Hetzner Online GmbH (Germany). No US-incorporated subprocessor appears on the published subprocessor list at https://craftifact.com/subprocessors/, so the declared data path stays outside CLOUD Act reach.
Which artifact formats are supported?
Maven, npm, Python, OCI (Docker) and Go (beta) — five package formats with hosted, proxy and group repository types per format. SBOM generation uses the CycloneDX format and is automatic when an SBOM is not provided with the artifact upload.
What's the SLA?
99.9% uptime per calendar month, measured at the platform-availability layer. Maintenance windows are Tuesdays 00:00 to 04:00 CET/CEST, capped at 4 hours per month and excluded from the uptime calculation. Service credits are not automatic; remedies are agreed contractually where applicable. Support response targets (non-binding, Monday-Friday 08:00-18:00 CET/CEST): P1 within 1 hour, P2 within 2 hours, P3 within 4 hours, P4 within 8 hours.
Is Craftifact open source?
No. The SoluForge and craftifact GitHub organisations exist (created 2025-06-10 and 2025-07-22 respectively) but currently have no public repositories. Craftifact is a commercial SaaS; a self-hosted edition is available as Early Access for organisations with on-premise residency requirements. The licence model for the self-hosted edition is not stated publicly.
Does Craftifact publish a DPA?
Yes. A preview of the standard Data Processing Agreement is publicly available at https://app.soluforge.de/shop/legal/dpa/preview/?legal_context=shop. The final personalised DPA is generated post-login on the shop. Annex 3 of the DPA points dynamically to the live https://craftifact.com/subprocessors/ list and obliges Craftifact to give customers 14 days' prior notice of any subprocessor change.
Quick facts
Sources & verification
Every fact on this page is backed by a primary or independent source. Most recent verification: May 12, 2026.
Found an error? Report it
Profile content
- primary · about-pagecraftifact.comHomepage hero and meta description
- primary · about-pagecraftifact.com
- primary · security-pagecraftifact.com/security
- primary · about-pagecraftifact.com/featuresFeature set used in the second paragraph
- primary · othercraftifact.com/deLanguage switcher exposes EN at / and DE at /de/
- primary · pricing-pagecraftifact.com/pricingPrices server-rendered; net EUR, B2B only
- primary · termsapp.soluforge.de/shop/legal/termsAnnual 10% discount and 14-day post-invoice payment
- primary · about-pagecraftifact.com/features
- primary · security-pagecraftifact.com/security
- primary · termscraftifact.com/slaSLA targets and maintenance window
- primary · subprocessor-listcraftifact.com/subprocessors
- primary · dpaapp.soluforge.de/shop/legal/dpa/previewPublic preview DPA
- primary · about-pagecraftifact.com/self-hosted
Sovereignty (SHIELD)
- primary · subprocessor-listcraftifact.com/subprocessorsPage lists Hetzner Online GmbH as the only subprocessor; effective date 13.01.2026
- primary · http-headersapp.soluforge.dePublic subprocessor list at craftifact.com/subprocessors/ as of 2026-01-13 names Hetzner Online GmbH only. Note for the customer: the CSP form-action directive on app.soluforge.de also allows mollie.com and pay.mollie.com -- if Mollie is in use for payments it should be added to the published subprocessor list.
- primary · impressumcraftifact.com/legal-notice
- primary · impressumsoluforge.de/impressumSame legal entity, address and VAT for both brands
- primary · impressumcraftifact.com/legal-noticeSingle Vertretungsberechtigt = Benjamin Wenzel; sole-proprietor structure
- primary · about-pagesoluforge.de/ueber-unsViktoriia Wenzel listed as COO & CFO; Benjamin Wenzel '10+ years DevOps' background
- primary · dns-recordscraftifact.comMarketing site, SaaS app, IdP, mail and authoritative DNS all on Hetzner DE
- primary · dns-recordscraftifact.comdig + whois on 188.40.219.138 returns DE-HETZNER-20090423 / AS24940; SaaS app on 78.47.128.78 in CLOUD-NBG1; MX = www646.your-server.de
- primary · http-headerscraftifact.comcurl -I returns server: Apache + x-mod-pagespeed; no cf-ray, x-served-by, Akamai or Fastly headers
- primary · subprocessor-listcraftifact.com/subprocessorsOnly Hetzner Online GmbH (Germany) is declared
- primary · dns-recordscraftifact.comFull stack on Hetzner DE; no US infrastructure detected
- primary · impressumcraftifact.com/legal-noticeAll legal-doc URLs surfaced via the site footer and the /legal/ index
- primary · othergithub.com/craftifactGitHub user exists (created 2025-07-22), 0 public repos
- primary · othergithub.com/SoluForgeGitHub org exists (created 2025-06-10), 0 public repos. No OSS published as of verification date