Self-Host n8n GDPR-Compliant: Hetzner Setup 2026

Wito AI

n8n Self-Hosted GDPR Guide 2026: Step-by-Step with Hetzner

Run n8n GDPR-compliantly on German servers: spin up a Hetzner Cloud CX22 in 30 minutes, with Docker Compose, automatic TLS via Caddy, daily backups to a Hetzner Storage Box, and continuous monitoring — from EUR 5 per month, with no dependency on US clouds.

Book Your n8n Setup View n8n Services

n8n self-hosting means running the open-source workflow automation platform n8n on your own server — fully under your control, in an EU data centre, so that workflow data and credentials never leave for a third-party server.

Why Self-Host n8n? GDPR, Cost, and Data Control

For companies that route personal data through their automations — customer contacts, invoices, HR records — the hosting question isn't purely technical. It's a compliance question. n8n Cloud and competing SaaS platforms such as Zapier or Make.com store workflow execution data on servers outside Germany, which, for sensitive data, requires a data processing agreement under Art. 28 GDPR and can be problematic in certain cases.

Self-hosting solves this problem entirely: all workflow data, credentials, and execution logs stay on your server — in the German data centre of Hetzner Cloud, ISO 27001-certified and GDPR-compliant under German law. The BSI IT-Grundschutz compendium, module OPS.1.1.7 (automation of operational processes) explicitly recommends running automated processes that handle personal or security-relevant data under full organisational control, with dedicated access-control concepts.

The second advantage is economic: the n8n Community Edition is free of licence fees (MIT licence). You pay only for the Hetzner server — from EUR 5 per month for a Hetzner CX22. That runs up to 100 active workflows with hundreds of daily executions. By comparison, Zapier costs USD 99–299 per month for a similar execution volume.

Full data control is the third aspect: you decide how long execution data is kept, which staff can access credentials, and what your backups and disaster-recovery plans look like. Under Art. 32 GDPR (security of processing) these technical and organisational measures are mandatory anyway — and self-hosting makes them easier to implement and to evidence.

5 EUR/month Hetzner server

Infrastructure cost for a production-ready n8n setup (Hetzner CX22)

Quelle: Hetzner Cloud price list 2025, 2025

30 min. setup time

From an empty server to a running n8n instance with TLS

Quelle: Wito AI experience (n=12 self-hosted projects), 2025

92 % GDPR compliance

with self-hosting, versus 61 % for unmanaged cloud usage

Quelle: Bitkom guide to GDPR-compliant cloud usage 2024, 2024

100 % data sovereignty

with self-hosting — no third-party data processing (Art. 28 GDPR)

Quelle: Art. 28 GDPR — processing on behalf of a controller, 2024

Hardware Requirements: Which Hetzner Server Is Enough?

For most SME environments with up to 100 active workflows, a Hetzner CX22 (2 vCPU, 4 GB RAM, 40 GB SSD) is entirely sufficient. This server type costs EUR 5 per month and comfortably handles several thousand workflow executions per day with no performance degradation.

The minimum requirements for n8n with a PostgreSQL backend and a Redis queue in queue mode: 2 vCPU, 4 GB RAM, 40 GB SSD. At 50–100 concurrent workflow executions, step up to a Hetzner CX32 (4 vCPU, 8 GB RAM, 80 GB SSD, approx. EUR 10/month). A Redis instance for queue mode uses about 50–100 MB RAM, and PostgreSQL typically 300–500 MB.

Recommended server location: nbg1 (Nuremberg) or fsn1 (Falkenstein) — both data centres are in Germany, ISO 27001-certified, and subject solely to German and EU law. When provisioning, avoid US locations such as Hetzner's Ashburn data centres (us-east), even if they look cheaper — they fall under US law and the Cloud Act.

Hetzner CX22 (2 vCPU / 4 GB / 40 GB): EUR 5/month — for up to 100 workflows, ~5,000 executions/day
Hetzner CX32 (4 vCPU / 8 GB / 80 GB): EUR 10/month — for up to 300 workflows, ~50,000 executions/day
Hetzner CCX23 (4 dedicated vCPU / 16 GB): EUR 22/month — for production-critical, high-volume setups

n8n Self-Hosted Setup in 6 Steps: From Provisioning to Monitoring

Schritt 1

Step 1: Provision the Hetzner server

Open the Hetzner Cloud console (console.hetzner.cloud) and create a new project. Choose server type CX22, the "Ubuntu 24.04 LTS" image, and location "nbg1" (Nuremberg, Germany). Add your SSH key. Create firewall rules: port 22 (SSH, restricted to your own IP), ports 80 and 443 (HTTP/HTTPS, public). A floating IP is optional for a fixed address. Time: 5 minutes.

Schritt 2

Step 2: Install Docker + Docker Compose

Connect to the server via SSH. Install Docker Engine using the official installation script from pkg.docker.com (curl -fsSL https://get.docker.com | sh). The Docker Compose plugin has been bundled since Docker 23 (docker compose instead of docker-compose). Add your user to the docker group (usermod -aG docker $USER). Apply system updates (apt update && apt upgrade). Enable the Docker service (systemctl enable docker). Time: 10 minutes.

Schritt 3

Step 3: Start the n8n + PostgreSQL containers

Use the docker-compose.yml from the official n8n documentation (docs.n8n.io/hosting/installation/server-setups/docker-compose/) as a template. Services: n8n (latest version), postgres:16-alpine, redis:7-alpine. Move environment variables into a .env file: N8N_ENCRYPTION_KEY (a random 32-byte string), DB_TYPE=postgresdb, DB_POSTGRESDB_*, QUEUE_BULL_REDIS_HOST. Keep the n8n port internal on 5678, with no direct external port mapping (the reverse proxy handles that). Time: 10 minutes.

Schritt 4

Step 4: TLS via Caddy or Traefik

Caddy is the simplest option for automatic TLS via Let's Encrypt: a two-line Caddyfile (domain + reverse_proxy n8n:5678) is enough. Alternatively, run Traefik as a further Docker service with labels on the n8n container. Point a DNS record for the n8n domain to the Hetzner server IP. Caddy or Traefik automatically requests a Let's Encrypt certificate and renews it every 60 days. Important: no real credentials should be stored in n8n without TLS. Time: 10 minutes.

Schritt 5

Step 5: Set up backups (Hetzner Storage Box)

Set up a Hetzner Storage Box BX11 (1 TB, EUR 3.81/month) as the backup target. Run a daily cron job on the server: a PostgreSQL dump via pg_dump plus compression, uploaded via rclone or rsync to the Hetzner Storage Box over SFTP/Samba. Also back up the /home/node/.n8n folder (which may hold local data). Retention policy: 7 daily, 4 weekly. BSI IT-Grundschutz OPS.1.1.7 recommends an RPO of max. 24 hours for business-critical automations. Time: 15 minutes.

Schritt 6

Step 6: Monitoring + automatic updates

Use Uptime Kuma (free, self-hosted, also run via Docker) for availability monitoring: an HTTP check against the n8n URL every 60 seconds, with an alert by email or Telegram on an outage. Enable n8n's built-in error workflow: send a Slack message or email to the responsible team whenever a production workflow fails. Updates: a Watchtower container for automatic Docker image updates, or a manual update script (docker compose pull && docker compose up -d) run monthly during a maintenance window. Time: 15 minutes.

Docker Compose Configuration: The Complete Setup

The official n8n documentation at docs.n8n.io/hosting/installation/server-setups/docker-compose/ provides a complete `docker-compose.yml` template. The production-ready SME setup comprises four services: n8n (workflow engine), postgres (persistent data storage), redis (queue backend for parallel executions), and caddy (reverse proxy with automatic TLS).

The most critical element of the configuration is the N8N_ENCRYPTION_KEY: this 32-byte key encrypts every credential stored in n8n (API keys, OAuth tokens, passwords) in the PostgreSQL database. It must be generated before the first start (`openssl rand -hex 32`), kept securely in the `.env` file, and backed up separately — ideally in a password manager such as Bitwarden or 1Password. Without this key, stored credentials become unusable after a server migration.

For the privacy configuration under GDPR, two n8n environment variables are especially relevant: `N8N_EXECUTIONS_DATA_PRUNE=true` limits how long workflow execution data is retained, and `N8N_EXECUTIONS_DATA_MAX_AGE=720` sets the maximum retention to 30 days. For workflows handling especially sensitive data (health data, financial data), `N8N_EXECUTIONS_DATA_SAVE_ON_SUCCESS=none` is also advisable, so that successful executions are not persisted.

Example `.env` file (required fields):

All Docker images should be pinned to explicit version tags (e.g. `n8nio/n8n:1.85.0` rather than `n8nio/n8n:latest`) to prevent unexpected breaking changes from automatic updates. A monthly, manual update window with prior backup verification is the recommended maintenance strategy.

Automated workflows require dedicated access-control concepts and regular audits. For systems that process personal or confidential data automatically, logging, access control, and a documented contingency plan are mandatory parts of the security concept.

Bundesamt für Sicherheit in der Informationstechnik (BSI), IT-Grundschutz Compendium — Module OPS.1.1.7: Automation of Operational Processes, BSI — Bundesamt für Sicherheit in der Informationstechnik, 2024

TLS, Backups, Monitoring — the Three Mandatory Parts

Automatic TLS via Caddy or Traefik

Caddy is the simplest option for self-hosting newcomers: a two-line `Caddyfile` (`n8n.your-domain.com { reverse_proxy n8n:5678 }`) is enough for full automatic TLS via Let's Encrypt. Caddy renews certificates automatically before they expire. Traefik is the alternative for more complex setups with several services on the same server — configurable entirely through Docker labels on the n8n container. Both solutions are free, widely used, and documented across the n8n community.

Daily PostgreSQL Backups to the Hetzner Storage Box

The most critical data in an n8n setup is the PostgreSQL database (workflow definitions, execution history, credentials) and the `.env` file with the encryption key. A daily cron job (`pg_dump | gzip | rclone copy`) backs up the database to a Hetzner Storage Box BX11 (1 TB, EUR 3.81/month). Retention: 7 daily, 4 weekly backups. Never leave the encryption key on the server alone — always back it up separately in a password manager.

Monitoring via Uptime Kuma

Uptime Kuma is a free, self-hosted monitoring service that runs as a Docker container on the same Hetzner server. An HTTP check against the n8n URL every 60 seconds, with an alert by email, Telegram, or Slack on an outage. Combined with n8n's built-in error workflow (a Slack message when production workflows fail), this gives you a complete monitoring setup with no additional SaaS costs.

Compliance Checklist Before Go-Live

Before your first n8n instance handling personal data goes into production, every item on this checklist should be met. It follows the requirements of Art. 32 GDPR (technical and organisational measures) and the recommendations of BSI IT-Grundschutz OPS.1.1.7.

Data processing agreement with Hetzner in place — a processing agreement under Art. 28 GDPR (free, available via the Hetzner customer portal)
n8n encryption key stored securely — in a password manager (Bitwarden, 1Password), not only in the .env file on the server
TLS active and verified — an SSL Labs test (ssllabs.com/ssltest) returns at least an A rating
Backup restore tested — at least one manual restore performed and backup completeness verified
Execution history limited — N8N_EXECUTIONS_DATA_PRUNE=true, with retention set to 30 days
Staff training documented — who may access n8n and who may not; credential management defined
Contingency plan in place — in writing: what happens if the server fails? How long does recovery take? Who is responsible?
Data protection impact assessment reviewed — for workflows with especially sensitive data (health, finance, employee data), a DPIA under Art. 35 GDPR may be required

Häufige Fragen zum n8n Self-Hosted DSGVO-Setup

n8n Cloud is a valid option if you'd rather not run your own IT infrastructure. Since 2024, n8n Cloud has had EU data centres in Frankfurt, and a GDPR-compliant Data Processing Agreement (DPA) under Art. 28 is available — which makes the cloud option sufficient for many SMEs. Self-hosting is preferable, however, when: (1) your GDPR requirements are especially strict (e.g. healthcare, financial services), (2) you'd rather avoid recurring cloud costs (n8n Cloud starts at EUR 20/month), or (3) you need maximum control over data-retention periods and access rights.

For up to 100 active workflows and ~5,000 executions per day, a Hetzner CX22 (2 vCPU, 4 GB RAM, 40 GB SSD, EUR 5/month) is entirely sufficient. For 50–300 workflows or a higher execution volume, we recommend the Hetzner CX32 (4 vCPU, 8 GB RAM, approx. EUR 10/month). For production-critical setups with strict SLA requirements, dedicated server types such as the CCX23 are a good fit. The server location should always be set to Germany (nbg1 or fsn1) to ensure GDPR compliance.

n8n ships new versions weekly. For production installations, we recommend a monthly update window: docker compose pull && docker compose up -d after a prior backup check. Security patches should be applied promptly (within 24–72 hours). Tip: subscribe to the n8n community newsletter or follow the GitHub repository (github.com/n8n-io/n8n/releases) to stay informed about important releases.

Infrastructure costs: Hetzner CX22 (EUR 5/month) + Hetzner Storage Box BX11 for backups (EUR 3.81/month) + a domain (~EUR 1/month) = approx. EUR 10/month. On top of that comes the one-off setup effort: roughly 4–8 hours if you do it yourself, or from approx. EUR 1,500 net if you commission a provider for a complete production-ready setup. By comparison: n8n Cloud for 100 workflows starts at EUR 50/month; Zapier for a similar execution volume starts at USD 99/month.

Immediate measures for a data breach: (1) stop the n8n instance at once (docker compose stop n8n) to halt further data processing. (2) Assess the scope of the breach: which workflows, which data, what time period? (3) Check your reporting obligation: data breaches that pose a risk to data subjects must be reported to the competent supervisory authority (e.g. the Bavarian Data Protection Authority) within 72 hours under Art. 33 GDPR. (4) Inform affected individuals if there is a high risk (Art. 34 GDPR). Do you have a written contingency plan? You should have prepared one before go-live.

A data protection officer is mandatory under Art. 37 GDPR if your company's core activity involves large-scale processing of personal data (e.g. professional data processing, health data), or if you permanently employ more than 20 people in automated data processing (a German national specification, BDSG §38). For most SMEs that use n8n for internal processes, a DPO is not strictly required — but it is advisable. Even without a mandatory DPO, we recommend carrying out a data protection impact assessment (DPIA) for workflows with sensitive data before go-live.

The technical setup (server, Docker, n8n) takes one person with basic Linux skills 30–60 minutes using this guide. More demanding are: the GDPR-compliant configuration (processing agreement, data-retention periods, access-control concept), the monitoring setup, and ongoing maintenance (updates, backup verification). Wito AI offers a complete managed n8n setup: server provisioning, GDPR configuration, monitoring, the processing agreement, and ongoing maintenance — from EUR 1,500 net as a one-off, optionally with a monthly managed service from EUR 150.

The n8n encryption key encrypts every credential stored in n8n (API keys, passwords, OAuth tokens) in the PostgreSQL database. During a server migration, this key must be transferred to the new server — otherwise all stored credentials become permanently unreadable and every workflow has to be reconfigured. Recommendation: back up the key in a password manager (Bitwarden, 1Password) at initial setup and never leave it on the server alone. For managed setups by Wito AI, the key is held in an encrypted vault.