n8n Legal

Security at n8n

Based in Berlin, prioritizing security and privacy is baked into our culture. Many of the world's most well-known Enterprises trust n8n with their data – we don’t take that lightly. Here are some of the measures, systems, and controls we’ve put in place – both at product and company level – to ensure security always underpins everything we do.

Compliance

n8n aligns its security program to SOC 2, a standard framework for security compliance. That means we have implemented processes and follow procedures that uphold high standards of security for our customers' data. We undergo continuous evaluation and annual audits by an independent auditor as part of ongoing compliance with this standard.

SOC2 badge 150px.png

SOC 2 report

Our SOC 2 report is available to enterprise customers. Others can refer to our SOC 3 report and the details about our security program below.

SOC 3 report

You can download our SOC 3 report here. The report contains the auditor’s opinion, management assertion, and system description.

Documentation

For more details about privacy, security and how we comply with GDPR at n8n, please visit our docs.

Customer data protection & encryption

User accounts, authentication, and authorization

n8n Cloud

When you sign up for an n8n cloud account, you create an account directly with n8n. When you create an account on n8n.cloud with a username and password, n8n implements best practices for account management. For example, n8n salts and hashes your password, then stores the hashed password in a database that’s encrypted at rest.

Self-hosted

n8n salts and hashes the passwords of self-hosted users on account creation. However, encrypting other data at rest is the responsibility of the user. Refer to Data Encryption | Self-hosted n8n for more information.

n8n supports custom session timeouts on self-hosted.

Third-party accounts

A key part of n8n's functionality is linking third-party services. When you link an account from a third-party application, you may need to either authorize n8n OAuth application access to your account, or provide an API key or other credentials.

n8n recommends using OAuth for third-party applications that support it. The OAuth protocol allows n8n to request scoped access to specific resources in your third-party account without you having to provide long-term credentials directly. n8n must request short-term access tokens at regular intervals, and most applications provide a way to revoke n8n's access to your account at any time.

Some third-party applications don't provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if your application provides such functionality, n8n recommends limiting that API key's access to only the resources you need to access within n8n.

When you use credentials in a workflow, n8n loads them into the execution environment of your n8n instance. For n8n Cloud, customer instances are logically isolated from one another. n8n doesn't log or export credentials by default. If you log their values you can always delete the data for that execution. The platform deletes execution data automatically based on your account’s retention settings.

You can delete your OAuth grants or key-based credentials at any time. Deleting OAuth grants within n8n doesn't revoke n8n’s access to your account. You must revoke that access wherever you manage OAuth grants in your third-party application.

User authentication

A username and password are required to authenticate into the app, with MFA optional for external uses. SSO, SAML, and LDAP are available with n8n’s Enterprise plan.

Role-based authorization

Advanced RBAC permissions are available on all paid plans to ensure governance, including designating super admin user roles.

Cloud hosting & storage

n8n cloud uses Microsoft Azure for hosting. The physical hardware powering n8n, and the data stored by the platform, is currently hosted in the Azure Germany West Central data center in Frankfurt. Microsoft controls and secures this location. We’re preparing to host in additional locations too. You can read more about Azure’s security practices and compliance certifications.

n8n further secures access to Azure resources through a series of controls, including:

Using multi-factor authentication to access Azure
Hosting services within a private network that’s inaccessible to the public internet.

n8n stores all OAuth tokens, key-based credentials, and the rest of your Cloud instance's database on a disk that's encrypted at rest using Azure server side encryption (at the time of writing, using AES256 and a FIPS-140-2 compliant implementation). For n8n cloud, this database also resides in a private network. Backups of that database are also encrypted.

Data encryption

n8n Cloud

When you use the n8n web application, it encrypts traffic between your client and n8n services in transit. The same applies for traffic related to the public API or webhook trigger nodes. n8n uses Cloudflare to manage and renew SSL certificates.

Data encryption at rest: n8n encrypts customer data at rest in your instance's mounted volume. n8n uses Azure Storage server-side encryption (using AES256 and a FIPS-140-2 compliant implementation). Azure Storage has achieved a wide range of compliance certifications. Refer to Azure Storage compliance offerings for more information.

Self-hosted n8n

Self-hosters must:

Ensure data is encrypted in transit by setting up a reverse proxy in front of the n8n instance to handle TLS.
Handle encrypting data at rest. This can be achieved by using encrypted partitions, or encryption at the hardware level, and ensuring n8n and its database is written to that location. Cloud providers typically offer storage systems with disk encryption built-in.

Network protection

An operational audit system constantly monitors n8n's cloud infrastructure and sends alerts to appropriate personnel when necessary. We only use configurations that implement approved networking ports and protocols, including firewalls. For example, we maintain a Web Application Firewall to protect n8n’s web application from malicious traffic and outside threats. And an Intrusion Detection System to detect potential intrusions.

Audit logging

n8n collects and stores all your server logs in a central location. Authorized users can query the log info as necessary to trace actions to individual users. We keep audit log history and historical activity records for at least 12 months, with at least the last three months immediately available for analysis.

Secure development practices

Version control system

n8n uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Any employee must get their access approved by a system admin to make code changes.

Code review process

When n8n's application code changes, someone other than the person who made the change reviews and tests the new code.

Separate testing and production environments

n8n uses separate environments for testing and production for our application.

Restricted production code changes

Only authorized n8n personnel can push or make changes to production code.

Static Application Security Testing (SAST)

n8n uses static application security testing (SAST) or an equivalent tool as part of the CI/CD pipeline to detect vulnerabilities in its code base. When vulnerabilities are identified, corrections are implemented before release as appropriate based on the nature of the vulnerability.

Systems Monitoring

n8n monitors its code, infrastructure, and core applications for known vulnerabilities and addresses critical vulnerabilities promptly.

Access controls

Strictly ‘need-to-know’ access to data

n8n grants employees access to systems containing sensitive data on a least-privilege basis. This means employees only have access to the data they need to perform their job. The company reviews system access quarterly, on any change in role, and upon termination.

Restricted production code access

n8n uses GitHub to store and version all production code. Employees use multi-factor authentication to access the GitHub organization. And only authorized n8n personnel can deploy or make changes to production code.

Required multi-factor authentication

We require MFA wherever it is available.

Encrypted web-based access

n8n uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet. All connections happen over SSL/TLS with a valid certificate from a reliable Certificate Authority.

Corporate security

Rigorous hiring process

Job candidates must pass through multiple stages of comprehensive background checks and interviews to ensure they comply with relevant laws, regulations, and ethics. All new employees must sign our data protection policy on hire.

Strict offboarding process

When an employee leaves n8n, we use a termination checklist to ensure that the employee's system access, including physical access, gets removed within one business day and all organization assets (physical or electronic) get returned.

Workstation security

n8n provides hardware to all new hires. These machines run a local agent that sets the configuration of the operating system to hardened standards, including

Automatic OS updates
Hard disk encryption
A password manager
Anti-malware software
Screen lock of no more than 15 minutes

Employee security training & awareness

Employees receive privacy and security training during onboarding and annually thereafter. In addition, all new employees and contractors sign contracts that include terms around data protection policy and confidentiality.

Threat & vulnerability management

Vulnerability scans

n8n conducts third-party vulnerability scans of its production environment at least once every 90 days.

Penetration tests

n8n conducts third-party penetration tests of its production environment at least once a year.

Intrusion detection

N8n operates an intrusion detection system (IDS) to detect potential intrusions and alert personnel when a potential intrusion is detected. Including a continuously updated anti-malware solution that scans continuously to detect, remove, or block all types of known malware.

Phishing simulations

n8n conducts periodic phishing simulations as part of the company's security awareness initiatives.

Threat intelligence

n8n has implemented mechanisms to collect threat information and produce threat intelligence (e.g., commercial cyber threat intelligence tools, security product/vendor intelligence feeds, open source feeds, etc.) in accordance with defined threat intelligence objectives.

Backup, recovery, and business continuity

n8n stores customer data in a secure production account in Azure, using a combination of Azure Blob Storage and PostgreSQL databases. n8n automatically backs up all customer and system data daily to protect against catastrophic loss due to unforeseen events that impact the entire system. This process backs up or replicates data to a separate region in the same country. And the backups are encrypted in the same way as live production data.

n8n’s backup service monitors the entire backup process, and any failures automatically trigger an alert to the Incident Response Team.

n8n has a defined and regularly tested Business Continuity Plan outlining the procedures to respond, recover, resume, and restore operations following a major natural disaster or catastrophic system failure.

Disaster recovery plan

n8n has formulated a detailed disaster recovery plan outlining the roles, responsibilities, and detailed procedures for recovering systems in case of failure.

Security logs

n8n collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.

Information security policy

n8n has an Information Security Policy to define security obligations for employees and contractors, together with its disciplinary process for violations of the policy.

Vulnerability disclosure

n8n has a dedicated process for employees to report security, confidentiality, integrity, and availability failures, incidents, and concerns.

In addition, n8n maintains customer-accessible support documentation where you can find support contact information. We’re committed to ensuring n8n is a safe and secure tool for all our users. So should you find any operational or security failures, incidents, system problems, concerns, or other issues/complaints, please don’t hesitate to contact the relevant n8n personnel.

Privacy Policy

We are n8n GmbH (registered with number HRB 212509 B) trading as n8n.

Our registered address is:
Novalisstr. 10
10115 Berlin
Germany

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us at privacy@n8n.io.

How do we use your data?

When you register for n8n cloud. When you sign up for an account with us, we collect your name and email. We collect these details to put the contract in place between us that enables you to access our platform. We use PostHog in order to better understand how people use our product and to optimize our service and experience. You can click here to learn more about PostHog. Additional data including address and credit card information will be collected by our Merchant of Record, Paddle, in order to process your payment. We do not use any personal data, including data received through any third-party services, for developing, improving, or training AI and/or ML models. We do not transfer or disclose your information to third parties for purposes other than the ones provided. You can delete your n8n cloud account via the product. You can learn more about the data we collect on cloud in our docs.
When you use/run your own n8n deployment. If you install n8n on your own server, and you opt-in, we collect your email address, and may use it to contact you about your usage of the product. If you sign up for a paid plan, we collect your name, email address, company address, and the name and email address of others in your company (e.g. a billing contact). We collect these details to put a contract in place between us. If you use our credit card billing feature, our Merchant of Record, Paddle, collects information including your address and credit card information, in order to process your payment. In addition, we collect selected, anonymous information about how n8n is used. We use this information to improve your experience with our services and to protect from potential security attacks and abuse. We do not use any personal data, including data received through any third-party services, for developing, improving, or training AI and/or ML models. We do not transfer or disclose your information to third parties for purposes other than the ones provided. You can learn more about the data we collect, and how to disable this information collection in our docs.
When you sign up for the community forum. We collect your email address or social media handle in order to assign you with an account to use our forum. You can delete your forum account by emailing us at privacy@n8n.io.
When you attend one of our events or a third party event. When you attend one of our events or a third party event, we may collect your personal information including your name, address, email address and phone number. We collect this information because it’s in our legitimate interests to know who’s attending our events and to help promote our business at third party events. Where you attend one of our events we may take pictures or videos of you. We do this as we have a legitimate interest to promote our business. You can opt out of having your photo taken in this way both when you attend our events and at any time by contacting us at privacy@n8n.io.
When you contact us. When you contact us either by email or via our website or product with general queries, we will usually collect your name and contact details, because it’s in our legitimate interest to make sure we can properly respond to your query.
On social media. When you connect with us on social media including on Facebook, Twitter, YouTube and LinkedIn we will process your handle, name and email address under our legitimate interest to respond to your comments and queries promptly.
When you receive our news updates. We will handle your personal information (such as your name and email address) to provide you with our news updates in line with any preferences you have told us about.
When we send you our news updates because you have opted-in to receive them, we rely on your consent to contact you. If you have not opted-in and we send you our news updates emails, we do this because of our legitimate interest to promote our business.
You can unsubscribe from our updates at any time by clicking the unsubscribe link at the bottom of any of our emails, or by emailing privacy@n8n.io.
When you register as an expert. We collect your name, email address, and details about your company in order to communicate with you about the n8n expert program.
When you register as an affiliate. We collect your name and email address in order to communicate with you about the n8n affiliate program.
Technical information when you use our website. When you consent, we collect information about how you use our website. We use this information to improve our website and to better understand how people use it. More detail on the information we collect and how we do this is set out in our cookie policy. If you have given consent to the use of cookies, we will use Google Analytics in order to better understand our users’ needs and to optimize our service and experience. You can click here to learn more about how Google uses this data.
When you apply for a job with us. When you enter into the recruitment process with us we may collect your name, contact details, recruitment information (e.g. right to work documentation and references), qualifications, accreditations, test results (inc. psychometric and coding) and any additional information we may receive from our recruitment partners.
We will use your personal information to assess your suitability for our available roles. We do this to perform a contract or to take steps at your request, before entering into a contract. Where we process your right to work documentation, we will do so to comply with our legal obligations.
If our business is sold. We process your personal information for this purpose because we have a legitimate interest to ensure our business can be continued by the buyer. If you object to our use of your personal information in this way, the buyer of our business may not be able to provide services to you.

Where is my data stored?

We store your data in the EU.

Whenever we transfer your personal information outside of the EU, we ensure it receives additional protection as required by law. To keep this privacy policy as short and easy to understand as possible, we haven’t set out the specific circumstances when each of these protection measures are used. You can contact us at privacy@n8n.io for more detail on this.

How long do we keep your data for?

We store your personal information for no longer than necessary for the purposes for which it was collected, including for the purposes of satisfying any legal or reporting requirements, and in accordance with our legal obligations and legitimate business interests. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorized use or disclosure of your personal data; the purposes for which we process your personal data; and the applicable legal requirements.

In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to analyse our programmes and support other similar programmes around the world.

What are my rights under data protection laws?

You have various other rights under applicable data protection laws, including the right to:

access your personal data (also known as a “subject access request”)
correct incomplete or inaccurate data we hold about you
ask us to erase the personal data we hold about you
ask us to restrict our handling of your personal data
ask us to transfer your personal data to a third party
object to how we are using your personal data
withdraw your consent to us handling your personal data

You also have the right to lodge a complaint with your relevant supervisory authority, you can find which one applies to you here.

Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time.

Questions, comments and more detail

Your feedback and suggestions on this notice are welcome.

More information about n8n's data privacy practices, including GDPR compliance, data processing agreements, sub-processors, data collection, and AI integration, with distinctions between n8n Cloud and self-hosted versions is here.

We’ve worked hard to create a notice that’s easy to read and clear. But if you feel that we have overlooked an important perspective or used language which you think we could improve, please let us know by email at privacy@n8n.io.

This privacy policy was last updated on the 11th of November 2024. The previous version of our privacy policy can be seen here.

Terms of Service

PLEASE READ THESE TERMS AND CONDITIONS (“Terms”) CAREFULLY BEFORE USING THIS PLATFORM

We are n8n GmbH (registered with number HRB 212509 B) trading as n8n.

Our registered address is:
Novalisstr. 10, 10115, Berlin, Germany

If you have any questions about these Terms, please contact us at support@n8n.io.

By using our Platform you accept these Terms. If you do not agree to these Terms, you must not use our Platform.

In using our Platform we may process your personal data, more information about this can be found here.

Where you are not a consumer, you confirm that you have authority to bind the business on behalf of which you are accepting these Terms. In that context, references to “you” or “your” will be to that business. Otherwise it will refer to you, the individual entering into these Terms.

ACCOUNT CREATION AND SECURITY

You must create an account to use our Platform. When you register for an account on our Platform you must ensure that all information you provide to us is accurate and kept up to date. Upon registration we grant to you the personal, non-transferable right and licence to use the Platform for your own internal business purposes, until terminated as set out in these Terms.
You must keep your account details safe. Any piece of information as part of our security procedures including your username and password must be treated as confidential. We have the right to disable any user identification code or password at any time. If you know or suspect that anyone other than you knows your user identification code or password, you must promptly notify us at support@n8n.io.
These terms are binding. By using our Platform and downloading any of our Website Content you acknowledge that these terms will apply and you have legal capacity to enter into contracts in the country you live. You also confirm that when acting on behalf of a business you have authority to bind them to these terms. If this is not the case, you should not use our Platform.
Subscription fees. Where you wish to set up a paid subscription, a certain number of days will be made available to you at no cost as a free trial period. The duration of the free trial period will be clearly communicated to you in Platform. During the free trial period, the Platform will be provided to you as is, and we will not provide any guarantees or protections as to its performance or your use of it. Upon expiration of the free trial period, you will only be able to continue using the premium services if you pay the relevant fees. You will be liable to pay for all taxes and duties imposed by the relevant authorities, all prices listed on our Platform are exclusive of these.
Payment terms. Where you sign up to a monthly plan with us, all subscription fees will be payable in advance at the beginning of each month. You will be able to cancel your monthly subscription at any time which will give you access to our Platform until the end of that month, after which no further payments will be taken. If you sign up to an annual plan, this is a non-refundable payment which will be payable in advance. This will then provide you with access for a 12 month period.
Third party subscriptions. Some features on our Platform require you to have a paid subscription with third parties. These fees are separate to any monies paid to us, and you must create these accounts subject to any third party provider’s terms.
Upgrades and downgrades. Where you upgrade or downgrade the services you can access on our Platform and you are on a monthly plan, we will amend your fees payable on the next billing cycle. Where you are on an annual plan, you must pay for these in advance prior to the upgrade taking place. Please note that you will only be able to downgrade monthly services and by downgrading your services it may cause you to lose features and/ or data. We will in no way be liable for this.

In the event you exceed the limit of your current plan, we may decide to upgrade your account accordingly to facilitate your usage. We will provide you with 14 days’ notice prior to upgrading your account in which you can choose to object to this change of Platform access.

Merchant of record. Where you pay fees for the services we provide to you as part of your access to our Platform, we will use a merchant of record: Paddle, to recover these fees and any applicable taxes. Any invoices or payments from your account will be under the name “Paddle”.

OUR WORKFLOW AUTOMATION PLATFORM

What is our platform? Our “Platform” refers to our workflow automation platform and all other related services and documentation that gives you access to products and services which will automate workflows (“Website Content”), except for User Content.
User Content. You can use our Platform to create automated workflows to enable actions to take place across multiple software applications based on trigger events. In addition, you can also interact with the community by posting (including posting your workflows) on our forum (together the “User Content”).

Any workflows created on the Platform will require programming interfaces or software scripts to facilitate these transfers between applications. Our Platform also enables our users to upload their own workflows. You can also access and view User Content created and posted by others to use in your own projects as well as share your own User Content publically on the Platform, for the same purposes.

Performance of the Platform. During your use of the Platform, we will take steps to ensure that the Platform functions as described at the point you signed up. Although we will introduce technology to prevent malware and viruses we do not guarantee that our Platform will be secure or free from bugs or viruses. You are responsible for configuring your information technology, computer programmes and platform to access our Platform.
What happens when the Platform stops working as described. In the event you report to us a substantial error with the Platform, we will seek to correct this within a reasonable amount of time – where legally permitted, this will be your sole remedy.
We may suspend or withdraw our Platform. We do not guarantee that our Platform, or any of the Website Content or the User Content, will always be available or be uninterrupted. We may suspend or withdraw or restrict the availability of all or any part of our Platform for business and operational reasons.

You are also responsible for ensuring that all persons who access our Platform through your internet connection are aware of and comply with these Terms.

What action we may take in the event of a breach. When we consider that a breach of these Terms has occurred, we may take such action as we deem appropriate including:
- immediate, temporary or permanent withdrawal of your right to use our Platform;
- immediate, temporary or permanent removal of any User Content uploaded by you to our Platform;
- legal action against you; and/or
- disclosure of such information to law enforcement authorities as we reasonably feel is necessary or as required by law.
You must maintain a secure internet connection. Where you lose access to the Platform and any User Content due to a disruption in your telecommunications or internet services, we will in no way be liable for any losses suffered.
Where our Platform contains links to other sites, User Content and resources provided by third parties. These are provided for your information only. They should not be interpreted as approval by us of those linked websites or information you may obtain from them.

CONTENT ON OUR AUTOMATION PLATFORM

n8n Website Content: We are the owner or the licensee of all intellectual property rights in all of the Website Content on our Platform, and in the material published on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. You may download Website Content from our Platform for your personal use and you may draw the attention of others within your organisation to Website Content posted on our Platform. You must not modify any n8n Website Content you download.
User Content you upload to our Platform must be the following: (i) accurate (where it states facts); (ii) be genuinely held (where it states opinions); and comply with the law applicable in England and Wales.
User Content you upload to our Platform must not be the following: (i) Defamatory of anyone or could bully, insult, intimidate, discriminate or humiliate someone; (ii) unlawful; (iii) promote sexually explicit material; (iv) promote violence; (v) infringe any copyright, database right or trade mark; (vi) like to deceive; (vii) give the impression that the Services originates from us or another person for which you do not have authority from; (viii) contain any advertising or promotion for another company and/ or site; and (ix) knowingly introduce viruses, trojans, worms, logic bombs or other material that is malicious or technologically harmful.
Do not reverse engineer any of the Platform. You will not reverse engineer or otherwise attempt to derive or obtain information about the functioning, manufacture or operation of the Platform. Nor will you attempt to modify, translate, or create derivative works based on the Platform; or copy (save for archival purposes), rent, lease, distribute, pledge, assign or otherwise transfer or encumber rights to the Platform.
Internal business use only. You acknowledge and agree that you can only use the Platform for internal business purposes only and may not transfer, sell, distribute, lease, sublease, assign or licence to any third parties.
You must not attempt to gain unauthorised access. Whether this is to our Platform, the server on which our Platform is stored or any server, computer or database connected to our Platform. You must not attack our Platform via a denial-of-service attack or a distributed denial-of service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our Platform will cease immediately.

INTELLECTUAL PROPERTY

Our Platform. We are the owner or the licensee of all intellectual property rights in the Platform including any modifications and improvements, whether made by us or suggested by you. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. We provide you with a worldwide, non-exclusive, non-transferable, non-sublicensable, revocable limited term licence for internal use only to use the Platform in accordance with these Terms. Such a right to use the Platform and any User Content on the Platform will expire at the point your subscription ends or when we terminate the Agreement, whichever is sooner.
Data you transmit through the Platform. All documents, messages, logos, images, files and other information you transmit through our Platform, will remain yours and you shall retain all rights, titles and interest in those. You do however provide us with a worldwide, royalty-free, non-exclusive, transferable and sublicensable right to use your data to improve our Platform.
User Content. We will retain all intellectual property rights in the User Content on the Platform, save for those created by you and our other users. We grant to you a non-exclusive licence to make, use and share User Content publically with other users via the Platform. Any User Content created by you are private, and it is your choice as to whether or not you share these with the n8n community publically to use, share and modify. You grant to us a worldwide, royalty-free, non-exclusive, transferable and sub-licensable right to use, modify and distribute any User Content you choose to share on our Platform. You acknowledge that where we create User Content materially similar to or the same as any User Content you have made public on our Platform, you will have no claims against us including for infringement or misappropriation.

CANCELLATION, TERMINATION AND SUSPENSION

Termination of your subscription term. Your subscription will start on the date you sign up as a user of the Platform and agree to these Terms. Your access to the Platform will continue until the earlier of you cancelling your subscription; we terminate your right to access the Platform; or you commit a material breach of these Terms.
Where you wish to terminate your subscription. You can do this via the Platform or by email at: support@n8n.io.
Deletion of data. We will only retain your data for as long as we need it. Your data is usually deleted 6 months after the deactivation of your account with us, unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements. We will contact you by email 30 days before deactivating and deleting your account.
Survival of important terms. Please note that all rights under this Agreement, which by nature should survive termination, will, including Indemnity, Liability, Governing Law, Notices and Intellectual Property.

INDEMNITY

Your indemnity to us. You agree to indemnify us, our affiliates, directors, officers and employees against all loss, costs, damages liabilities and expenses that arise out of your breach of these Terms and/ or use of the Platform.

LIABILITY

We do not limit any losses that we are not allowed to limit: We do not exclude or limit in any way our liability to you where it would be unlawful to do so including death or personal injury caused by our negligence.
What we do limit: We exclude all implied conditions, warranties, representations or other terms that may apply to our Platform or any Services on it. We will not be liable to you for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with the use of, or inability to use, our Platform; or use of or reliance on any Services displayed on our Platform.

In particular, we will not be liable for loss of profits, sales, business, or revenue; business interruption; loss of anticipated savings; loss of business opportunity, goodwill or reputation; or any indirect or consequential loss or damage.

No Services guarantees. The Platform is provided “as is”. We make no guarantee as to the quality of the Platform and its suitability for your individual purposes, and will not be liable in the event you do not undertake your own prior due diligence.
Severability. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful or unenforceable, the remaining paragraphs will remain in full force and effect.

NOTICES

Where do we issue notices to you. We will issue all notices to you via the Platform save for any that will materially impact your rights or your use of the Platform which we will email to you, via the email you use to subscribe to the Platform.
Complaints and legal disputes. Where you have any complaints, are subject to insolvency (or similar) proceedings or wish to issue legal proceedings against us, you should send notice of these to:

n8n GmbH
Borsigstr. 27
10115 Berlin
Germany

GOVERNING LAW

What laws apply to these Terms? These terms are governed by English law and you can bring legal proceedings in the English courts.

However if you are a consumer you may also benefit from any mandatory provisions of the law of the country in which you are resident. Nothing in these Terms affects your rights as a consumer to rely on such mandatory provisions of local law.

Changes to these Terms. As our service grows and improves, we might have to make changes to these Terms. We will do this by uploading the latest version with a date confirming when they went live.

17 July 2020

You can see current and previous versions of our terms here

Data Processing Agreement

If you would like to sign our Data Processing Agreement, please download the PDF here, ensure someone authorized from your organization signs it, and then email a copy from your company email address to privacy@n8n.io.

Please email us at privacy@n8n.io if you have any questions.

Vulnerability Disclosure Policy

Introduction

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to n8n.

We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Reporting

If you believe you have found a security vulnerability relating to the n8n's systems, please submit a vulnerability report via email to security@n8n.io.

In your report please include details of:

The website, IP or page where the vulnerability can be observed.
A brief description of the type of vulnerability, for example; “XSS vulnerability”.
Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify our guidance, so please do continue to coordinate public release with us.

Guidance

You must NOT:

Break any applicable law or regulations.
Access unnecessary, excessive or significant amounts of data.
Modify data in n8n's systems or services.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Disrupt n8n's services or systems.
Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
Disclose any found vulnerabilities or associated details to others without our explicit consent.
Social engineer, ‘phish’ or physically attack n8n's staff or infrastructure.
Demand financial compensation in order to disclose any vulnerabilities.

You must:

Always comply with data protection rules and must not violate the privacy of any data n8n holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause n8n or partner organisations to be in breach of any legal obligations.