Breach Notification

    How we notify you about security incidents, timelines, and what to expect.

    Breach Notification Policy

    Effective Date: December 10, 2025
    Last Updated: December 10, 2025
    Version: 1.0


    Introduction

    This Breach Notification Policy describes how ManageN8N handles security incidents that may affect your data, including how and when we will notify you. We are committed to transparency and prompt communication in the event of a security breach.


    Definitions

    Term | Definition
    Security Incident | Any event that may compromise the security of our systems or your data
    Data Breach | Unauthorized access to, disclosure of, or loss of personal data
    Personal Data | Information that identifies or could identify an individual
    Affected Users | Users whose data was or may have been compromised

    Our Commitment

    1. Act Quickly - Contain the breach and begin investigation immediately
    2. Be Transparent - Provide honest and complete information
    3. Notify Promptly - Contact affected users within required timeframes
    4. Assist Recovery - Help you take steps to protect yourself
    5. Learn and Improve - Implement measures to prevent future incidents

    Notification Timeline

    Confirmed Data Breach

    Stakeholder | Timeline | Method
    Regulatory authorities (GDPR) | Within 72 hours | Official channels
    Affected users | Without undue delay, max 30 days | Email
    All users (significant breach) | Within 72 hours | Email + status page

    Security Incident (No Data Breach)

    Stakeholder | Timeline | Method
    Affected users | As appropriate | Email
    All users | Not required | Status page if service affected

    Delay Exceptions

    Notification may be delayed if requested by law enforcement, if it would compromise ongoing security efforts, or if the law requires delayed notification. We will notify you as soon as the exception no longer applies.


    What We Will Tell You

    Initial Notification

    When we notify you of a breach, we will include:

    1. What Happened
      • Nature of the incident
      • When it occurred
      • When we discovered it
    2. What Data Was Affected
      • Types of data involved
      • Whether your data was specifically affected (if known)
    3. What We're Doing
      • Steps taken to contain the breach
      • Investigation status
      • Measures to prevent recurrence
    4. What You Should Do
      • Recommended protective actions
      • How to check for suspicious activity
      • Resources available to you
    5. How to Get Help
      • Contact information
      • FAQ or additional resources

    Follow-Up Communications

    We will provide updates when investigation reveals new information, when we implement additional protections, at resolution of the incident, and if recommendations change.


    Notification Methods

    Primary: Email

    • Sent to your registered email address
    • Subject line clearly indicates security notification
    • Plain language, no marketing content
    • Links to detailed information on our website

    Secondary Methods

    Method | When Used
    In-app notification | For active users
    Status page | For service-affecting incidents
    Website banner | For major incidents
    Phone call | For high-impact enterprise customers
    Postal mail | If email bounces, as required by law

    Ensuring You Receive Notifications

    • Keep your email address current
    • Add security@managen8n.com to your contacts
    • Check spam/junk folders
    • Enable in-app notifications

    Data Types and Risk Levels

    High Risk Data

    Breach of this data triggers immediate notification:

    • Passwords (even hashed)
    • Payment card information
    • TOTP secrets or backup codes
    • API keys or access tokens

    Medium Risk Data

    Breach requires notification within 72 hours:

    • Email addresses
    • Names and profile information
    • Instance configurations
    • Audit logs with user activity

    Lower Risk Data

    Breach assessed case-by-case:

    • Aggregated analytics
    • Public template metadata
    • System logs without PII

    Your Responsibilities

    After Receiving Notification

    1. Change Your Password
      • On ManageN8N
      • On any other service where you used the same password
    2. Enable/Verify 2FA
      • Ensure two-factor authentication is enabled
      • Generate new backup codes if recommended
    3. Review Account Activity
      • Check recent login history
      • Review any suspicious changes
    4. Monitor for Suspicious Activity
      • Watch for phishing attempts
      • Check other accounts for unauthorized access
    5. Rotate API Keys
      • If API keys may have been exposed
      • Update any integrations using those keys

    Reporting Suspicious Activity

    If you notice suspicious activity:
    Email: security@managen8n.com
    Subject: Suspicious Activity Report
    Include: Your account email, description of activity, timestamps


    Regulatory Compliance

    GDPR (EU/EEA)

    • Notification to supervisory authority within 72 hours
    • Notification to affected users without undue delay
    • Documentation of breach and response

    CCPA (California)

    • Notification of unauthorized access to unencrypted personal information
    • Notification method as prescribed by California Civil Code

    Other Jurisdictions

    We comply with breach notification requirements in all jurisdictions where we operate, including UK (UK GDPR), Canada (PIPEDA), Australia (Notifiable Data Breaches scheme), and other applicable state/national laws.


    What We Do Internally

    Incident Response Process

    1. Detection
      • Monitoring systems alert on anomalies
      • User reports investigated promptly
    2. Containment
      • Immediate steps to stop ongoing breach
      • Preserve evidence for investigation
    3. Assessment
      • Determine scope and impact
      • Identify affected data and users
      • Assess risk level
    4. Notification
      • Prepare notification content
      • Send to affected parties
      • File regulatory notices if required
    5. Remediation
      • Fix vulnerabilities
      • Implement additional controls
      • Update affected credentials
    6. Review
      • Post-incident analysis
      • Lessons learned
      • Process improvements

    Documentation

    We document all breaches and security incidents, investigation findings, notification records, remediation actions, and post-incident reviews. Records are retained for a minimum of 5 years.


    Third-Party Breaches

    Our Third-Party Providers

    If a breach affects our service providers:

    • We will notify you if your data was affected
    • We will provide information as we receive it
    • We may not be able to share all details immediately

    Your Third-Party Integrations

    If a breach affects services you've connected to your n8n workflows:

    • This is outside our visibility
    • Monitor notifications from those services
    • We can assist with disconnecting compromised integrations


    Preventing Breaches

    What We Do

    • Encryption of sensitive data
    • Regular security assessments
    • Employee security training
    • Monitoring and alerting
    • Incident response planning

    What You Can Do

    • Use strong, unique passwords
    • Enable two-factor authentication
    • Keep your email address current
    • Report suspicious activity promptly
    • Follow security best practices

    Contact

    Security Incidents: security@managen8n.com
    Privacy Inquiries: privacy@managen8n.com
    General Support: support@managen8n.com


    Revision History

    Version | Date | Changes
    1.0 | December 10, 2025 | Initial policy