Is n8n GDPR-compliant? Self-hosting makes the difference
n8n can run in a GDPR-compliant way, but it is not automatically compliant. What sets cloud and self-hosting apart, and where workflows leak data.
As soon as customer data flows through your n8n workflows (names, email addresses, invoice amounts, sometimes job applications), the question lands on your desk: is n8n GDPR-compliant? The short answer: n8n can be operated in a GDPR-compliant way, but it is not so on its own. The GDPR assesses how you operate the software and how your workflows are built, not the tool itself, which is why your setup decides, not the software alone.
You should clarify this, by the way, before the first workflow goes live, not afterwards. Three things are decisive: where n8n runs, which services your workflows connect to, and what happens to the execution data. Self-hosting on a server in Germany is the most direct path to full data sovereignty, but it does not solve every question.
Why “GDPR-compliant” is not a property of a piece of software
The GDPR governs processing activities, not products, which is why no vendor can seriously claim that its software is GDPR-compliant across the board. As a company, you remain responsible for the data processing. An n8n workflow that sends customer data to a US service without asking violates the GDPR on the very same server on which a cleanly built workflow runs entirely without concern. So the question is not “Is n8n compliant?” but “Is my n8n setup, including the workflows, compliant?”. That is not splitting hairs, it is the reason why the hosting decision and the workflow design have to be looked at separately.
n8n Cloud: German company, EU servers, US cloud provider
According to n8n's official security page (as of July 2026), n8n Cloud stores customer data on Microsoft Azure infrastructure in the European Union, and the pricing page names Frankfurt as the location. Behind the product stands n8n GmbH, based in Berlin, that is, a German company. n8n provides a data processing agreement (DPA, German AVV) for signing, including EU standard contractual clauses and a public list of sub-processors. That is a solid foundation for many SMEs.
The point you should be aware of: Azure belongs to Microsoft, a US corporation. Even with storage in Frankfurt, a US provider therefore remains in the chain. For most business data this is justifiable with a DPA and standard contractual clauses; for especially sensitive data, for example in the case of professionals bound by confidentiality or in the health sector, it becomes a point of discussion with the data protection officer. No software takes that assessment off your hands, and this article is no substitute for legal advice.
Self-hosting: your data stays on your server
With self-hosting, n8n runs on a server that you control, and personal data from your workflows does not leave your infrastructure as long as the workflows do not connect to external services. The Community Edition can be used without a license fee and can be run via Docker on a server at a German host. You then only need a DPA with the host, not with n8n itself, because n8n has no access to your instance. This is exactly the setup we build by default at NordFlux: n8n on a server in Germany, with updates, backups and monitoring, so that running it does not end up resting on your shoulders.
To be honest about it: self-hosting shifts the responsibility for security onto you. An unpatched n8n server with an open login is a bigger data protection risk than any seriously operated cloud. Anyone who has no one in-house for server maintenance should hand operations over to a service provider or deliberately choose the cloud option with a DPA.
Whether n8n runs in a GDPR-compliant way is decided not by the software but by your setup. Self-hosting in Germany solves the hosting question. The question of where your workflows send data is solved only by clean workflow design.
Three data protection traps in workflow design
Most data protection problems with n8n arise not during hosting but in the workflows themselves. Three patterns keep coming up in practice:
- AI nodes: as soon as a workflow sends customer data to an AI model such as OpenAI or Anthropic, that provider processes the data. You then need a DPA with the AI provider, exclusion from model training and, where possible, data minimization before the node.
- Third-party nodes to US services: Google Sheets, Slack or Airtable as a workflow destination mean a transfer to a third country. The self-hosted server is of little use if the workflow then copies the data into a US spreadsheet.
- Execution logs: by default, n8n stores the input and output data of every workflow execution. Without a limited retention period, personal data that no one thinks about anymore piles up there.
The AI connection in particular deserves a close look, because complete data sets often flow there even though the model only needs two fields. How to connect AI services in a data protection-compliant way in general, from choosing a provider to the DPA, is described in detail in our article on GDPR-compliant AI in the company.
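The data minimization described for AI nodes above can be enforced in the workflow itself, directly before the AI node. The following is an added example, not code from the original article or from n8n: the body of an n8n Code node (mode "Run Once for All Items") that keeps only the fields the model needs and refuses to pass items that still carry a direct identifier. The field names (`subject`, `message`, `email`, `iban`, ...) and the sample record are constructed assumptions; adapt them to your own data.

```javascript
// Added example: data minimization in an n8n Code node before an AI node.
// Field names below are assumptions, not part of the original article.

// Fields the model actually needs; everything else stays on your server.
const KEEP_FIELDS = ["subject", "message"];
// Direct identifiers that must never reach the AI provider.
const FORBIDDEN_FIELDS = ["name", "email", "phone", "iban"];

// Returns new items (n8n shape: { json: {...} }) that contain only the
// whitelisted fields plus an opaque `ref`, so a later Merge node can
// rejoin the model's answer with the full record that never left the server.
function minimizeForAiNode(items, keep = KEEP_FIELDS) {
  return items.map((item, index) => {
    const json = {};
    for (const field of keep) {
      if (Object.prototype.hasOwnProperty.call(item.json, field)) {
        json[field] = item.json[field];
      }
    }
    json.ref = index;
    return { json };
  });
}

// Fails the workflow run loudly instead of silently leaking a field:
// a thrown error stops the node, so the AI node downstream never executes.
function assertNoForbiddenFields(items, forbidden = FORBIDDEN_FIELDS) {
  for (const item of items) {
    for (const field of forbidden) {
      if (Object.prototype.hasOwnProperty.call(item.json, field)) {
        throw new Error(
          `data minimization failed: field "${field}" would leave the server`
        );
      }
    }
  }
  return true;
}

// Constructed sample input: a support ticket as it might arrive from a CRM node.
const SAMPLE_ITEMS = [
  {
    json: {
      name: "Erika Mustermann",
      email: "erika@example.com",
      iban: "DE00 PLACEHOLDER",
      subject: "Invoice 4711",
      message: "The amount on the invoice does not match the offer.",
    },
  },
];

// Stand-alone run on the constructed sample; returns the minimized items.
function runExample() {
  const minimized = minimizeForAiNode(SAMPLE_ITEMS);
  assertNoForbiddenFields(minimized);
  return minimized;
}

// Inside the Code node, the body ends with these three lines instead of
// runExample(); $input is provided by n8n there:
//   const out = minimizeForAiNode($input.all());
//   assertNoForbiddenFields(out);
//   return out;
```

The check is deliberately a hard failure: a workflow that stops is easier to notice than a workflow that has quietly sent an IBAN to a model provider for six months. Keep the whitelist short and review it whenever an upstream node starts delivering new fields.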
Running n8n in a GDPR-compliant way: what a clean setup looks like
A robust n8n setup for mid-sized companies consists of four building blocks: a server at a German or European host with a signed DPA, access control with personal accounts and two-factor authentication, a deletion rule for execution data (n8n can automatically clean up old execution data) and data minimization in every workflow that addresses external services. Part of this is adding the workflows to the record of processing activities, so that your data protection officer knows what has been automated. This sounds like paperwork, but it is done within one to two working days and afterwards only needs to be maintained.
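The deletion rule for execution data from the building blocks above, and the execution-log trap from the previous section, are settings on the instance rather than in the workflows. The docker-compose file below is an added example (not NordFlux's or n8n's own configuration) for a self-hosted instance on a German host; it uses n8n's documented `EXECUTIONS_DATA_*` environment variables and shows the weak default beside the corrected value. Hostname, encryption key and volume name are placeholders.

```yaml
# Added example: docker-compose.yml for a self-hosted n8n instance.
# Hostname and encryption key are placeholders; replace them before use.
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    # Bind to localhost only; a reverse proxy with TLS sits in front of it.
    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - N8N_HOST=n8n.example.internal            # placeholder hostname
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://n8n.example.internal/
      - N8N_SECURE_COOKIE=true
      - N8N_ENCRYPTION_KEY=CHANGE-ME-PLACEHOLDER  # protects stored credentials; keep out of git
      - GENERIC_TIMEZONE=Europe/Berlin
      # Execution data (the deletion rule from the text).
      # Weak: with EXECUTIONS_DATA_SAVE_ON_SUCCESS=all (n8n default) the full
      # input and output of every successful run is stored, and the default
      # EXECUTIONS_DATA_MAX_AGE of 336 hours keeps it for 14 days.
      - EXECUTIONS_DATA_SAVE_ON_SUCCESS=none      # successful runs leave no payload behind
      - EXECUTIONS_DATA_SAVE_ON_ERROR=all         # failed runs are kept for debugging
      - EXECUTIONS_DATA_SAVE_ON_PROGRESS=false
      - EXECUTIONS_DATA_SAVE_MANUAL_EXECUTIONS=false
      - EXECUTIONS_DATA_PRUNE=true                # automatic cleanup of old executions
      - EXECUTIONS_DATA_MAX_AGE=168               # hours: error runs are deleted after 7 days
      - EXECUTIONS_DATA_PRUNE_MAX_COUNT=10000     # hard cap on stored executions regardless of age
      # No usage telemetry or version checks towards n8n from the instance.
      - N8N_DIAGNOSTICS_ENABLED=false
      - N8N_VERSION_NOTIFICATIONS_ENABLED=false
      # Workflow code (Code nodes) cannot read the container environment above.
      - N8N_BLOCK_ENV_ACCESS_IN_NODE=true
    volumes:
      - n8n_data:/home/node/.n8n   # placeholder volume name
volumes:
  n8n_data:
```

The retention values are a starting point, not a legal recommendation: the right maximum age is whatever your record of processing activities names for the workflow in question. Personal accounts and two-factor authentication are not environment variables; they come from n8n's built-in user management, where each user enables 2FA in their own settings, so the operator's task is to forbid shared logins rather than to configure them away.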
The effort pays off twice over: a documented setup speeds up every later extension, because the fundamental questions are settled and new workflows only need to be checked against the existing rules.
Frequently asked questions
Can n8n Cloud be used in a GDPR-compliant way?
Yes, for many use cases. n8n offers a DPA with EU standard contractual clauses, and according to n8n the data is stored on Azure servers in the EU. What remains to be assessed is that, with Microsoft, a US provider supplies the infrastructure. For sensitive data you should clarify this with your data protection officer.
Do I need a DPA with n8n when self-hosting?
No. With a self-hosted instance, n8n does not process any data for you; the software runs entirely on your server. Instead, you need a DPA with the hosting provider on whose server the instance runs, unless you operate your own server in-house.
May I use AI nodes such as OpenAI in n8n workflows?
In principle yes, if the framework is right: a DPA with the AI provider, exclusion of the data from model training, and transferring only the fields the model really needs. Anyone who wants to avoid transfers to third countries can switch to European providers or locally operated models.
What does n8n cost when self-hosting?
The Community Edition is free of license costs; you pay for the server and for operations, that is, updates, backups and monitoring. For smaller setups, a simple cloud server at a German host is enough. The honest calculation, however, also includes the working time for maintenance, whether in-house or via a service provider.
Does self-hosting make n8n automatically GDPR-compliant?
No. Self-hosting only clarifies where the software runs and who has access to the instance. Whether the processing is compliant additionally depends on which services your workflows connect to, how long execution data is stored and whether there is a legal basis for the processing.
NordFlux UG (haftungsbeschränkt)
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
Should n8n run cleanly on data protection at your company?
In the free initial analysis we review your processes and tell you honestly whether n8n is a fit and what a setup with German data sovereignty looks like.
- n8n on a server in Germany, you keep control
- Workflow design with data minimization instead of data leakage
- One fixed contact person, no call center