BioSecurity and AgBio SaaS vendors operate in one of the most tightly regulated sectors in software. A 42 CFR §73.19 select agent theft or loss must be reported to the FBI and CDC/APHIS "immediately" — the statute contains no grace period. A USDA APHIS 7 CFR §340.8 unauthorized release of a regulated article triggers the same immediate clock. An EPA TSCA §14 confidential business information disclosure carries criminal liability of up to one year of imprisonment plus civil penalties of $25,000/day.
Yet most AgBio SaaS vendors run their compliance workflows on cloud iPaaS platforms that sit outside every one of these regulatory boundaries.
This article presents five production-ready n8n automation workflows for BioSecurity and AgBio SaaS vendors. Together they address USDA APHIS 7 CFR Part 340 (GMO/biotech permits), the 42 CFR §73 Federal Select Agent Program, EPA TSCA (15 USC §2601), FDA 21 CFR Part 58 GLP, NIH rDNA Guidelines / IBC registration, and EPA FIFRA biopesticide compliance.
All five workflows are self-hostable. All five include production JSON you can import into n8n today.
The Cloud iPaaS BioSecurity Problem
Before the workflows, here is why architecture matters for this vertical:
42 CFR §73.15 — Select Agent Personnel Access Logs
The Federal Select Agent Program (FSAP) requires that personnel with authorized access to select agents be maintained as a regulatory record. Every system that touches select agent operational data is implicitly part of your access audit trail. A cloud iPaaS platform processing select agent workflow events is an undocumented node in your authorized-access boundary — exactly the kind of gap that FSAP inspectors flag during unannounced facility inspections under 42 CFR §73.8.
EPA TSCA §14 — CBI Confidential Business Information
Premanufacture Notice (PMN) data submitted to EPA is CBI-protected under TSCA §14. Routing PMN-related workflow automation through a cloud iPaaS vendor creates an undocumented processor in your CBI chain — potentially a §14(d) criminal disclosure violation even if no data was intentionally shared. Cloud vendors' SOC 2 reports do not address TSCA §14 CBI obligations because they are not designed to.
NIH rDNA Guidelines — IBC Registration Security Boundary
Institutional Biosafety Committee registration with NIH's Office of Science Policy requires a defined security boundary around recombinant DNA research data. A cloud iPaaS platform processing IBC-related compliance workflows sits outside that boundary by architecture, not by breach. NIH OSP audits of IBC programs look for these documentation gaps.
USDA 7 CFR §340 — GMO Permit Authorized-Access Controls
USDA APHIS Biotechnology Regulatory Services requires permit holders to maintain authorized-access controls over regulated article data. Cloud iPaaS adds an undocumented node to your documented control structure — creating a §340 compliance documentation gap that APHIS inspectors will find.
Self-hosted n8n resolves all four gaps: biosafety compliance data stays inside your defined security perimeter, your access logs reflect only documented personnel, and your regulatory audit trails remain intact.
The Seven Compliance Tiers
| Customer Tier | Fastest Clock | Regulatory Authority |
|---|---|---|
| ENTERPRISE_AGBIO_PLATFORM | SELECT_AGENT_THEFT IMMEDIATE | 42 CFR §73.19 — FBI + CDC/APHIS |
| GENE_EDITING_SAAS_VENDOR | USDA_APHIS_UNAUTHORIZED_RELEASE IMMEDIATE | 7 CFR §340.8 |
| BIOPESTICIDE_SAAS_VENDOR | EPA_FIFRA_ADVERSE_INCIDENT 15 days | FIFRA §6(a)(2) |
| SELECT_AGENT_PROGRAM_SAAS | SELECT_AGENT_INVENTORY_SEMIANNUAL | 42 CFR §73.11 |
| VETERINARY_BIOLOGICS_SAAS | USDA_APHIS_BIOLOGICS_LICENSE annual | 9 CFR Part 113 |
| AGRICULTURAL_BIOTECH_STARTUP | EPA_TSCA_SNUR_NOTICE_90DAY | 15 USC §2601 |
| BIOSAFETY_COMPLIANCE_SAAS | FDA_GLP_INSPECTION_FINDING 24h | 21 CFR §58.35 |
Fastest single clock: SELECT_AGENT_THEFT_LOSS = IMMEDIATE (42 CFR §73.19 — upon discovery, no grace period). USDA_APHIS_UNAUTHORIZED_RELEASE = IMMEDIATE (7 CFR §340.8). These are the two hardest clocks in the biosafety regulatory framework.
Workflow 1 — Tier-Segmented Onboarding Drip
New customer webhook → parse tier + compliance flags → Day 0 welcome with tier-specific regulatory priorities → 4-day wait → Day 4 compliance clock briefing → 4-day wait → Day 8 self-hosting ROI email.
Flag injections on Day 0:
- SELECT_AGENT_PROGRAM_REGISTERED → 42 CFR §73.19 IMMEDIATE clock, semi-annual inventory calendar
- USDA_APHIS_GMO_PERMIT_REQUIRED → 7 CFR §340.8 unauthorized release clock, annual permit renewals
- EPA_TSCA_BIOTECH_SUBJECT → TSCA §14 CBI protection briefing, SNUR 90-day advance clock
- FDA_GLP_21CFR58_APPLICABLE → GLP inspection readiness, QAU annual review
- EPA_FIFRA_BIOPESTICIDE_REGISTRANT → FIFRA §6(a)(2) 15-day adverse incident clock
Day 8 email delivers the four self-hosting procurement arguments that close AgBio enterprise deals: 42 CFR §73.15 access log integrity, EPA TSCA §14 CBI perimeter, NIH rDNA IBC boundary, USDA §340 authorized-access controls.
{
"name": "AgBio SaaS \u2014 Tier-Segmented Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "Customer Created Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
100,
300
],
"parameters": {
"path": "agbio-customer-created",
"httpMethod": "POST"
}
},
{
"id": "2",
"name": "Parse Customer",
"type": "n8n-nodes-base.set",
"position": [
300,
300
],
"parameters": {
"values": {
"string": [
{
"name": "tier",
"value": "={{ $json.body.tier }}"
},
{
"name": "email",
"value": "={{ $json.body.email }}"
},
{
"name": "company",
"value": "={{ $json.body.company }}"
},
{
"name": "selectAgentRegistered",
"value": "={{ $json.body.flags?.includes('SELECT_AGENT_PROGRAM_REGISTERED') ? 'true' : 'false' }}"
},
{
"name": "usda7cfr340",
"value": "={{ $json.body.flags?.includes('USDA_APHIS_GMO_PERMIT_REQUIRED') ? 'true' : 'false' }}"
},
{
"name": "epaTsca",
"value": "={{ $json.body.flags?.includes('EPA_TSCA_BIOTECH_SUBJECT') ? 'true' : 'false' }}"
},
{
"name": "fdaGlp",
"value": "={{ $json.body.flags?.includes('FDA_GLP_21CFR58_APPLICABLE') ? 'true' : 'false' }}"
},
{
"name": "epiFifra",
"value": "={{ $json.body.flags?.includes('EPA_FIFRA_BIOPESTICIDE_REGISTRANT') ? 'true' : 'false' }}"
}
]
}
}
},
{
"id": "3",
"name": "Day 0 \u2014 Send Welcome",
"type": "n8n-nodes-base.emailSend",
"position": [
500,
200
],
"parameters": {
"toEmail": "={{ $json.email }}",
"subject": "=Welcome to {{ $json.company }} \u2014 Your BioSecurity Compliance Priorities",
"text": "={{ 'Welcome to FlowKit.\\n\\n' + ($json.selectAgentRegistered === 'true' ? 'SELECT AGENT PROGRAM REGISTERED (42 CFR \u00a773): Your personnel access logs and inventory records are subject to immediate reporting (42 CFR \u00a773.19 \u2014 notify FBI + CDC/APHIS immediately on theft/loss). We have configured your select agent incident pipeline.\\n\\n' : '') + ($json.usda7cfr340 === 'true' ? 'USDA APHIS 7 CFR PART 340 (GMO PERMITS): Your regulated article permit data requires defined authorized-access boundaries. Any unauthorized release must be reported immediately (7 CFR \u00a7340.8). Field trial permit renewals tracked automatically.\\n\\n' : '') + ($json.epaTsca === 'true' ? 'EPA TSCA BIOTECH (15 USC \u00a72601): Premanufacture Notice (PMN) CBI data is protected under \u00a714 \u2014 routing through undocumented processors creates disclosure risk. SNUR 90-day advance notice clock configured.\\n\\n' : '') + ($json.fdaGlp === 'true' ? 'FDA 21 CFR PART 58 GLP: Non-clinical study records must be retained per \u00a758.195 and accessible during FDA inspection. Inspection readiness monitor active.\\n\\n' : '') + ($json.epiFifra === 'true' ? 'EPA FIFRA BIOPESTICIDE (40 CFR PART 158): Adverse incident reporting mandatory within 15 days (\u00a76(a)(2)). Pesticide registration renewal calendar configured.\\n\\n' : '') + 'Your compliance dashboard: https://app.flowkit.io\\nStore: https://stripeai.gumroad.com\\n\\nFlowKit Team' }}"
}
},
{
"id": "4",
"name": "Day 4 Wait",
"type": "n8n-nodes-base.wait",
"position": [
700,
200
],
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "5",
"name": "Email Day 4",
"type": "n8n-nodes-base.emailSend",
"position": [
900,
200
],
"parameters": {
"toEmail": "={{ $('Parse Customer').item.json.email }}",
"subject": "BioSecurity Compliance Briefing \u2014 Fastest Regulatory Clocks for Your Tier",
"text": "={{ 'Day 4 BioSecurity Compliance Briefing for ' + $('Parse Customer').item.json.company + ':\\n\\n' + ($('Parse Customer').item.json.selectAgentRegistered === 'true' ? '42 CFR \u00a773.19 SELECT AGENT THEFT/LOSS: Notify FBI field office + CDC/APHIS immediately (no defined window \u2014 \"immediately\" in statute). This is the single fastest clock in the biosafety regulatory framework.\\n\\nSELECT AGENT INVENTORY: Semi-annual physical inventory required (42 CFR \u00a773.11). Our deadline tracker fires 30 days before each window.\\n\\n' : '') + ($('Parse Customer').item.json.usda7cfr340 === 'true' ? 'USDA APHIS 7 CFR \u00a7340.8 UNAUTHORIZED RELEASE: Report immediately to APHIS Biotechnology Regulatory Services. \"Immediately\" is defined as upon discovery \u2014 no grace period.\\n\\nUSDA FIELD TRIAL PERMIT RENEWAL: Annual renewals tracked. 90-day advance alerts configured.\\n\\n' : '') + 'Full compliance calendar available in your FlowKit dashboard.' }}"
}
},
{
"id": "6",
"name": "Day 8 Wait",
"type": "n8n-nodes-base.wait",
"position": [
1100,
200
],
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "7",
"name": "Email Day 8",
"type": "n8n-nodes-base.emailSend",
"position": [
1300,
200
],
"parameters": {
"toEmail": "={{ $('Parse Customer').item.json.email }}",
"subject": "Why AgBio SaaS Vendors Self-Host Their Compliance Automation",
"text": "Day 8 \u2014 Why self-hosted n8n is the standard for regulated AgBio SaaS:\n\n1. 42 CFR \u00a773.15 SELECT AGENT ACCESS LOGS: Personnel authorized list is a regulatory record. Cloud iPaaS = undocumented user node in your access audit trail.\n\n2. EPA TSCA \u00a714 CBI PROTECTION: PMN confidential business information routed through cloud iPaaS = potential unauthorized disclosure = criminal \u00a714(d) liability.\n\n3. NIH rDNA GUIDELINES (IBC Registration): IBC registration requires defined security boundary. Cloud iPaaS = gap in that boundary = NIH Office of Science Policy finding.\n\n4. USDA 7 CFR \u00a7340 PERMIT DATA: Regulated article permit data requires authorized-access controls \u2014 cloud iPaaS adds an undocumented node outside your documented control structure.\n\nFull template pack: https://stripeai.gumroad.com\nFlowKit Team"
}
}
],
"connections": {
"Customer Created Webhook": {
"main": [
[
{
"node": "Parse Customer",
"type": "main",
"index": 0
}
]
]
},
"Parse Customer": {
"main": [
[
{
"node": "Day 0 \u2014 Send Welcome",
"type": "main",
"index": 0
}
]
]
},
"Day 0 \u2014 Send Welcome": {
"main": [
[
{
"node": "Day 4 Wait",
"type": "main",
"index": 0
}
]
]
},
"Day 4 Wait": {
"main": [
[
{
"node": "Email Day 4",
"type": "main",
"index": 0
}
]
]
},
"Email Day 4": {
"main": [
[
{
"node": "Day 8 Wait",
"type": "main",
"index": 0
}
]
]
},
"Day 8 Wait": {
"main": [
[
{
"node": "Email Day 8",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 2 — USDA APHIS / EPA TSCA / Select Agent Deadline Tracker
Tracks 12 deadline types on a 6-hour polling schedule; $getWorkflowStaticData deduplication prevents duplicate alerts on the same calendar day.
| Deadline Type | Window | Regulation |
|---|---|---|
| SELECT_AGENT_INVENTORY_SEMIANNUAL | Semi-annual | 42 CFR §73.11 |
| USDA_APHIS_GMO_PERMIT_RENEWAL | Annual | 7 CFR §340 |
| EPA_TSCA_SNUR_NOTICE_90DAY | 90-day advance | 15 USC §2601 |
| NIH_IBC_REGISTRATION_ANNUAL | Annual | NIH rDNA Guidelines |
| USDA_APHIS_VETERINARY_BIOLOGICS_LICENSE_RENEWAL | Annual | 9 CFR §113 |
| EPA_FIFRA_BIOPESTICIDE_REGISTRATION_RENEWAL | Annual | 40 CFR §158 |
| USDA_APHIS_FIELD_TRIAL_PERMIT_ANNUAL | Annual | 7 CFR §340.4 |
| SELECT_AGENT_PROGRAM_INSPECTION_PREP | Unannounced | 42 CFR §73 + 9 CFR §121 |
| EPA_TSCA_ANNUAL_CDR_REPORT | Annual | 15 USC §2607 |
| FDA_GLP_AUDIT_ANNUAL_REVIEW | Annual | 21 CFR §58.35 |
| SOC2_TYPE2_RENEWAL | Annual | AICPA SOC 2 |
| ANNUAL_PENETRATION_TEST | Annual | SOC 2 CC7.1 |
{
"name": "AgBio SaaS \u2014 USDA APHIS / EPA TSCA / Select Agent Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Every 6 Hours",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
100,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "hours",
"hoursInterval": 6
}
]
}
}
},
{
"id": "2",
"name": "Check Deadlines",
"type": "n8n-nodes-base.code",
"position": [
300,
300
],
"parameters": {
"jsCode": "// Static data persists between production executions; n8n saves changes to this object automatically.\nconst store = $getWorkflowStaticData('global');\nif (!store.notified) store.notified = {};\nconst now = new Date();\n// daysUntil is hard-coded in this template.\nconst deadlines = [\n { type: 'SELECT_AGENT_INVENTORY_SEMIANNUAL', label: 'Select Agent Semi-Annual Physical Inventory (42 CFR \u00a773.11)', daysUntil: 14, priority: 'P0', regulation: '42 CFR \u00a773.11 \u2014 2x/year physical inventory of all select agents and toxins' },\n { type: 'USDA_APHIS_GMO_PERMIT_RENEWAL', label: 'USDA APHIS 7 CFR Part 340 GMO/Biotech Permit Renewal', daysUntil: 21, priority: 'P0', regulation: '7 CFR \u00a7340 \u2014 USDA BRS permit for regulated articles; lapse = unlicensed possession' },\n { type: 'EPA_TSCA_SNUR_NOTICE_90DAY', label: 'EPA TSCA SNUR 90-Day Advance Notice (15 USC \u00a72601)', daysUntil: 30, priority: 'P1', regulation: '15 USC \u00a72601 \u2014 SNUR: 90-day advance notice before manufacturing/importing' },\n { type: 'NIH_IBC_REGISTRATION_ANNUAL', label: 'NIH IBC Annual Registration Renewal', daysUntil: 45, priority: 'P1', regulation: 'NIH rDNA Guidelines \u2014 IBC registration renewal with NIH Office of Science Policy' },\n { type: 'USDA_APHIS_VETERINARY_BIOLOGICS_LICENSE_RENEWAL', label: 'USDA APHIS Veterinary Biologics License Renewal (9 CFR \u00a7113)', daysUntil: 60, priority: 'P1', regulation: '9 CFR Part 113 \u2014 USDA APHIS VS biologics license annual renewal' },\n { type: 'EPA_FIFRA_BIOPESTICIDE_REGISTRATION_RENEWAL', label: 'EPA FIFRA Biopesticide Registration Renewal (40 CFR Part 158)', daysUntil: 60, priority: 'P1', regulation: '40 CFR \u00a7158 \u2014 EPA biopesticide registration renewal; lapse = unlawful sale \u00a712(a)' },\n { type: 'USDA_APHIS_FIELD_TRIAL_PERMIT_ANNUAL', label: 'USDA APHIS Field Trial Permit Annual Renewal (7 CFR \u00a7340)', daysUntil: 45, priority: 'P1', regulation: '7 CFR \u00a7340.4 \u2014 field trial notification/permit for GM crops; annual renewal' },\n { type: 'SELECT_AGENT_PROGRAM_INSPECTION_PREP', label: 'FSAP Inspection Readiness (42 CFR \u00a773 + 9 CFR \u00a7121)', daysUntil: 30, priority: 'P1', regulation: '42 CFR \u00a773 \u2014 USDA/CDC unannounced inspections; no advance notice required by statute' },\n { type: 'EPA_TSCA_ANNUAL_CDR_REPORT', label: 'EPA TSCA Chemical Data Reporting (CDR) Submission', daysUntil: 60, priority: 'P1', regulation: '15 USC \u00a72607 \u2014 TSCA CDR: chemical manufacturers report volumes/uses' },\n { type: 'FDA_GLP_AUDIT_ANNUAL_REVIEW', label: 'FDA 21 CFR Part 58 GLP Annual Study Director Review', daysUntil: 30, priority: 'P1', regulation: '21 CFR \u00a758.35 \u2014 QAU annual inspection of in-progress studies' },\n { type: 'SOC2_TYPE2_RENEWAL', label: 'SOC 2 Type II Renewal', daysUntil: 45, priority: 'P2', regulation: 'AICPA SOC 2 \u2014 annual renewal required for enterprise AgBio SaaS contracts' },\n { type: 'ANNUAL_PENETRATION_TEST', label: 'Annual Penetration Test', daysUntil: 60, priority: 'P2', regulation: 'SOC 2 CC7.1' }\n];\nconst alerts = [];\nfor (const d of deadlines) {\n // One alert per deadline type per calendar day (UTC).\n const key = d.type + '_' + now.toISOString().slice(0, 10);\n if (d.daysUntil <= 30 && !store.notified[key]) {\n store.notified[key] = true;\n alerts.push(d);\n }\n}\nreturn alerts.map(a => ({ json: a }));"
}
},
{
"id": "3",
"name": "Has Alert?",
"type": "n8n-nodes-base.if",
"position": [
500,
300
],
"parameters": {
"conditions": {
"string": [
{
"value1": "={{ $json.type }}",
"operation": "isNotEmpty"
}
]
}
}
},
{
"id": "4",
"name": "Send Alert",
"type": "n8n-nodes-base.emailSend",
"position": [
700,
200
],
"parameters": {
"toEmail": "compliance@yourcompany.com",
"subject": "={{ '[' + $json.priority + '] BioSecurity Deadline: ' + $json.label + ' \u2014 ' + $json.daysUntil + ' days' }}",
"text": "={{ 'AGBIO COMPLIANCE DEADLINE\\n\\nDeadline: ' + $json.label + '\\nPriority: ' + $json.priority + '\\nDays Until Due: ' + $json.daysUntil + '\\nRegulation: ' + $json.regulation }}"
}
}
],
"connections": {
"Every 6 Hours": {
"main": [
[
{
"node": "Check Deadlines",
"type": "main",
"index": 0
}
]
]
},
"Check Deadlines": {
"main": [
[
{
"node": "Has Alert?",
"type": "main",
"index": 0
}
]
]
},
"Has Alert?": {
"main": [
[
{
"node": "Send Alert",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
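The Check Deadlines template above hard-codes daysUntil. As an added example (not part of the FlowKit workflow), the function below derives the days remaining from real due dates, applies the same once-per-calendar-day de-duplication, and prunes old keys so the static data does not grow without bound. The `dueDate` field, the `windowDays` and `keepDays` parameters and the sample dates are assumptions; `store` stands in for the object returned by $getWorkflowStaticData('global').

```javascript
// Added example, not FlowKit code. `dueDate`, `windowDays` and `keepDays` are assumed names.
const DAY_MS = 24 * 60 * 60 * 1000;

// Midnight UTC of a Date, so differences come out as whole calendar days.
function utcMidnight(d) {
  return Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate());
}

// Whole days from `now` to an ISO due date; null when the date cannot be parsed.
function daysUntil(dueDateIso, now) {
  const due = new Date(dueDateIso);
  if (Number.isNaN(due.getTime())) return null;
  return Math.round((utcMidnight(due) - utcMidnight(now)) / DAY_MS);
}

// Returns the deadlines to alert on now, plus the types whose due date is unusable.
function collectAlerts(deadlines, store, now, windowDays = 30, keepDays = 7) {
  if (!store.notified) store.notified = {};
  const today = now.toISOString().slice(0, 10);

  // Keys look like TYPE_YYYY-MM-DD; drop those older than keepDays.
  const cutoff = utcMidnight(now) - keepDays * DAY_MS;
  for (const key of Object.keys(store.notified)) {
    if (Date.parse(key.slice(-10) + 'T00:00:00Z') < cutoff) delete store.notified[key];
  }

  const alerts = [];
  const invalid = [];
  for (const d of deadlines) {
    const remaining = daysUntil(d.dueDate, now);
    if (remaining === null) {
      invalid.push(d.type); // surface bad data instead of silently skipping it
      continue;
    }
    if (remaining > windowDays) continue;
    const key = d.type + '_' + today;
    if (store.notified[key]) continue; // already alerted today
    store.notified[key] = true;
    alerts.push({
      ...d,
      daysUntil: remaining,
      status: remaining < 0 ? 'OVERDUE' : 'DUE_SOON',
    });
  }
  return { alerts, invalid };
}

// Constructed sample data: the types come from the table above, the dates are invented.
const SAMPLE_DEADLINES = [
  { type: 'SELECT_AGENT_INVENTORY_SEMIANNUAL', priority: 'P0', dueDate: '2025-03-24' },
  { type: 'USDA_APHIS_GMO_PERMIT_RENEWAL', priority: 'P0', dueDate: '2025-06-01' },
  { type: 'NIH_IBC_REGISTRATION_ANNUAL', priority: 'P1', dueDate: '2025-03-01' },
  { type: 'EPA_TSCA_ANNUAL_CDR_REPORT', priority: 'P1', dueDate: 'TBD' },
];
```

Inside an n8n Code node the return value would be `collectAlerts(...).alerts.map(a => ({ json: a }))`, with the `invalid` list routed to whoever maintains the deadline data.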
Workflow 3 — BioSafety Regulatory API Health Monitor
15-minute polling of five biosafety regulatory portals. 30-minute cooldown via $getWorkflowStaticData prevents alert floods during extended outages.
| Endpoint | DOWN = | Risk Annotation |
|---|---|---|
| USDA APHIS BRS Portal | Permit status gap | 7 CFR §340 unauthorized release reporting capability compromised |
| Select Agent Program API | Inventory records inaccessible | 42 CFR §73.15 FBI/CDC reporting capability at risk |
| EPA TSCA Chemical Registry | SNUR search gap | New chemical status verification unavailable |
| NIH rDNA/IBC Database | IBC status unverifiable | NIH OSP compliance posture gap |
| FDA GLP Portal | Inspection notice gap | 21 CFR §58.35 unannounced GLP inspection readiness compromised |
{
"name": "AgBio SaaS \u2014 BioSafety Regulatory API Health Monitor",
"nodes": [
{
"id": "1",
"name": "Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
100,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 15
}
]
}
}
},
{
"id": "2",
"name": "Check USDA APHIS BRS Portal",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
100
],
"parameters": {
"url": "https://www.aphis.usda.gov/biotechnology/regulatory-framework",
"method": "GET",
"options": {
"timeout": 10000
}
}
},
{
"id": "3",
"name": "Check Select Agent Program",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
250
],
"parameters": {
"url": "https://www.selectagents.gov/sat/list.htm",
"method": "GET",
"options": {
"timeout": 10000
}
}
},
{
"id": "4",
"name": "Check EPA TSCA Registry",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
400
],
"parameters": {
"url": "https://www.epa.gov/tsca-inventory",
"method": "GET",
"options": {
"timeout": 10000
}
}
},
{
"id": "5",
"name": "Check NIH rDNA IBC Database",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
550
],
"parameters": {
"url": "https://osp.od.nih.gov/biotechnology/biosafety-institutional-biosafety-committee-ibc/",
"method": "GET",
"options": {
"timeout": 10000
}
}
},
{
"id": "6",
"name": "Check FDA GLP Portal",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
700
],
"parameters": {
"url": "https://www.fda.gov/science-research/field-science-and-laboratories/good-laboratory-practice-glp-compliance",
"method": "GET",
"options": {
"timeout": 10000
}
}
},
{
"id": "7",
"name": "Evaluate Health",
"type": "n8n-nodes-base.code",
"position": [
600,
400
],
"parameters": {
"jsCode": "// Static data persists between production executions; n8n saves changes to this object automatically.\nconst store = $getWorkflowStaticData('global');\nif (!store.alertedAt) store.alertedAt = {};\nconst now = Date.now();\nconst COOLDOWN = 30 * 60 * 1000;\n// A missing status code is treated as 0, which counts as DOWN.\nconst checks = [\n { name: 'USDA APHIS BRS Portal', status: $('Check USDA APHIS BRS Portal').item?.json?.statusCode || 0, risk: '7 CFR \u00a7340 permit status gap \u2014 unauthorized release reporting capability compromised' },\n { name: 'Select Agent Program', status: $('Check Select Agent Program').item?.json?.statusCode || 0, risk: '42 CFR \u00a773.15 select agent inventory records inaccessible \u2014 FBI/CDC reporting capability at risk' },\n { name: 'EPA TSCA Registry', status: $('Check EPA TSCA Registry').item?.json?.statusCode || 0, risk: 'TSCA SNUR search gap \u2014 new chemical status verification unavailable' },\n { name: 'NIH rDNA IBC Database', status: $('Check NIH rDNA IBC Database').item?.json?.statusCode || 0, risk: 'IBC registration status unverifiable \u2014 NIH OSP compliance posture gap' },\n { name: 'FDA GLP Portal', status: $('Check FDA GLP Portal').item?.json?.statusCode || 0, risk: '21 CFR \u00a758.35 inspection notice gap \u2014 unannounced GLP inspection readiness compromised' }\n];\nconst alerts = [];\nfor (const c of checks) {\n const isDown = c.status < 200 || c.status >= 400;\n const key = c.name;\n // Re-alert only after the 30-minute cooldown has elapsed.\n if (isDown && (!store.alertedAt[key] || now - store.alertedAt[key] > COOLDOWN)) {\n store.alertedAt[key] = now;\n alerts.push({ ...c, down: true });\n } else if (!isDown) {\n // Recovery clears the cooldown so the next outage alerts immediately.\n delete store.alertedAt[key];\n }\n}\nreturn alerts.map(a => ({ json: a }));"
}
},
{
"id": "8",
"name": "Send Alert",
"type": "n8n-nodes-base.emailSend",
"position": [
800,
400
],
"parameters": {
"toEmail": "biosafety-ops@yourcompany.com",
"subject": "={{ '[P0] BioSafety API DOWN: ' + $json.name }}",
"text": "={{ 'BIOSAFETY SYSTEM ALERT\\n\\nSystem: ' + $json.name + '\\nStatus: DOWN\\nRisk: ' + $json.risk + '\\nDetected: ' + new Date().toISOString() }}"
}
}
],
"connections": {
"Every 15 Minutes": {
"main": [
[
{
"node": "Check USDA APHIS BRS Portal",
"type": "main",
"index": 0
},
{
"node": "Check Select Agent Program",
"type": "main",
"index": 0
},
{
"node": "Check EPA TSCA Registry",
"type": "main",
"index": 0
},
{
"node": "Check NIH rDNA IBC Database",
"type": "main",
"index": 0
},
{
"node": "Check FDA GLP Portal",
"type": "main",
"index": 0
}
]
]
},
"Check USDA APHIS BRS Portal": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 0
}
]
]
},
"Check Select Agent Program": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 1
}
]
]
},
"Check EPA TSCA Registry": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 2
}
]
]
},
"Check NIH rDNA IBC Database": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 3
}
]
]
},
"Check FDA GLP Portal": {
"main": [
[
{
"node": "Evaluate Health",
"type": "main",
"index": 4
}
]
]
},
"Evaluate Health": {
"main": [
[
{
"node": "Send Alert",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 4 — BioSecurity Incident Response Pipeline
Webhook → route by incident type → tier-appropriate response with correct regulatory clock and statutory notification chain.
| Incident Type | Priority | Clock | Statutory Authority |
|---|---|---|---|
| SELECT_AGENT_THEFT_LOSS | P0 | IMMEDIATE | 42 CFR §73.19 — FBI + CDC/APHIS |
| USDA_APHIS_UNAUTHORIZED_RELEASE | P0 | IMMEDIATE | 7 CFR §340.8 |
| EPA_TSCA_CBI_DISCLOSURE | P0 | IMMEDIATE | TSCA §14(d) — criminal liability |
| FDA_GLP_INSPECTION_FINDING | P1 | 24h | 21 CFR §58.35(b)(7) |
| NIH_IBC_PROTOCOL_DEVIATION | P1 | 24h | NIH rDNA Guidelines §IV-B-7-a |
| EPA_FIFRA_ADVERSE_INCIDENT | P1 | 15 days | FIFRA §6(a)(2) |
| USDA_APHIS_FIELD_TRIAL_NONCOMPLIANCE | P1 | 72h | 7 CFR §340 |
| GENERAL | P2 | 48h | Triage |
The SELECT_AGENT_THEFT_LOSS handler explicitly outputs the three required contacts with phone numbers: FBI field office + CDC Emergency Operations Center (770-488-7100) + USDA APHIS Emergency (844-820-2234). The statute uses the word "immediately" without defining a window — the handler makes that explicit.
{
"name": "AgBio SaaS \u2014 BioSecurity Incident Response Pipeline",
"nodes": [
{
"id": "1",
"name": "BioSecurity Incident Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
100,
300
],
"parameters": {
"path": "agbio-incident",
"httpMethod": "POST"
}
},
{
"id": "2",
"name": "Route by Incident Type",
"type": "n8n-nodes-base.switch",
"position": [
300,
300
],
"parameters": {
"dataType": "string",
"value1": "={{ $json.incident_type }}",
"rules": {
"rules": [
{
"value2": "SELECT_AGENT_THEFT_LOSS",
"output": 0
},
{
"value2": "USDA_APHIS_UNAUTHORIZED_RELEASE",
"output": 1
},
{
"value2": "EPA_TSCA_CBI_DISCLOSURE",
"output": 2
},
{
"value2": "FDA_GLP_INSPECTION_FINDING",
"output": 3
},
{
"value2": "NIH_IBC_PROTOCOL_DEVIATION",
"output": 4
},
{
"value2": "EPA_FIFRA_ADVERSE_INCIDENT",
"output": 5
},
{
"value2": "USDA_APHIS_FIELD_TRIAL_NONCOMPLIANCE",
"output": 6
}
]
},
"fallbackOutput": 7
}
},
{
"id": "3",
"name": "P0 Select Agent IMMEDIATE",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
50
],
"parameters": {
"toEmail": "biosafety-officer@yourcompany.com,legal@yourcompany.com",
"subject": "[P0 IMMEDIATE] SELECT AGENT THEFT/LOSS \u2014 42 CFR \u00a773.19 \u2014 Notify FBI + CDC/APHIS Now",
"text": "={{ 'CRITICAL: SELECT AGENT THEFT OR LOSS\\n\\n42 CFR \u00a773.19 requires IMMEDIATE notification:\\n1. FBI Field Office (nearest your facility)\\n2. CDC Emergency: 770-488-7100 (CDC-regulated agents)\\n3. USDA APHIS Emergency: 844-820-2234 (APHIS-regulated agents)\\n\\nIncident: ' + $json.description + '\\nAgent: ' + $json.agent_name + '\\nDiscovery: ' + $json.discovery_time + '\\n\\n\"IMMEDIATELY\" = upon discovery. No statutory grace period.' }}"
}
},
{
"id": "4",
"name": "P0 USDA Unauthorized Release IMMEDIATE",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
150
],
"parameters": {
"toEmail": "biosafety-officer@yourcompany.com,regulatory@yourcompany.com",
"subject": "[P0 IMMEDIATE] USDA APHIS Unauthorized Release \u2014 7 CFR \u00a7340.8",
"text": "={{ 'P0: UNAUTHORIZED RELEASE OF REGULATED ARTICLE\\n\\n7 CFR \u00a7340.8: Report IMMEDIATELY to USDA APHIS BRS.\\nContact: BRS.Permits@usda.gov | 844-820-2234\\n\\nRegulated Article: ' + $json.article_name + '\\nPermit: ' + $json.permit_number + '\\nDiscovery: ' + $json.discovery_time }}"
}
},
{
"id": "5",
"name": "P0 EPA TSCA CBI Disclosure IMMEDIATE",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
250
],
"parameters": {
"toEmail": "legal@yourcompany.com,cso@yourcompany.com",
"subject": "[P0 IMMEDIATE] EPA TSCA \u00a714 CBI Disclosure Risk \u2014 Criminal Liability",
"text": "={{ 'P0 TSCA: CBI DISCLOSURE\\n\\nEPA TSCA \u00a714(d): Unauthorized disclosure of CBI = criminal offense (1yr imprisonment + $25,000/day civil penalty).\\n\\nIncident: ' + $json.description + '\\nPMN: ' + ($json.pmn_number || 'unknown') + '\\nDiscovery: ' + $json.discovery_time + '\\n\\nPreserve evidence. Legal hold. Notify EPA TSCA if confirmed. Engage outside counsel.' }}"
}
},
{
"id": "6",
"name": "P1 FDA GLP Inspection Finding 24h",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
350
],
"parameters": {
"toEmail": "qa@yourcompany.com,regulatory@yourcompany.com",
"subject": "[P1 24H] FDA 21 CFR Part 58 GLP Inspection Finding",
"text": "={{ 'P1 GLP: INSPECTION FINDING\\n\\n21 CFR \u00a758.35(b)(7): QAU must respond to inspection findings within correction window.\\n\\nFinding: ' + $json.description + '\\nInspector: ' + ($json.inspector || 'TBD') + '\\nDate: ' + $json.discovery_time + '\\n24h Deadline: ' + new Date(new Date($json.discovery_time).getTime() + 86400000).toISOString() }}"
}
},
{
"id": "7",
"name": "P1 NIH IBC Protocol Deviation 24h",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
450
],
"parameters": {
"toEmail": "biosafety-officer@yourcompany.com,ibc-chair@yourcompany.com",
"subject": "[P1 24H] NIH rDNA Protocol Deviation \u2014 IBC Notification Required",
"text": "={{ 'P1 NIH rDNA: PROTOCOL DEVIATION\\n\\nNIH rDNA Guidelines \u00a7IV-B-7-a: PI must report significant deviations to IBC promptly.\\n\\nDeviation: ' + $json.description + '\\nProtocol: ' + ($json.protocol_number || 'TBD') + '\\nRisk Group: ' + ($json.risk_group || 'TBD') + '\\n\\nIf exposure occurred: notify NIH OSP at OD-OSP@od.nih.gov within 24h.' }}"
}
},
{
"id": "8",
"name": "P1 EPA FIFRA Adverse Incident 15d",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
550
],
"parameters": {
"toEmail": "regulatory@yourcompany.com",
"subject": "={{ '[P1] EPA FIFRA \u00a76(a)(2) Adverse Incident \u2014 15-Day Deadline: ' + new Date(new Date($json.discovery_time).getTime() + 15*86400000).toISOString().slice(0,10) }}",
"text": "={{ 'P1 FIFRA: ADVERSE INCIDENT\\n\\nEPA FIFRA \u00a76(a)(2): Submit within 15 days via EPA Pesticide Submissions Portal.\\n\\nPesticide: ' + ($json.pesticide_name || 'TBD') + '\\nReg #: ' + ($json.reg_number || 'TBD') + '\\nDiscovery: ' + $json.discovery_time + '\\nDeadline: ' + new Date(new Date($json.discovery_time).getTime() + 15*86400000).toISOString().slice(0,10) }}"
}
},
{
"id": "9",
"name": "P1 USDA Field Trial Noncompliance 72h",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
650
],
"parameters": {
"toEmail": "regulatory@yourcompany.com,biosafety-officer@yourcompany.com",
"subject": "[P1 72H] USDA APHIS Field Trial Noncompliance \u2014 7 CFR \u00a7340",
"text": "={{ 'P1 USDA: FIELD TRIAL NONCOMPLIANCE\\n\\n7 CFR Part 340: Notify APHIS BRS within 72h.\\nContact: BRS.Permits@usda.gov\\n\\nViolation: ' + $json.description + '\\nPermit: ' + ($json.permit_number || 'TBD') + '\\nDeadline: ' + new Date(new Date($json.discovery_time).getTime() + 72*3600000).toISOString() }}"
}
},
{
"id": "10",
"name": "P2 General 48h",
"type": "n8n-nodes-base.emailSend",
"position": [
600,
750
],
"parameters": {
"toEmail": "compliance@yourcompany.com",
"subject": "={{ '[P2] BioSecurity Incident: ' + $json.incident_type }}",
"text": "={{ 'P2 BIOSECURITY INCIDENT\\n\\nType: ' + $json.incident_type + '\\nDescription: ' + $json.description + '\\nDiscovery: ' + $json.discovery_time + '\\n\\nAssign owner within 48h.' }}"
}
}
],
"connections": {
"BioSecurity Incident Webhook": {
"main": [
[
{
"node": "Route by Incident Type",
"type": "main",
"index": 0
}
]
]
},
"Route by Incident Type": {
"main": [
[
{
"node": "P0 Select Agent IMMEDIATE",
"type": "main",
"index": 0
}
],
[
{
"node": "P0 USDA Unauthorized Release IMMEDIATE",
"type": "main",
"index": 0
}
],
[
{
"node": "P0 EPA TSCA CBI Disclosure IMMEDIATE",
"type": "main",
"index": 0
}
],
[
{
"node": "P1 FDA GLP Inspection Finding 24h",
"type": "main",
"index": 0
}
],
[
{
"node": "P1 NIH IBC Protocol Deviation 24h",
"type": "main",
"index": 0
}
],
[
{
"node": "P1 EPA FIFRA Adverse Incident 15d",
"type": "main",
"index": 0
}
],
[
{
"node": "P1 USDA Field Trial Noncompliance 72h",
"type": "main",
"index": 0
}
],
[
{
"node": "P2 General 48h",
"type": "main",
"index": 0
}
]
]
}
}
}
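The email nodes above interpolate webhook fields directly and compute deadlines with `new Date($json.discovery_time)`, which throws a RangeError in `toISOString()` when the value is missing or unparseable. As an added example (not part of the FlowKit workflow), the function below is one way to validate and normalize an incident payload before routing: it allow-lists the incident type, rejects bad timestamps, strips control characters from free text, and derives the deadline from the clock table above. The function names, length limits and sample payloads are assumptions.

```javascript
// Added example, not FlowKit code. Priorities and clocks are copied from the incident table above.
const CLOCKS = {
  SELECT_AGENT_THEFT_LOSS: { priority: 'P0', clock: 'IMMEDIATE', hours: 0 },
  USDA_APHIS_UNAUTHORIZED_RELEASE: { priority: 'P0', clock: 'IMMEDIATE', hours: 0 },
  EPA_TSCA_CBI_DISCLOSURE: { priority: 'P0', clock: 'IMMEDIATE', hours: 0 },
  FDA_GLP_INSPECTION_FINDING: { priority: 'P1', clock: '24h', hours: 24 },
  NIH_IBC_PROTOCOL_DEVIATION: { priority: 'P1', clock: '24h', hours: 24 },
  EPA_FIFRA_ADVERSE_INCIDENT: { priority: 'P1', clock: '15 days', hours: 15 * 24 },
  USDA_APHIS_FIELD_TRIAL_NONCOMPLIANCE: { priority: 'P1', clock: '72h', hours: 72 },
  GENERAL: { priority: 'P2', clock: '48h', hours: 48 },
};
const HOUR_MS = 60 * 60 * 1000;

// Replace control characters (including CR/LF) with a space and cap the length,
// so untrusted text cannot add lines to an email subject or flood the body.
function clean(value, maxLen) {
  if (typeof value !== 'string') return '';
  return value.replace(/[\u0000-\u001f\u007f]+/g, ' ').trim().slice(0, maxLen);
}

// `item` is the webhook item; n8n's Webhook node nests the POST payload under `body`.
function normalizeIncident(item, now) {
  const src = item && typeof item === 'object' ? item : {};
  const payload = src.body && typeof src.body === 'object' ? src.body : src;
  const errors = [];

  // Own-property check: names such as "constructor" must not match the table.
  const rawType = typeof payload.incident_type === 'string' ? payload.incident_type : '';
  const known = Object.prototype.hasOwnProperty.call(CLOCKS, rawType);
  const type = known ? rawType : 'GENERAL';

  const discovered = new Date(
    typeof payload.discovery_time === 'string' ? payload.discovery_time : NaN
  );
  if (Number.isNaN(discovered.getTime())) {
    errors.push('discovery_time is missing or not a valid date');
  } else if (discovered.getTime() > now.getTime() + 5 * 60 * 1000) {
    errors.push('discovery_time is in the future');
  }

  const description = clean(payload.description, 2000);
  if (!description) errors.push('description is required');

  if (errors.length) return { ok: false, errors };

  const rule = CLOCKS[type];
  const deadline = new Date(discovered.getTime() + rule.hours * HOUR_MS);
  return {
    ok: true,
    incident: {
      incident_type: type,                 // value the Switch node routes on
      reported_type: clean(rawType, 64),   // what the caller sent, safe to display
      priority: rule.priority,
      clock: rule.clock,
      discovery_time: discovered.toISOString(),
      deadline: deadline.toISOString(),    // IMMEDIATE clocks are due at discovery
      overdue: now.getTime() > deadline.getTime(),
      description,
    },
  };
}

// Constructed sample payload, shaped like the webhook output.
const SAMPLE_INCIDENT = {
  body: {
    incident_type: 'EPA_FIFRA_ADVERSE_INCIDENT',
    discovery_time: '2025-03-01T12:00:00Z',
    description: 'Constructed sample: adverse effect report received from a distributor.',
  },
};
```

Rejected payloads (`ok: false`) should go to a human-reviewed queue rather than being dropped, since a malformed report of a P0 event is still a report.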
Workflow 5 — Weekly BioSecurity KPI Dashboard
Monday 8AM cron → pull KPI data → build structured report → email CEO + CSO, BCC Compliance + Legal.
Report sections:
- Customer portfolio by tier (Enterprise AgBio / Gene Editing / Biopesticide / Select Agent / Vet Biologics / Startups) + MRR
- Biosecurity compliance flags: Select Agent registered, GMO permits active, TSCA SNUR pending, NIH IBC registered, FIFRA biopesticide registered
- Open P0/P1 incidents + incidents resolved this week
- Upcoming deadlines (30-day window): select agent inventory, APHIS permit renewals, TSCA SNUR windows, NIH IBC renewals, GLP study reviews
{
"name": "AgBio SaaS \u2014 Weekly BioSecurity KPI Dashboard",
"nodes": [
{
"id": "1",
"name": "Every Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
100,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
}
},
{
"id": "2",
"name": "Pull KPI Data",
"type": "n8n-nodes-base.httpRequest",
"position": [
300,
300
],
"parameters": {
"url": "https://app.yourcrm.com/api/agbio-kpis",
"method": "GET",
"authentication": "predefinedCredentialType",
"nodeCredentialType": "httpBearerAuth"
}
},
{
"id": "3",
"name": "Build Report",
"type": "n8n-nodes-base.code",
"position": [
500,
300
],
"parameters": {
"jsCode": "const d = $json;\nconst report = [\n 'AGBIO SAAS WEEKLY BIOSECURITY KPI \u2014 ' + new Date().toISOString().slice(0,10),\n '',\n '=== CUSTOMER PORTFOLIO ===',\n 'Enterprise AgBio Platforms: ' + (d.enterprise_agbio || 0),\n 'Gene Editing SaaS: ' + (d.gene_editing || 0),\n 'Biopesticide SaaS: ' + (d.biopesticide || 0),\n 'Select Agent Program SaaS: ' + (d.select_agent || 0),\n 'Veterinary Biologics SaaS: ' + (d.vet_biologics || 0),\n 'AgBio Startups: ' + (d.startups || 0),\n 'Total MRR: $' + (d.mrr || 0).toLocaleString(),\n '',\n '=== BIOSECURITY COMPLIANCE FLAGS ===',\n 'Select Agent Registered Customers: ' + (d.select_agent_registered_count || 0),\n 'USDA APHIS GMO Permits Active: ' + (d.gmo_permits_active || 0),\n 'EPA TSCA SNUR Pending: ' + (d.tsca_snur_pending || 0),\n 'NIH IBC Registered: ' + (d.nih_ibc_registered || 0),\n 'EPA FIFRA Biopesticide Registered: ' + (d.fifra_registered || 0),\n '',\n '=== OPEN INCIDENTS ===',\n 'P0 Incidents Open: ' + (d.p0_open || 0),\n 'P1 Incidents Open: ' + (d.p1_open || 0),\n 'Resolved This Week: ' + (d.resolved_this_week || 0),\n '',\n '=== UPCOMING DEADLINES (30d) ===',\n 'Select Agent Inventory Due: ' + (d.select_agent_inventory_due || 0),\n 'USDA APHIS Permit Renewals: ' + (d.aphis_permit_renewals || 0),\n 'EPA TSCA SNUR Windows: ' + (d.tsca_snur_windows || 0),\n 'NIH IBC Renewals: ' + (d.nih_ibc_renewals || 0),\n 'FDA GLP Study Reviews: ' + (d.glp_study_reviews || 0),\n '',\n 'FlowKit BioSecurity Compliance | https://stripeai.gumroad.com'\n].join('\\n');\nreturn [{ json: { report } }];"
}
},
{
"id": "4",
"name": "Email Leadership",
"type": "n8n-nodes-base.emailSend",
"position": [
700,
300
],
"parameters": {
"toEmail": "ceo@yourcompany.com,cso@yourcompany.com",
"bcc": "compliance@yourcompany.com,legal@yourcompany.com",
"subject": "={{ 'AgBio SaaS Weekly BioSecurity KPI \u2014 ' + new Date().toISOString().slice(0,10) }}",
"text": "={{ $json.report }}"
}
}
],
"connections": {
"Every Monday 8AM": {
"main": [
[
{
"node": "Pull KPI Data",
"type": "main",
"index": 0
}
]
]
},
"Pull KPI Data": {
"main": [
[
{
"node": "Build Report",
"type": "main",
"index": 0
}
]
]
},
"Build Report": {
"main": [
[
{
"node": "Email Leadership",
"type": "main",
"index": 0
}
]
]
}
}
}
Why Self-Host n8n for BioSecurity and AgBio SaaS
| Requirement | Cloud iPaaS | Self-Hosted n8n |
|---|---|---|
| 42 CFR §73.15 personnel access logs | Undocumented node in access audit trail | All execution inside your documented access boundary |
| EPA TSCA §14 CBI protection | PMN data transits undocumented vendor | CBI stays inside your perimeter — no §14 disclosure risk |
| NIH rDNA IBC security boundary | Cloud node sits outside IBC-defined boundary | Runs inside your IBC-documented security perimeter |
| USDA 7 CFR §340 authorized-access controls | Undocumented node in §340 control structure | Documented internal system — no permit gap |
| FSAP unannounced inspections (42 CFR §73.8) | Cloud vendor audit rights unknown | Your Postgres, your audit trail, your inspection response |
The sharpest argument for enterprise deals: FSAP inspects without advance notice (42 CFR §73.8). Inspectors audit access control documentation. A cloud iPaaS vendor processing your select agent compliance workflow events is not on your authorized-access list. It is an undocumented node. That is an inspection finding — not a risk level, not a best practice gap. A finding.
Get All 15 n8n Workflows
These five workflows are part of the FlowKit n8n template pack — 15 production-ready workflows across compliance, AI automation, and business operations.
Get the full pack: stripeai.gumroad.com
Import any workflow: Settings → Import Workflow → paste JSON.