create sections

docs/privacy-security/cloud-hosting.md

@@ -1,13 +0,0 @@
----
-title: Cloud hosting
-description: Background on n8n's Cloud hosting, and its implications for privacy and security.
----
-
-# Cloud hosting
-
-n8n cloud is hosted on the [Microsoft Azure](https://aws.amazon.com/){:target=_blank .external-link} platform. The physical hardware powering n8n, and the data stored by our platform, is hosted in the Azure Germany West Central data center in Frankfurt. This is controlled and secured by Microsoft. You can read more about [Azure’s security practices](https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security){:target=_blank .external-link} and [compliance certifications](https://learn.microsoft.com/en-us/azure/compliance/){:target=_blank .external-link}.
-
-n8n further secures access to Azure resources through a series of controls, including but not limited to: 
-
-* Using multi-factor authentication to access Azure
-* Hosting services within a private network inaccessible to the public internet

docs/privacy-security/data-encryption.md

@@ -1,21 +0,0 @@
----
-title: Data encryption
-description: How n8n encrypts data in transit and at rest.
----
-
-n8n handles data encryption for n8n Cloud users. 
-
-Self-hosters must:
-
-* Set up a reverse proxy in front of your n8n instance to handle TLS.
-* Ensure data is encrypted at rest.
-
-## Encryption of data in transit: TLS (SSL) Certificates
-
-When you use the n8n web application, traffic between your client and n8n services is encrypted in transit. The same applies for traffic related to the public API or webhook trigger nodes. SSL certificates are managed and renewed by n8n.
-
-
-## Encryption of data at rest
-
-n8n encrpts customer data at rest in your instance's mounted volume. n8n uses Azure Storage server side encryption (using AES256 and a FIPS-140-2 compliant implementation). Azure Storage has achieved a wide range of compliance certifications which can be seen in detail at: [https://learn.microsoft.com/en-us/azure/storage/common/storage-compliance-offerings](https://learn.microsoft.com/en-us/azure/storage/common/storage-compliance-offerings){:target=_blank .external-link}.
-

docs/privacy-security/incident-response.md

@@ -9,4 +9,4 @@ n8n implements incident response best practices for identifying, documenting, re
 
 n8n publishes incident notifications to a status page at [https://status.n8n.cloud/](https://status.n8n.cloud/){:target=_blank .external-link}.
 
-n8n notifies customers of any data breaches according to our [Data Protection Addendum](https://n8n.io/legal/){:target=_blank .external-link}.
+n8n notifies customers of any data breaches according to the company's [Data Protection Addendum](https://n8n.io/legal/){:target=_blank .external-link}.

docs/privacy-security/payment-processor.md

@@ -1,8 +0,0 @@
----
-title: Payment processor
-description: How n8n handles payments and payment methods.
----
-
-# Payment processor
-
-n8n uses Paddle.com as our payment processor. When you sign up for a paid plan, the details of your payment method are transmitted to and stored by Paddle according to their security policy. n8n stores no information about your payment method.

docs/privacy-security/privacy/gdpr.md

@@ -7,9 +7,9 @@ description: n8n's GDPR policy
 
 ## Data protection addendum
 
-n8n is considered both a Controller and a Processor as defined by the GDPR. As a Processor, n8n implements policies and practices that secure the personal data you send to the platform, and includes a [Data Protection Addendum](https://n8n.io/legal/){:target=_blank .external-link} as part of our standard [Terms of Service](https://n8n.io/legal/){:target=_blank .external-link}.
+n8n is considered both a Controller and a Processor as defined by the GDPR. As a Processor, n8n implements policies and practices that secure the personal data you send to the platform, and includes a [Data Protection Addendum](https://n8n.io/legal/){:target=_blank .external-link} as part of the company's standard [Terms of Service](https://n8n.io/legal/){:target=_blank .external-link}.
 
-The n8n Data Protection Addendum includes the [Standard Contractual Clauses (SCCs)](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en){:target=_blank .external-link}. These clarify how n8n handles your data, and they update our GDPR policies to cover the latest standards set by the European Commission.
+The n8n Data Protection Addendum includes the [Standard Contractual Clauses (SCCs)](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en){:target=_blank .external-link}. These clarify how n8n handles your data, and they update n8n's GDPR policies to cover the latest standards set by the European Commission.
 
 You can find a list of n8n subprocessors [here](https://n8n.io/legal/){:target=_blank .external-link}.
 

docs/privacy-security/privacy/identifying-data.md

@@ -4,17 +4,17 @@ title: Retention and deletion of personal identifiable data
 
 # Retention and deletion of personal identifiable data
 
-PID (personal identifiable data) is data that is personal to you and would identify you as an individual.
+PID (personal identifiable data) is data that's personal to you and would identify you as an individual.
 
 ## n8n Cloud
 
 ### PID retention
 
-n8n retains data only for as long as necessary to provide the core service. 
+n8n only retains data for as long as necessary to provide the core service. 
 
-For n8n Cloud, n8n stores your workflow code, credentials, and other data indefinitely, until you choose to delete it or close your account. Execution data is stored according to the retention rules on your account.
+For n8n Cloud, n8n stores your workflow code, credentials, and other data indefinitely, until you choose to delete it or close your account. The platform stores execution data according to the retention rules on your account.
 
-n8n deletes most internal application logs and logs tied to subprocessors within 30 days. We retain a subset of logs for longer periods where required for security investigations.
+n8n deletes most internal application logs and logs tied to subprocessors within 30 days. The company retains a subset of logs for longer periods where required for security investigations.
 
 ### PID deletion
 

docs/privacy-security/privacy/index.md

@@ -0,0 +1,16 @@
+---
+title: Privacy
+description: Data privacy at n8n
+---
+
+# Privacy
+
+This section describes n8n's data privacy practices.
+
+- [GDPR](/privacy-security/privacy/gdpr/)
+- [Data collection](/privacy-security/privacy/data-collection/)
+- [PID retention and deletion](/privacy-security/privacy/identifying-data/)
+- [Payment processor](/privacy-security/privacy/payment-processor/)
+
+
+

docs/privacy-security/privacy/payment-processor.md

@@ -0,0 +1,8 @@
+---
+title: Payment processor
+description: How n8n handles payments and payment methods.
+---
+
+# Payment processor
+
+n8n uses Paddle.com to process payments. When you sign up for a paid plan, Paddle transmits and stores the details of your payment method according to their security policy. n8n stores no information about your payment method.

docs/privacy-security/security/cloud-hosting.md

@@ -0,0 +1,13 @@
+---
+title: Cloud hosting
+description: n8n uses Azure for hosting.
+---
+
+# Cloud hosting
+
+n8n cloud uses [Microsoft Azure](https://aws.amazon.com/){:target=_blank .external-link} for hosting. The physical hardware powering n8n, and the data stored by the platform, is hosted in the Azure Germany West Central data center in Frankfurt. Microsoft controls and secures this. You can read more about [Azure’s security practices](https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security){:target=_blank .external-link} and [compliance certifications](https://learn.microsoft.com/en-us/azure/compliance/){:target=_blank .external-link}.
+
+n8n further secures access to Azure resources through a series of controls, including: 
+
+* Using multi-factor authentication to access Azure
+* Hosting services within a private network inaccessible to the public internet

docs/privacy-security/security/corporate-security.md

@@ -20,12 +20,11 @@ n8n provides hardware to all new hires. These machines run a local agent that se
 - Anti-malware software
 - Screen lock
 
-and more.
 
 ### System access
 
-n8n grants employees access to systems on a least-privilege basis. This means that employees only have access to the data they need to perform their job. System access is reviewed quarterly, on any change in role, or upon termination.
+n8n grants employees access to systems on a least-privilege basis. This means that employees only have access to the data they need to perform their job. The company reviews system access quarterly, on any change in role, and upon termination.
 
 ### Security training
 
-Employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign n8n's comprehensive information security policy covering the security, availability, and confidentiality of n8n services.
+Employees receive privacy and security training during onboarding as well as on an ongoing basis. n8n requires all employees to read and sign n8n's comprehensive information security policy covering the security, availability, and confidentiality of n8n services.

docs/privacy-security/security/data-encryption.md

@@ -0,0 +1,27 @@
+---
+title: Data encryption
+description: How n8n encrypts data in transit and at rest.
+---
+
+# Data encryption
+
+## n8n Cloud
+
+n8n handles data encryption for n8n Cloud users. 
+
+### Encryption of data in transit: TLS and SSL certificates
+
+When you use the n8n web application, it encrypts traffic between your client and n8n services in transit. The same applies for traffic related to the public API or webhook trigger nodes. n8n manages and renews SSL certificates.
+
+
+### Encryption of data at rest
+
+n8n encrypts customer data at rest in your instance's mounted volume. n8n uses Azure Storage server side encryption (using AES256 and a FIPS-140-2 compliant implementation). Azure Storage has achieved a wide range of compliance certifications. Refer to [Azure Storage compliance offerings](https://learn.microsoft.com/en-us/azure/storage/common/storage-compliance-offerings){:target=_blank .external-link} for more information.
+
+## Self-hosted n8n
+
+Self-hosters must:
+
+* Set up a reverse proxy in front of your n8n instance to handle TLS.
+* Handle encrypting data at rest.
+

docs/privacy-security/security/development.md

@@ -5,7 +5,7 @@ description: Security practices in software development.
 
 # Development
 
-n8n uses GitHub to store and version all production code. Employee access to n8n’s GitHub organization is protected by multi-factor authentication.
+n8n uses GitHub to store and version all production code. Employees use multi-factor authentication to access the GitHub organization.
 
-Only authorized employees are able to deploy code to production. Deploys are tested and monitored before and after release.
+Only authorized employees are able to deploy code to production. n8n tests and monitors deploys before and after release. [TODO: really think it would be good to say more here]
 

docs/privacy-security/security/index.md

@@ -0,0 +1,17 @@
+---
+title: Security
+description: Data security at n8n
+---
+
+# Security
+
+This section describes n8n's security practices.
+
+- [User accounts](/privacy-security/security/user-accounts/)
+- [Third-party accounts](/privacy-security/security/third-party-auth/)
+- [Cloud hosting](/privacy-security/security/cloud-hosting/)
+- [Data encryption](/privacy-security/security/data-encryption/)
+- [Development](/privacy-security/security/development/)
+- [Monitoring](/privacy-security/security//monitoring/)
+- [Email security](/privacy-security/security/email-security/)
+- [Corporate security](/privacy-security/security/corporate-security/)

docs/privacy-security/security/monitoring.md

@@ -5,4 +5,4 @@ description: n8n's security monitoring practices
 
 # Monitoring
 
-n8n monitors code, infrastructure and core application for known vulnerabilities and addresses critical vulnerabilities in a timely manner.
+n8n monitors code, infrastructure and core application for known vulnerabilities and addresses critical vulnerabilities in a timely manner. [TODO: can we say more?]

docs/privacy-security/security/third-party-auth.md

@@ -5,19 +5,19 @@ description: Connecting to third-party accounts
 
 # Third-party accounts
 
-A key part of n8n's functionality is to link third-party services. When you link an account from a third party application, you may be asked to either authorize  n8n OAuth application access to your account, or provide an API key or other credentials. This section describes how we handle these grants and keys.
+A key part of n8n's functionality is to link third-party services. When you link an account from a third party application, you may need to either authorize n8n OAuth application access to your account, or provide an API key or other credentials. This section describes how n8n handles these grants and keys.
 
 n8n recommends using [OAuth](https://oauth.net/2/){:target=_blank .external-link} for third-party applications that support it. The OAuth protocol allows n8n to request scoped access to specific resources in your third party account without you having to provide long-term credentials directly. n8n must request short-term access tokens at regular intervals, and most applications provide a way to revoke n8n's access to your account at any time.
 
-Some third-party applications do not provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if your application provides such functionality, n8n recommends you limit that API key's access to only the resources you need access to within n8n.
+Some third-party applications don't provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if your application provides such functionality, n8n recommends you limit that API key's access to only the resources you need access to within n8n.
 
 When you use credentials in a workflow, n8n loads them into the execution environment of your n8n instance. For n8n Cloud, customer instances are logically isolated from another.
 
-n8n doesn't log or export credentials by default. If you log their values you can always delete the data for that execution. Execution data is deleted automatically based on the retention settings for your account.
+n8n doesn't log or export credentials by default. If you log their values you can always delete the data for that execution. The platform deletes execution data automatically based on the retention settings for your account.
 
 You can delete your OAuth grants or key-based credentials at any time. Deleting OAuth grants within n8n doesn't revoke n8ns access to your account. You must revoke that access wherever you manage OAuth grants in your third party application.
 
 ### n8n Cloud storage and encryption
 
-n8n stores all OAuth tokens, key-based credentials, and the rest of your Cloud instance's database on a disk that is encrypted at rest using Azure server-side encryption (at the time of writing, using AES256 and a FIPS-140-2 compliant implementation). For n8n cloud that database also resides in a private network. Backups of that database are also encrypted.
+n8n stores all OAuth tokens, key-based credentials, and the rest of your Cloud instance's database on a disk that's encrypted at rest using Azure server-side encryption (at the time of writing, using AES256 and a FIPS-140-2 compliant implementation). For n8n cloud that database also resides in a private network. Backups of that database are also encrypted.
 

mkdocs.yml

@@ -195,18 +195,22 @@ nav:
     - Log streaming: log-streaming.md
     - Privacy and security:
         - privacy-security/index.md
-        - GDPR: privacy-security/gdpr.md
-        - Data collection: privacy-security/data-collection.md
-        - PID retention and deletion: privacy-security/identifying-data.md
-        - Payment processor: privacy-security/payment-processor.md
-        - User accounts: privacy-security/user-accounts.md
-        - Third-party accounts: privacy-security/third-party-auth.md
-        - Cloud hosting: privacy-security/cloud-hosting.md
-        - Data encryption: privacy-security/data-encryption.md
-        - Email security: privacy-security/email-security.md
-        - Corporate security: privacy-security/corporate-security.md
-        - Development: privacy-security/development.md
-        - Monitoring: privacy-security/monitoring.md
+        - Privacy:
+          - privacy-security/privacy/index.md
+          - GDPR: privacy-security/privacy/gdpr.md
+          - Data collection: privacy-security/privacy/data-collection.md
+          - PID retention and deletion: privacy-security/privacy/identifying-data.md
+          - Payment processor: privacy-security/privacy/payment-processor.md
+        - Security:
+          - privacy-security/security/index.md
+          - User accounts: privacy-security/security/user-accounts.md
+          - Third-party accounts: privacy-security/security/third-party-auth.md
+          - Cloud hosting: privacy-security/security/cloud-hosting.md
+          - Data encryption: privacy-security/security/data-encryption.md
+          - Development: privacy-security/security/development.md
+          - Monitoring: privacy-security/security//monitoring.md
+          - Email security: privacy-security/security/email-security.md
+          - Corporate security: privacy-security/security/corporate-security.md
         - Incident response: privacy-security/incident-response.md
         - What you can do: privacy-security/what-you-can-do.md
     - Release notes: release-notes.md