Security

Data and system access controls

• Personal data is accessible and manageable only by properly authorized staff.
• Direct database query access is restricted.
• Access rights to our applications used to process personal data are established and enforced; access is via secure passwords and two-factor authentication, where possible.
• Personal data is never stored locally, or in physical form.

Data encryption and transmission controls

• n8n will always encrypt sensitive data (e.g. passwords, credentials you create in the app to communicate with different services) when transitioning data to/from different services to ensure it cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
• n8n has the decryption key at hand to decrypt that data for use.
• Account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved — it must be reset.

Data backups and deletion

• We generate daily backups of execution data, stored workflows, webhooks and encrypted credentials, and store them using a secure sub-processor. These backups enable us to restore your data in case of accidental deletion or subscription cancellation.
• By default, raw execution logs are purged on a rolling basis, and are deleted no more than 30 days after executions have taken place, unless longer log retention time is requested by the user.

Data segregation

• Data from different n8n subscribers is logically segregated on systems managed by n8n.