Is n8n GDPR-compliant? Self-hosting makes the difference
n8n can run in a GDPR-compliant way, but it is not automatically compliant. What sets cloud and self-hosting apart, and where workflows leak data.
Since when does Power Automate store data in the EU? Facts about the EU Data Boundary and what it means for your operations.

Whoever uses Power Automate for invoice approvals, HR workflows, or customer data almost always receives the same question from the legal department at the next data protection impact assessment: Where exactly is the data when a Cloud Flow runs? Many IT managers in small and medium-sized companies cannot answer this cleanly because Microsoft has distributed the answer across multiple years and multiple documents.
This article brings together the facts: what the EU Data Boundary at Power Automate concretely means, where the boundaries lie and what that practically means for your operations.
The EU Data Boundary is the geographical boundary guaranteed by Microsoft, within which customer data and personal data for Microsoft Online Services such as Power Automate are stored and processed, and it comprises the 27 EU states as well as the four EFTA countries Liechtenstein, Iceland, Norway, and Switzerland (Source: Microsoft Learn, EU Data Boundary).
Since November 2024, all newly created Power Automate Cloud Flows are automatically stored and processed within this boundary, regardless of whether they are part of a Solution (Source: Microsoft Learn, Power Automate and the EU Data Boundary). For flows that were created before this date, Microsoft provides a migration tool for Power Platform administrators, because older flows outside of Solutions were originally created in globally replicated resource groups.
Decisive is the so-called Home Geo of your Microsoft Entra tenant: The geographical region that is assigned when setting up the tenant based on the billing address determines in which Azure geography your Power Platform environments and thus also your Flow data lie (Source: Microsoft Learn, Data storage and governance).
A special case shows how carefully one must look: In Copilot Studio, data lands by default in the USA if the tenant region is not explicitly listed in the EU list, with an exception for France, whose data remains in Europe (Source: Microsoft Learn, Dynamics 365 and Power Platform Data Residency). Anyone who combines Power Automate flows with Copilot Studio agents must therefore check both components separately.
Even within the EU Data Boundary, there are exceptions: Table and column names as well as app names, descriptions, and logos are globally replicated for support and performance reasons, but the actual data content remains in the assigned geography (Source: Microsoft Learn, Ongoing Partial Transfers).
Three steps are sufficient for most small and medium-sized companies: first, check the Home Geo of your own tenant in the Power Platform Admin Center, second, search for older, not yet migrated flows with the PowerShell cmdlet Get-AdminFlow -IncludeEUDBNonCompliantFlows, third, subsequently migrate found flows via Start-EUDBMigration.
At a customer in the logistics industry, we used exactly this cmdlet call before a GDPR audit: Several flows created before November 2024 were still outside the EU boundary and were subsequently moved via the migration tool without interrupting the automated runs. During migration, affected flows cannot temporarily be edited or manually started, but automated and scheduled runs continue without interruption (Source: Microsoft Learn, Perform Migration).
The difference lies in the type of control: Power Automate provides a contractual commitment from Microsoft that data remains within the EU boundary, self-hosted n8n gives you physical control over the server on which the data is created in the first place. Read more about the self-hosting perspective in our article Is n8n GDPR-compliant? Self-hosting makes the difference.
This question touches a sore point in the German economy: 78 percent of companies consider Germany too dependent on US cloud providers, 82 percent would like large cloud providers from Germany or Europe (Source: Bitkom, Cloud Report 2025).
For most small and medium-sized companies, therefore, the question is not "Power Automate or n8n" but rather "where do I need what control": In particularly sensitive core processes, self-hosting can be useful, in the Microsoft 365 environment, where work is done anyway, a properly configured EU Data Boundary is often the more pragmatic way. We examine exactly that at NordFlux before every Power Automate automation and every more comprehensive Microsoft 365 automation.
Since November 2024, Power Automate automatically stores new Cloud Flows within the EU Data Boundary, older flows can be retrofitted via PowerShell migration tool. The Home Geo of the tenant remains decisive, exceptions exist for globally replicated metadata and for Copilot Studio without explicit EU assignment.
Power Automate can be operated in a GDPR-compliant manner if the tenant is located in an EU geography and all Cloud Flows are stored and processed within the EU Data Boundary. For flows from before November 2024, this typically requires migration via Microsoft's PowerShell tool.
For customers with an EU tenant and migrated flows, customer data and personal data remain within the EU Data Boundary. Exceptions concern globally functioning components such as Content Delivery Networks, Microsoft Entra ID, or replicated table and column names, but not the actual data content.
Using the PowerShell cmdlet Get-AdminFlow -IncludeEUDBNonCompliantFlows in Power Platform Administrator PowerShell, you can list all flows that have not yet been migrated within the EU Data Boundary, individually or per environment.
Not automatically more secure, but more controllable: Self-hosting gives physical sovereignty over the infrastructure, Power Automate with correctly configured EU Data Boundary provides a contractual commitment with lower operational effort. Which solution fits depends on the sensitivity of the data and existing IT resources.
Yes. Before every Power Automate or Microsoft 365 automation, we check tenant geo, legacy flows requiring migration, and connectors that could process data outside the EU, and document the result for your data protection impact assessment.
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
n8n can run in a GDPR-compliant way, but it is not automatically compliant. What sets cloud and self-hosting apart, and where workflows leak data.
Three tools, three philosophies. An honest comparison of cost, data ownership and effort — without vendor bias.
In a free initial analysis we discuss your case directly. No strings attached.