// Trust & Security Report
n8n GmbH
Workflow automation / AI agent orchestration platform, available as n8n Cloud (managed SaaS) and self-hosted (open-source and licensed Enterprise editions), with tiers spanning Starter, Pro, Business and Enterprise.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on n8n.io“n8n aligns its security program to SOC 2 ... We undergo continuous evaluation and annual audits by an independent auditor as part of ongoing compliance with this standard. Our SOC 2 report is available to enterprise customers.”
Verify on n8n.io“You can download our SOC 3 report here. The report contains the auditor's opinion, management assertion, and system description.”
Verify on n8n.io“For more details about privacy, security and how we comply with GDPR at n8n, please visit our docs. [security page] ... For Cloud versions of n8n, n8n is considered both a Controller and a Processor as defined by the GDPR [docs privacy-and-security page]”
> Show 5 unconfirmed / not-held certifications
source: trust.n8n.ioNo public evidence: n8n's own Trust Center (trust.n8n.io) lists only SOC 2 Type 2, SOC 3, and GDPR badges/reports; ISO 27001 does not appear anywhere on the vendor's security page, legal pages, or trust center. Third-party comparison content explicitly notes n8n does not hold ISO 27001 itself (customers can only get ISO 27001-aligned posture by self-hosting on a certified host).
source: trust.n8n.ioNo public evidence of a vendor-signed BAA or HIPAA attestation; HIPAA is not listed on trust.n8n.io or n8n.io/legal/security/. Independent guidance confirms n8n does not sign Business Associate Agreements and HIPAA use requires self-hosting on BAA-covered infrastructure the customer controls.
source: trust.n8n.ioNo public evidence; not referenced on trust.n8n.io, the security page, or legal pages. n8n does not process cardholder payment data directly (billing is handled by a payment processor), so PCI DSS is out of scope for the core product.
source: trust.n8n.ioNo public evidence; not listed on trust.n8n.io or the security page alongside SOC 2/SOC 3/GDPR badges.
source: trust.n8n.ioNo public evidence; not listed on trust.n8n.io. n8n does publish CAIQ (Consensus Assessments Initiative Questionnaire) self-assessments for cloud and self-hosted customers, which is CSA-related but not a CSA STAR registry listing or certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
n8n Cloud is hosted on Microsoft Azure with production data in the EU; the subprocessor list additionally shows Hetzner Online (Germany) as a cloud provider. Self-hosted deployments can be located anywhere the customer chooses.
n8n's Privacy Policy states directly: 'We do not use personal data processed in connection with the Website or Services, including data from third-party services or integrations, to train n8n or third party machine learning (ML) models.' The separate AI Terms reiterate this for AI Features specifically: 'n8n will not: Use Customer Data to train any AI models operated by n8n' and 'n8n will not use AI Output to train AI models operated by n8n,' with AI-related processing data described elsewhere as deleted after 30 days. Both documents agree; no legacy-ToS vs current-AI-page contradiction found. Note that when a user wires a workflow to a third-party LLM (OpenAI, Anthropic, Google Vertex, etc.), that provider's own data-use terms govern what happens to the data once it leaves n8n.
// Security controls
Encryption in transit
TLS/SSL for all client-to-service traffic, public API and webhook traffic; n8n uses Cloudflare to manage and renew SSL certificates.
n8n.ioEncryption at rest
n8n Cloud data encrypted at rest via Azure Storage server-side encryption (AES256, FIPS-140-2 compliant implementation); self-hosted users are responsible for configuring their own disk/volume encryption.
n8n.ioAuthentication / SSO
Username/password with optional MFA on all plans; SSO, SAML, and LDAP available on Business/Enterprise plans; 2FA enforcement available on Enterprise.
n8n.ioAccess control (RBAC)
Role-based access control available on all paid plans; full RBAC with project/instance admin roles on Business and Enterprise.
n8n.ioAudit logging
Server logs centrally collected; audit log history retained at least 12 months, with the last 3 months immediately available for analysis.
n8n.ioVulnerability management
Third-party vulnerability scans at least every 90 days; third-party penetration tests at least annually; SAST integrated into CI/CD; public vulnerability disclosure program.
n8n.ioBackup & disaster recovery
Daily automated backups replicated to a separate region in the same country, encrypted the same as production data; documented Business Continuity Plan and Disaster Recovery Plan.
n8n.ioSelf-hosting option
Full source available on GitHub; can be deployed entirely on customer infrastructure (Docker/on-prem) so sensitive data never leaves customer control.
n8n.io// Products & data scope
data: Customer workflow data, credentials, and execution logs hosted on n8n-managed Azure infrastructure in the EU; instances are logically isolated per customer.
Subject to n8n's SOC 2/SOC 3 program and GDPR Controller/Processor obligations; SSO/SAML/LDAP only on Business+ tiers.
data: All data stays on customer-controlled infrastructure; encryption at rest and network security are the customer's responsibility.
Only self-hosted deployments let a customer claim their own ISO 27001/HIPAA posture, since n8n itself does not hold those certifications and does not sign BAAs.
data: Prompts/outputs pass through n8n to the customer's configured third-party model provider; governed by the separate n8n AI Terms plus each model provider's own terms.
n8n contractually commits not to use Customer Data or AI Output to train its own models; data tied to AI Feature processing is deleted after 30 days per documentation.
// What to watch
- n8n does not hold ISO 27001 or HIPAA itself; marketing material and third-party integrator content occasionally implies broader compliance ('ISO 27001, or SOC 2 compliance' achievable via self-hosting) that should not be read as n8n holding those certifications directly - list only what the vendor's own trust center shows.
- The security page's phrase 'n8n aligns its security program to SOC 2' is softer language than a certification claim, but the same page and trust.n8n.io both confirm an actual SOC 2 Type II report exists and is available to enterprise customers under NDA/request, so held=true is supported; flagging the soft wording for awareness.
- SOC 2 report itself was not directly viewable (gated to enterprise customers), so its scope/type was confirmed via the trust.n8n.io badge ('SOC 2 Type 2') rather than the underlying report; treat as vendor-attested rather than independently read.
- HIPAA/BAA posture was corroborated primarily via third-party sources (not vendor domain) since n8n's own pages simply omit HIPAA rather than explicitly disclaiming it; absence-based held=false, not a vendor statement.
// At a glance
Pricing model
Tiered subscription (Starter/Pro/Business self-serve, custom Enterprise), self-hosted free/open-source option, priced per active workflow/execution volume plus tier features
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on n8n GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.n8n.io