n8n self-hosting in Switzerland: a revDSG compliance guide

Every automation project I start with a Swiss client eventually reaches the same question: where does the data go?
For companies that automate HR workflows, process invoices, or route client emails, the answer matters under Swiss revDSG (the revised Federal Act on Data Protection, in force since September 2023) and EU GDPR. This guide explains the compliance landscape, when self-hosting n8n is the right answer, and how to set it up.
What does revDSG say about using cloud automation tools?
Under revDSG, processing personal data through a third-party service constitutes data disclosure to that third party. This applies whether you're using Zapier, Make, or a cloud-hosted n8n instance. The key obligations:
You need a legal basis for the data transfer. For most B2B automation (employee data, client data), this is either a contract or legitimate interests — but it must be documented.
You need a Data Processing Agreement (DPA) with your processor. If you route personal data through Make, Zapier, or a cloud n8n provider, you need a valid DPA with each. Zapier and Make both offer DPAs. Without one, you're in breach.
Cross-border transfer rules apply. Transferring personal data to a country without adequate data protection (the US, under most interpretations) requires additional safeguards: Standard Contractual Clauses (SCCs) or equivalent. OpenAI and Anthropic offer SCCs as part of their enterprise agreements.
Self-hosting eliminates the third-party processor question. If n8n runs on infrastructure you control — a VPS in Switzerland, a server in your own network — your automation data never leaves your defined perimeter. No DPA required with n8n itself. No cross-border transfer issue.
When is self-hosting the right choice?
Self-hosting adds operational overhead. It's not always the right answer. Use this decision framework:
Self-host when:
- You process personal employee data in your workflows (contracts, payroll inputs, onboarding documents)
- You process client data that your own client contracts restrict from leaving Switzerland or the EU
- You handle health data or data with special sensitivity under revDSG Article 5
- Your legal or security team has issued a policy against US-hosted processors for certain data categories
- You want no per-task pricing that scales with automation volume
Use cloud-hosted Make or n8n.cloud when:
- Your workflows handle only internal operational data (non-personal: pipeline reports, inventory checks, system alerts)
- You have a signed DPA with the provider and SCCs for US transfers
- Your team needs to edit workflows without technical support
- Simplicity and speed of setup outweigh data residency concerns
How to self-host n8n on Swiss infrastructure
This assumes a Linux VPS. Total setup time: 2–4 hours for a production-ready instance.
Step 1: Choose your infrastructure
Providers with servers in Switzerland or the EU:
| Provider | Location | Notes |
|---|---|---|
| Exoscale | Geneva, Zurich | Swiss provider, revDSG-friendly, ISO 27001 |
| Nine.ch | Switzerland | Swiss provider, strong data protection commitment |
| Hetzner | Germany, Finland | EU, low cost, strong compliance track record |
| Infomaniak | Geneva | Swiss provider, GDPR/revDSG compliant |
For most Swiss SMEs, Exoscale or Infomaniak are the cleanest compliance story. Hetzner is a cost-effective EU option.
Recommended VPS specs for n8n up to ~10,000 workflow executions/month: 2 vCPU, 4 GB RAM, 40 GB SSD.
Step 2: Install n8n with Docker Compose
```yaml
# docker-compose.yml
version: '3.8'
services:
  n8n:
    image: n8nio/n8n
    restart: always
    ports:
      # Loopback only: Nginx (Step 3) is the public entry point, not port 5678
      - "127.0.0.1:5678:5678"
    environment:
      # n8n 1.0 removed basic auth; on current images these three variables
      # have no effect and access is controlled by user management (Step 5)
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=your_username
      - N8N_BASIC_AUTH_PASSWORD=your_password
      - N8N_HOST=n8n.yourdomain.ch
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://n8n.yourdomain.ch/
      - GENERIC_TIMEZONE=Europe/Zurich
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_HOST=postgres
      - DB_POSTGRESDB_PORT=5432
      - DB_POSTGRESDB_DATABASE=n8n
      - DB_POSTGRESDB_USER=n8n
      - DB_POSTGRESDB_PASSWORD=your_db_password
    volumes:
      - n8n_data:/home/node/.n8n
    depends_on:
      - postgres
  postgres:
    image: postgres:16
    # Fixed name so that `docker exec postgres ...` (Step 4) finds the container
    container_name: postgres
    restart: always
    environment:
      - POSTGRES_USER=n8n
      - POSTGRES_PASSWORD=your_db_password
      - POSTGRES_DB=n8n
    volumes:
      - postgres_data:/var/lib/postgresql/data
volumes:
  n8n_data:
  postgres_data:
```
PostgreSQL is recommended over SQLite for production: better concurrency and proper backup support.
Step 3: Set up HTTPS with a reverse proxy
Use Nginx + Let's Encrypt (Certbot) to terminate TLS. n8n must be served over HTTPS for webhook endpoints to function correctly.
```nginx
server {
    listen 443 ssl;
    server_name n8n.yourdomain.ch;
    ssl_certificate /etc/letsencrypt/live/n8n.yourdomain.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n.yourdomain.ch/privkey.pem;
    location / {
        proxy_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cache_bypass $http_upgrade;
    }
}
```
Step 4: Configure automated backups
Back up the PostgreSQL database and the n8n data volume daily. For Swiss-hosted instances, Exoscale and Infomaniak both offer managed backup solutions. Alternatively, use a simple cron job to dump and encrypt:
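```bash
#!/bin/bash
# /etc/cron.daily/n8n-backup: dump, compress and encrypt the n8n database
# Assumes the container is named "postgres" and GPG_RECIPIENT's key is imported and trusted
set -euo pipefail
BACKUP_DIR="/backups/n8n"
GPG_RECIPIENT="backup@yourdomain.ch"  # placeholder: your backup key's address
DATE=$(date +%Y-%m-%d)
mkdir -p "$BACKUP_DIR"
docker exec postgres pg_dump -U n8n n8n | gzip \
  | gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" --output "$BACKUP_DIR/n8n-$DATE.sql.gz.gpg"
# Delete backups older than 30 days
find "$BACKUP_DIR" -name "*.sql.gz.gpg" -mtime +30 -delete
```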
Step 5: Restrict access
- Enable n8n's built-in user management (available since n8n 0.221)
- Restrict the instance to your company's IP range using your VPS firewall rules or Nginx allow/deny directives
- Rotate credentials on a defined schedule
- Enable Two-Factor Authentication for n8n user accounts
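A check for the deployment from Steps 2 to 5, as an added example (not the author's or n8n's code): it scans a compose file for unpinned images, ports published on all interfaces (which lets clients reach n8n directly, past the Nginx TLS and allow/deny layer), and secrets that still hold placeholder values. The placeholder list and the sample fragment are constructed for illustration.

```python
import re

# Assumption: placeholder values as they appear in tutorials, extend as needed.
PLACEHOLDERS = {"your_password", "your_db_password", "changeme"}
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY")


def lint_compose(text):
    """Return (line number, finding) pairs for a docker-compose.yml given as text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # An image with no tag or with :latest upgrades without review.
        m = re.match(r"image:\s*(\S+)", line)
        if m:
            name = m.group(1).split("/")[-1]
            tag = name.split(":", 1)[1] if ":" in name else ""
            if tag in ("", "latest"):
                findings.append((lineno, f"image {m.group(1)} is not pinned"))
        # HOST:CONTAINER without an address publishes on every interface,
        # so clients can reach n8n directly instead of through Nginx.
        m = re.match(r"-\s*[\"']?(\d+):\d+[\"']?$", line)
        if m:
            findings.append((lineno, f"port {m.group(1)} published on all interfaces"))
        # Secrets that still carry the tutorial's placeholder value.
        m = re.match(r"-\s*([A-Z0-9_]+)=(.*)$", line)
        if m and SECRET_NAME.search(m.group(1)) and m.group(2) in PLACEHOLDERS:
            findings.append((lineno, f"{m.group(1)} still has a placeholder value"))
    return findings


# Constructed fragment for the demo, not a complete compose file.
SAMPLE = """\
services:
  n8n:
    image: n8nio/n8n
    ports:
      - "5678:5678"
    environment:
      - DB_POSTGRESDB_PASSWORD=your_db_password
  postgres:
    image: postgres:16
    ports:
      - "127.0.0.1:5432:5432"
"""

if __name__ == "__main__":
    for lineno, finding in lint_compose(SAMPLE):
        print(f"line {lineno}: {finding}")
```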
What about AI models in self-hosted workflows?
If your n8n workflows call OpenAI or Anthropic APIs, the data still leaves your infrastructure when the API call is made, even though n8n itself is self-hosted. For data that can't leave Switzerland, use n8n's HTTP Request node to call a locally-hosted Ollama instance instead.
Ollama setup on the same server or an adjacent VPS:
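```bash
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh
# Pull a model (Llama 3.1 8B is sufficient for most classification/extraction tasks)
ollama pull llama3.1:8b
# Ollama listens on localhost:11434 by default and has no built-in authentication.
# To reach it from the n8n container or an adjacent VPS, bind it to a private
# address with OLLAMA_HOST and firewall port 11434 so that only n8n can connect.
# Call from n8n via HTTP Request node: POST http://your-server-ip:11434/api/generate
```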
For document extraction tasks (invoices, contracts), Llama 3.1 8B handles structured JSON output reliably. For complex reasoning or multilingual tasks, Mistral 7B or Mixtral 8x7B perform better.
What does a revDSG-compliant automation architecture look like?
A complete setup for a Swiss SME:
- n8n self-hosted on Exoscale in Zurich — all workflow execution stays in Switzerland
- PostgreSQL on the same VPS — workflow history and execution logs never leave the server
- Locally-hosted Ollama for AI tasks involving personal data — HR documents, client contracts, employee emails
- OpenAI/Anthropic API for non-personal operational data — internal reports, anonymised metrics, public-source data — with signed DPA and SCCs
- Automated daily backups encrypted at rest — stored on Swiss infrastructure
- n8n user accounts with 2FA — access restricted to named individuals
This setup satisfies revDSG requirements for personal data processing, eliminates cross-border transfer concerns for sensitive data categories, and still allows you to use frontier AI models where the data permits it.
Do I need a lawyer to set this up?
For the infrastructure and technical setup: no. For the legal documentation (the data processing register, DPA templates for any third-party processors you do use, and the privacy notice update), a lawyer or data protection officer review is recommended. This is typically a two-to-four hour engagement for a standard SME setup.
Where to start
If you're currently running automation workflows through a US-hosted SaaS tool and handle personal data in those workflows, the first step is an audit: map which workflows touch personal data, check whether you have a valid DPA with each tool, and identify which flows are highest-risk.
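The audit can start from exported workflow JSON. This added example (not part of the original article or of n8n) lists the nodes whose data leaves the perimeter: hosted AI nodes, HTTP Request nodes pointing at external hosts, and URLs built from expressions. The allow-list, the node-type substrings and the sample export are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Assumption: names you treat as inside your perimeter (adjust to your setup).
IN_PERIMETER_HOSTS = {"localhost", "ollama"}
# Assumption: node types containing these substrings call a hosted AI API.
HOSTED_AI_MARKERS = ("openai", "anthropic")


def host_in_perimeter(host):
    """True for allow-listed names and for loopback or private IP addresses."""
    if host in IN_PERIMETER_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name that is not on the allow-list
    return ip.is_loopback or ip.is_private


def audit_workflow(workflow):
    """Return (node name, destination, reason) for every node that sends data out."""
    findings = []
    for node in workflow.get("nodes", []):
        node_type = node.get("type", "")
        url = str(node.get("parameters", {}).get("url", ""))
        host = urlparse(url).hostname or ""
        if any(marker in node_type.lower() for marker in HOSTED_AI_MARKERS):
            findings.append((node["name"], node_type, "hosted AI API node"))
        elif url.startswith("="):  # n8n expression, resolved only at run time
            findings.append((node["name"], url, "dynamic URL, review manually"))
        elif url and not host_in_perimeter(host):
            findings.append((node["name"], host, "external host"))
    return findings


# Constructed sample export, not taken from a real instance.
SAMPLE_EXPORT = json.loads("""{"name": "HR onboarding", "nodes": [
 {"name": "Classify contract", "type": "n8n-nodes-base.httpRequest",
  "parameters": {"url": "http://10.0.0.12:11434/api/generate"}},
 {"name": "Summarise CV", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "parameters": {}},
 {"name": "Post to CRM", "type": "n8n-nodes-base.httpRequest",
  "parameters": {"url": "https://api.example.com/v1/contacts"}},
 {"name": "Notify", "type": "n8n-nodes-base.httpRequest",
  "parameters": {"url": "={{ $json.callback }}"}}]}""")

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_EXPORT), sep="\n")
```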
If you want help designing a revDSG-compliant automation architecture, get in touch. I work with Swiss companies on this regularly.
