// Trust & Security Report

    n8n GmbH logo

    n8n GmbH

    Workflow automation / AI agent orchestration platform, available as n8n Cloud (managed SaaS) and self-hosted (open-source and licensed Enterprise editions), with tiers spanning Starter, Pro, Business and Enterprise.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    n8n aligns its security program to SOC 2 ... We undergo continuous evaluation and annual audits by an independent auditor as part of ongoing compliance with this standard. Our SOC 2 report is available to enterprise customers.

    Verify on n8n.io
    SOC 3
    HELD

    You can download our SOC 3 report here. The report contains the auditor's opinion, management assertion, and system description.

    Verify on n8n.io
    GDPR
    HELD

    For more details about privacy, security and how we comply with GDPR at n8n, please visit our docs. [security page] ... For Cloud versions of n8n, n8n is considered both a Controller and a Processor as defined by the GDPR [docs privacy-and-security page]

    Verify on n8n.io
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: n8n's own Trust Center (trust.n8n.io) lists only SOC 2 Type 2, SOC 3, and GDPR badges/reports; ISO 27001 does not appear anywhere on the vendor's security page, legal pages, or trust center. Third-party comparison content explicitly notes n8n does not hold ISO 27001 itself (customers can only get ISO 27001-aligned posture by self-hosting on a certified host).

    source: trust.n8n.io
    HIPAA
    NOT CONFIRMED

    No public evidence of a vendor-signed BAA or HIPAA attestation; HIPAA is not listed on trust.n8n.io or n8n.io/legal/security/. Independent guidance confirms n8n does not sign Business Associate Agreements and HIPAA use requires self-hosting on BAA-covered infrastructure the customer controls.

    source: trust.n8n.io
    PCI DSS
    NOT CONFIRMED

    No public evidence; not referenced on trust.n8n.io, the security page, or legal pages. n8n does not process cardholder payment data directly (billing is handled by a payment processor), so PCI DSS is out of scope for the core product.

    source: trust.n8n.io
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence; not listed on trust.n8n.io or the security page alongside SOC 2/SOC 3/GDPR badges.

    source: trust.n8n.io
    CSA STAR
    NOT CONFIRMED

    No public evidence; not listed on trust.n8n.io. n8n does publish CAIQ (Consensus Assessments Initiative Questionnaire) self-assessments for cloud and self-hosted customers, which is CSA-related but not a CSA STAR registry listing or certification.

    source: trust.n8n.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    n8n Cloud is hosted on Microsoft Azure with production data in the EU; the subprocessor list additionally shows Hetzner Online (Germany) as a cloud provider. Self-hosted deployments can be located anywhere the customer chooses.

    n8n's Privacy Policy states directly: 'We do not use personal data processed in connection with the Website or Services, including data from third-party services or integrations, to train n8n or third party machine learning (ML) models.' The separate AI Terms reiterate this for AI Features specifically: 'n8n will not: Use Customer Data to train any AI models operated by n8n' and 'n8n will not use AI Output to train AI models operated by n8n,' with AI-related processing data described elsewhere as deleted after 30 days. Both documents agree; no legacy-ToS vs current-AI-page contradiction found. Note that when a user wires a workflow to a third-party LLM (OpenAI, Anthropic, Google Vertex, etc.), that provider's own data-use terms govern what happens to the data once it leaves n8n.

    // Security controls

    Encryption in transit

    TLS/SSL for all client-to-service traffic, public API and webhook traffic; n8n uses Cloudflare to manage and renew SSL certificates.

    n8n.io

    Encryption at rest

    n8n Cloud data encrypted at rest via Azure Storage server-side encryption (AES256, FIPS-140-2 compliant implementation); self-hosted users are responsible for configuring their own disk/volume encryption.

    n8n.io

    Authentication / SSO

    Username/password with optional MFA on all plans; SSO, SAML, and LDAP available on Business/Enterprise plans; 2FA enforcement available on Enterprise.

    n8n.io

    Access control (RBAC)

    Role-based access control available on all paid plans; full RBAC with project/instance admin roles on Business and Enterprise.

    n8n.io

    Audit logging

    Server logs centrally collected; audit log history retained at least 12 months, with the last 3 months immediately available for analysis.

    n8n.io

    Vulnerability management

    Third-party vulnerability scans at least every 90 days; third-party penetration tests at least annually; SAST integrated into CI/CD; public vulnerability disclosure program.

    n8n.io

    Backup & disaster recovery

    Daily automated backups replicated to a separate region in the same country, encrypted the same as production data; documented Business Continuity Plan and Disaster Recovery Plan.

    n8n.io

    Self-hosting option

    Full source available on GitHub; can be deployed entirely on customer infrastructure (Docker/on-prem) so sensitive data never leaves customer control.

    n8n.io

    // Products & data scope

    n8n CloudManaged SaaS workflow/AI-agent automation

    data: Customer workflow data, credentials, and execution logs hosted on n8n-managed Azure infrastructure in the EU; instances are logically isolated per customer.

    Subject to n8n's SOC 2/SOC 3 program and GDPR Controller/Processor obligations; SSO/SAML/LDAP only on Business+ tiers.

    Self-hosted n8n (open-source / Enterprise license)Self-managed workflow/AI-agent automation, deployable via Docker or source

    data: All data stays on customer-controlled infrastructure; encryption at rest and network security are the customer's responsibility.

    Only self-hosted deployments let a customer claim their own ISO 27001/HIPAA posture, since n8n itself does not hold those certifications and does not sign BAAs.

    AI Features / agent workflowsIn-product AI orchestration (calls to OpenAI, Anthropic, Google Vertex AI, LangChain, etc.)

    data: Prompts/outputs pass through n8n to the customer's configured third-party model provider; governed by the separate n8n AI Terms plus each model provider's own terms.

    n8n contractually commits not to use Customer Data or AI Output to train its own models; data tied to AI Feature processing is deleted after 30 days per documentation.

    // What to watch

    • n8n does not hold ISO 27001 or HIPAA itself; marketing material and third-party integrator content occasionally implies broader compliance ('ISO 27001, or SOC 2 compliance' achievable via self-hosting) that should not be read as n8n holding those certifications directly - list only what the vendor's own trust center shows.
    • The security page's phrase 'n8n aligns its security program to SOC 2' is softer language than a certification claim, but the same page and trust.n8n.io both confirm an actual SOC 2 Type II report exists and is available to enterprise customers under NDA/request, so held=true is supported; flagging the soft wording for awareness.
    • SOC 2 report itself was not directly viewable (gated to enterprise customers), so its scope/type was confirmed via the trust.n8n.io badge ('SOC 2 Type 2') rather than the underlying report; treat as vendor-attested rather than independently read.
    • HIPAA/BAA posture was corroborated primarily via third-party sources (not vendor domain) since n8n's own pages simply omit HIPAA rather than explicitly disclaiming it; absence-based held=false, not a vendor statement.

    // At a glance

    Pricing model

    Tiered subscription (Starter/Pro/Business self-serve, custom Enterprise), self-hosted free/open-source option, priced per active workflow/execution volume plus tier features

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on n8n GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.n8n.io

    > Browse all vendor trust reports