‘Personio’s journey with n8n’ - n8n Business Lab (November 2025)

My name is Jay. I'm the global IT manager at Personio. — Yeah. And my name is Rob. I'm a senior systems engineer. — Yeah. And we're here today to talk to you about our journey with NATO at Personio. So, little bit of the agenda here. We're just going to — You can't hear Rob? — How's that? — Great. — There we go. Awesome. So, uh just a little bit of a look at the agenda. We're just going to look at the approach and the infrastructure that we set up. uh the training and enablement side for people who are nontechnical and then finally — yeah I'm going to talk a little bit about our security our approach challenges and how we solved it at Personia — there we go — a little bit loud is it — more power yeah thank you ah there we go — thanks

— so I guess the what and the why so why NAN? Well, we are a small IT team and it's not just me and Rob. There's a few others. Um, but we basically needed to automate a lot of our manual processes and at that time Personio was also shifting toward more AI and automation. And so with that, we realized we were going to get a lot of IT tickets. So we had to rethink our approach here. — So what we did was we decided to open the platform to everyone. M — and that was a little bit scary in the beginning. So to do that we decided to pilot it with our people operations team. So with this we got a lot of learnings um especially for the security side of things uh which Rob will cover in a bit but um from I guess the non-technical user side it was a big kind of a gap for them to fill. Uh so we kind of ran the pilot over about three months and as I said a lot of discovery, a lot of learnings um and you're just in the way of the user experience. — So we had to balance between user experience and of course compliance and um yeah so for this we just wanted to make sure people could build with freedom, confidence but also staying within the guard rails uh of our system. So after we kind of got past that stage, — thanks Rob. Sorry buddy. — I apologize.

— Um yeah, we decided to create some content and with that we used the YouTube content that's uh available [clears throat] for everyone and with that we created custom quizzes as well just to make sure that nontechnical users could kind of land with the concepts. Um so far we have 116 participants which is really great perfectly honest with you. I don't think we'd be able to take that many tickets and build that many workflows. So 15 departments are in our project at the moment and like with that we also as I said took the learnings from earlier and placed that into the training itself. So yeah this was a kind of complicated but less uh easy part. Um but we're kind of getting there. I would say it's definitely it's a still a learning kind of a journey for us. — Of course. — Um but overall um we have our office hours every week. Teams are very like excited about the idea of being able to build their own processes and automate. They're also learning and our learning and development team are very excited about all of the upskilling. Um but I guess the main takeaways here is that a small IT team can balance you know a very high influx of users. now and with that as well our security posture is very well managed by Rob which you'll cover very soon um and the thing that all the sea levels love to see is time saved and this is 150 hours give or take at the moment uh per month and that's growing as more and more teams come on board so overall it's uh it's a pretty great journey so far over to you Rob — thank you Jay let's switch places — I stand over here now Thank you.

— Great. So, I'm going to talk a little bit about security and some of the challenges um I had um deploying NA10 within our enterprise. So, one of the first things that I thought about or a lot of people would think about is security. Hopefully, it's one of the main concerns. Um so, in terms of what we've already done with the platform, we've already uh implemented SSO. Um we have project level access so users can um segregate access to credentials. Um we also have uh many other challenges as well though. So what we really needed was to get a little bit deeper in terms of how we have visibility on users and what they're really doing in the workflows because as I say we're rolling this out to many users who may be technical and nontechnical. So that was my primary concern uh when developing a solution. So here you can see an example. Um this is our uh IT security dinosaur workflow. That will become clear in next slide. Um so broadly um I solved this problem uh by using NA10's really useful feature uh which is the integrated security report. Um this is a tool call within the AI agent nodes. Um I segregated credentials and workflows. Um and broadly what's happening here for these workflows is um it's classifying the risk uh based on the security tool output. Um and since the output can be non-deterministic, we're enforcing a strict schema uh via the structured output uh as you see here. So this really gives us um a high level of confidence um and we can use the already integrated uh NA10 security port report which is already part of the tool. So it was really a no-brainer to use this so we can pass all those workflows really understand what users are getting up to if they're doing anything risky. So after we've done that and collected those results and classified that um we'll move on to the next uh stage of the flow which incidentally looks a little bit like a T-Rex. This wasn't intentional. This was completely by accident. Um so the business end of this flow or the dinosaur's mouth which you see is where we um handle critical workflows. So if you find a critical failure or a critical risk within a workflow, we'll deactivate that flow. Um we'll also notify the user and we'll give context based on the security report and say hey you have this risky node or you have for example an unprotected web hook in there. So, we've disabled your flow. We're also as IT um specialists, we're also notified of this as well. Uh the bottom flow is essentially just formatting the results of the report. Um and um passing that on to Dave's dog, which is our seam solution that we use uh across many services uh in person. Um so that brings me neatly on to

observability. Um so within data dog we can build um really comprehensive dashboards that give us a really great view um over NA10 uh event logs so we can really visualize and see what workflows are failing over time um if there's any anomalies as well we can uh craft our alerts uh and we'll be on top of the any issues which might be happening uh in any workflows for example if they're erroring out of control we have full visibility on our credentials as well um if cred entials aren't used in active flows. Um so we can follow up with users and say hey you haven't used this in a long time. Do you want to disable it or remove it in um completely? So that's something which we can manage. And finally the results of our um security audit report. We're classifying risk and we can really visualize and see which workflows are high risk, medium critical or low as well. So in a nutshell, this really helps us um and we've utilized um already existing tools um within NA10 to make sure that we're on top of all our monitoring and logging all kind of nicely nested within our observability stack within data log. Cool. But we're not really finished yet. We're really, as Jay mentioned, we're really at the start of our journey. So in terms of environment management, we really need to separate our concerns. So um that means we in the future we plan to implement two instances um and also enforce source control as well for that so users can happily develop um we can ensure only live or active workflows are pushed to our production instance. Yeah. And uh thanks Rob. And at the moment then we're the next step is automating the reviewer process for um any of the workflows because at the moment we're manually doing it. So we actually sitting with uh people — every week and just going through how we're going to more or less put it uh put it on live. — Um and yeah, that's a lot of time invested from both sides uh that we'd like to automate. So, um, if anyone has any ideas on how to do that, that would be awesome from talking to you a little bit later. Um, but yeah, it's, uh, that's where we're at right now. — Thank you for listening. How many questions? —