Get Started

n8n Legal

Security at n8n

Based in Berlin, prioritizing security and privacy is baked into our culture. Many of the world's most well-known Enterprises trust n8n with their data – we don’t take that lightly. Here are some of the measures, systems, and controls we’ve put in place – both at product and company level – to ensure security always underpins everything we do.

Compliance

n8n aligns its security program to SOC 2, a standard framework for security compliance. That means we have implemented processes and follow procedures that uphold high standards of security for our customers' data. We undergo continuous evaluation and annual audits by an independent auditor as part of ongoing compliance with this standard.

SOC2 badge 150px.png

SOC 2 report

Our SOC 2 report is available to enterprise customers. Others can refer to our SOC 3 report and the details about our security program below.

SOC 3 report

You can download our SOC 3 report here. The report contains the auditor’s opinion, management assertion, and system description.

Documentation

For more details about privacy, security and how we comply with GDPR at n8n, please visit our docs.

Customer data protection & encryption

User accounts, authentication, and authorization

n8n Cloud

When you sign up for an n8n cloud account, you create an account directly with n8n. When you create an account on n8n.cloud with a username and password, n8n implements best practices for account management. For example, n8n salts and hashes your password, then stores the hashed password in a database that’s encrypted at rest.

Self-hosted

n8n salts and hashes the passwords of self-hosted users on account creation. However, encrypting other data at rest is the responsibility of the user. Refer to Data Encryption | Self-hosted n8n for more information.

n8n supports custom session timeouts on self-hosted.

Third-party accounts

A key part of n8n's functionality is linking third-party services. When you link an account from a third-party application, you may need to either authorize n8n OAuth application access to your account, or provide an API key or other credentials.

n8n recommends using OAuth for third-party applications that support it. The OAuth protocol allows n8n to request scoped access to specific resources in your third-party account without you having to provide long-term credentials directly. n8n must request short-term access tokens at regular intervals, and most applications provide a way to revoke n8n's access to your account at any time.

Some third-party applications don't provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if your application provides such functionality, n8n recommends limiting that API key's access to only the resources you need to access within n8n.

When you use credentials in a workflow, n8n loads them into the execution environment of your n8n instance. For n8n Cloud, customer instances are logically isolated from one another. n8n doesn't log or export credentials by default. If you log their values you can always delete the data for that execution. The platform deletes execution data automatically based on your account’s retention settings.

You can delete your OAuth grants or key-based credentials at any time. Deleting OAuth grants within n8n doesn't revoke n8n’s access to your account. You must revoke that access wherever you manage OAuth grants in your third-party application.

User authentication

A username and password are required to authenticate into the app, with MFA optional for external uses. SSO, SAML, and LDAP are available with n8n’s Enterprise plan.

Role-based authorization

Advanced RBAC permissions are available on all paid plans to ensure governance, including designating super admin user roles.

Cloud hosting & storage

n8n cloud uses Microsoft Azure for hosting. The physical hardware powering n8n, and the data stored by the platform, is currently hosted in the Azure Germany West Central data center in Frankfurt. Microsoft controls and secures this location. We’re preparing to host in additional locations too. You can read more about Azure’s security practices and compliance certifications.

n8n further secures access to Azure resources through a series of controls, including:

  • Using multi-factor authentication to access Azure
  • Hosting services within a private network that’s inaccessible to the public internet.

n8n stores all OAuth tokens, key-based credentials, and the rest of your Cloud instance's database on a disk that's encrypted at rest using Azure server side encryption (at the time of writing, using AES256 and a FIPS-140-2 compliant implementation). For n8n cloud, this database also resides in a private network. Backups of that database are also encrypted.

Data encryption

n8n Cloud

When you use the n8n web application, it encrypts traffic between your client and n8n services in transit. The same applies for traffic related to the public API or webhook trigger nodes. n8n uses Cloudflare to manage and renew SSL certificates.

Data encryption at rest: n8n encrypts customer data at rest in your instance's mounted volume. n8n uses Azure Storage server-side encryption (using AES256 and a FIPS-140-2 compliant implementation). Azure Storage has achieved a wide range of compliance certifications. Refer to Azure Storage compliance offerings for more information.

Self-hosted n8n

Self-hosters must:

  • Ensure data is encrypted in transit by setting up a reverse proxy in front of the n8n instance to handle TLS.
  • Handle encrypting data at rest. This can be achieved by using encrypted partitions, or encryption at the hardware level, and ensuring n8n and its database is written to that location. Cloud providers typically offer storage systems with disk encryption built-in.

Network protection

An operational audit system constantly monitors n8n's cloud infrastructure and sends alerts to appropriate personnel when necessary. We only use configurations that implement approved networking ports and protocols, including firewalls. For example, we maintain a Web Application Firewall to protect n8n’s web application from malicious traffic and outside threats. And an Intrusion Detection System to detect potential intrusions.

Audit logging

n8n collects and stores all your server logs in a central location. Authorized users can query the log info as necessary to trace actions to individual users. We keep audit log history and historical activity records for at least 12 months, with at least the last three months immediately available for analysis.

Secure development practices

Version control system

n8n uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Any employee must get their access approved by a system admin to make code changes.

Code review process

When n8n's application code changes, someone other than the person who made the change reviews and tests the new code.

Separate testing and production environments

n8n uses separate environments for testing and production for our application.

Restricted production code changes

Only authorized n8n personnel can push or make changes to production code.

Static Application Security Testing (SAST)

n8n uses static application security testing (SAST) or an equivalent tool as part of the CI/CD pipeline to detect vulnerabilities in its code base. When vulnerabilities are identified, corrections are implemented before release as appropriate based on the nature of the vulnerability.

Systems Monitoring

n8n monitors its code, infrastructure, and core applications for known vulnerabilities and addresses critical vulnerabilities promptly.

Access controls

Strictly ‘need-to-know’ access to data

n8n grants employees access to systems containing sensitive data on a least-privilege basis. This means employees only have access to the data they need to perform their job. The company reviews system access quarterly, on any change in role, and upon termination.

Restricted production code access

n8n uses GitHub to store and version all production code. Employees use multi-factor authentication to access the GitHub organization. And only authorized n8n personnel can deploy or make changes to production code.

Required multi-factor authentication

We require MFA wherever it is available.

Encrypted web-based access

n8n uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet. All connections happen over SSL/TLS with a valid certificate from a reliable Certificate Authority.

Corporate security

Rigorous hiring process

Job candidates must pass through multiple stages of comprehensive background checks and interviews to ensure they comply with relevant laws, regulations, and ethics. All new employees must sign our data protection policy on hire.

Strict offboarding process

When an employee leaves n8n, we use a termination checklist to ensure that the employee's system access, including physical access, gets removed within one business day and all organization assets (physical or electronic) get returned.

Workstation security

n8n provides hardware to all new hires. These machines run a local agent that sets the configuration of the operating system to hardened standards, including

  • Automatic OS updates
  • Hard disk encryption
  • A password manager
  • Anti-malware software
  • Screen lock of no more than 15 minutes

Employee security training & awareness

Employees receive privacy and security training during onboarding and annually thereafter. In addition, all new employees and contractors sign contracts that include terms around data protection policy and confidentiality.

Threat & vulnerability management

Vulnerability scans

n8n conducts third-party vulnerability scans of its production environment at least once every 90 days.

Penetration tests

n8n conducts third-party penetration tests of its production environment at least once a year.

Intrusion detection

N8n operates an intrusion detection system (IDS) to detect potential intrusions and alert personnel when a potential intrusion is detected. Including a continuously updated anti-malware solution that scans continuously to detect, remove, or block all types of known malware.

Phishing simulations

n8n conducts periodic phishing simulations as part of the company's security awareness initiatives.

Threat intelligence

n8n has implemented mechanisms to collect threat information and produce threat intelligence (e.g., commercial cyber threat intelligence tools, security product/vendor intelligence feeds, open source feeds, etc.) in accordance with defined threat intelligence objectives.

Backup, recovery, and business continuity

n8n stores customer data in a secure production account in Azure, using a combination of Azure Blob Storage and PostgreSQL databases. n8n automatically backs up all customer and system data daily to protect against catastrophic loss due to unforeseen events that impact the entire system. This process backs up or replicates data to a separate region in the same country. And the backups are encrypted in the same way as live production data.

n8n’s backup service monitors the entire backup process, and any failures automatically trigger an alert to the Incident Response Team.

n8n has a defined and regularly tested Business Continuity Plan outlining the procedures to respond, recover, resume, and restore operations following a major natural disaster or catastrophic system failure.

Disaster recovery plan

n8n has formulated a detailed disaster recovery plan outlining the roles, responsibilities, and detailed procedures for recovering systems in case of failure.

Security logs

n8n collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.

Information security policy

n8n has an Information Security Policy to define security obligations for employees and contractors, together with its disciplinary process for violations of the policy.

Vulnerability disclosure

n8n has a dedicated process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.

In addition, n8n maintains customer-accessible support documentation where you can find support contact information. We’re committed to ensuring n8n is a safe and secure tool for all our users. So should you find any operational or security failures, incidents, system problems, concerns, or other issues/complaints, please don’t hesitate to contact the relevant n8n personnel.