Hello,
Our company is planning to deploy a self-hosted instance of n8n on a company-managed laptop as part of an internal AI agent project. Our security team is conducting a vendor risk assessment (VRA), and we need to clarify several points before we can proceed. I’ve reviewed the documentation and existing forum posts, but I couldn’t find complete answers to the following:
- SOC 2 Report
  - Is there a SOC 2 report available that applies to self-hosted environments (even partially), or is it exclusively for n8n Cloud?
- Latest Penetration Test Report
  - Is there a recent penetration test report or a public summary available for review?
- Default Outbound Endpoints
  - For a self-hosted deployment, what is the default outbound endpoint list?
  - If “Isolate n8n” is enabled, does it completely block all external communications?
- Credential Encryption and Key Management
  - How are credentials encrypted in a self-hosted environment?
  - Any recommendations for encryption key management and backup best practices?
- Community Node Security Process
  - What is the vetting and signing process for community nodes?
  - What is the recommended enterprise policy — default block or allowlist?
In our case, full telemetry disablement will be required. Please confirm if this is possible for self-hosted instances and how to configure it.
If anyone has links to official documentation, prior forum threads, or direct experience with these requirements, that would be greatly appreciated.
Thank you!
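As an added illustration for the telemetry and key-management points raised above (example added here, not part of the original post and not n8n's own tooling), the following POSIX shell script writes the documented n8n environment switches that turn off the phone-home features (`N8N_DIAGNOSTICS_ENABLED`, `N8N_VERSION_NOTIFICATIONS_ENABLED`, `N8N_TEMPLATES_ENABLED`), disables community package installation (`N8N_COMMUNITY_PACKAGES_ENABLED`), and pins the credential encryption key (`N8N_ENCRYPTION_KEY`) instead of letting n8n auto-generate one into `~/.n8n/config`. It then re-reads the file and checks that every switch is actually set, which is the kind of check a VRA reviewer would want to run before sign-off. The env file path, the key placeholder and the `check_n8n_env` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardened environment settings for a self-hosted n8n instance.
# Variable names follow the n8n documentation; the output path and the key
# placeholder are constructed for this example.

# Write the settings to an env file (for docker --env-file or systemd EnvironmentFile).
# The encryption key must come from a secret store; never let n8n generate it
# silently, because credentials in the database cannot be decrypted without it,
# so the key has to be backed up separately from the database dump.
write_n8n_env() {
  out="$1"
  key="${2:-REPLACE_WITH_KEY_FROM_SECRET_STORE}"   # e.g. openssl rand -hex 32
  cat > "$out" <<EOF
N8N_DIAGNOSTICS_ENABLED=false
N8N_VERSION_NOTIFICATIONS_ENABLED=false
N8N_TEMPLATES_ENABLED=false
N8N_COMMUNITY_PACKAGES_ENABLED=false
N8N_ENCRYPTION_KEY=${key}
EOF
}

# Return 0 only if every telemetry switch is explicitly false and an
# encryption key is present; any missing or "true" setting fails the check.
check_n8n_env() {
  f="$1"
  for v in N8N_DIAGNOSTICS_ENABLED N8N_VERSION_NOTIFICATIONS_ENABLED \
           N8N_TEMPLATES_ENABLED N8N_COMMUNITY_PACKAGES_ENABLED; do
    grep -q "^${v}=false\$" "$f" || return 1
  done
  grep -q '^N8N_ENCRYPTION_KEY=..*$' "$f" || return 1
  return 0
}

# Usage (uncomment to run stand-alone):
# write_n8n_env ./n8n.env "$(openssl rand -hex 32)" && check_n8n_env ./n8n.env && echo "hardened"
```

Run the check against the env file the laptop will actually start n8n with, and keep the key in the company secret store with its own backup schedule, since restoring the n8n database without the matching key leaves every stored credential unreadable.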