If you sell automation software to insurance carriers, MGAs, claims platforms, or insurance distribution SaaS — the regulatory surface area your customers face is unlike any other vertical.
State DOI market conduct examiners have broad subpoena powers. NAIC Model Cybersecurity Law §15 requires 72-hour breach notification to the home state DOI. OFAC SDN violations require IMMEDIATE internal escalation. HIPAA applies to health insurers handling PHI. And if you have UK or EU customers, Solvency II and FCA regulatory returns add a second compliance calendar on top.
When your product's data flows through a cloud automation vendor like Zapier or Make, the examiner's document request doesn't stop at your perimeter. The iPaaS vendor holds copies of every policy data payload, every claims record, every OFAC screening log — outside your legal control. That's a market conduct exam scope expansion your legal team will hear about.
Here are five n8n workflows — self-hosted, with full import-ready JSON — for InsurTech and insurance compliance SaaS vendors.
The InsurTech Regulatory Surface
| Customer Tier | Primary Compliance Obligations |
|---|---|
| ENTERPRISE_INSURER_PLATFORM | NAIC Model Holding Company Act §820 / State DOI exam / HIPAA §164 PHI (health lines) / OFAC SDN / NAIC ORSA |
| MGA_SAAS_VENDOR | NAIC PLMA producer licensing / State DOI delegation filings / E&O coverage docs |
| CLAIMS_MANAGEMENT_SAAS | HIPAA §164 PHI / State prompt payment laws (CA 45d / TX 15d / NY 30d) / DOI market conduct |
| REINSURANCE_ANALYTICS_SAAS | NAIC Schedule F cession logs / Solvency II Art.38 group supervisor notify / treaty confidentiality |
| INSURANCE_DISTRIBUTION_SAAS | NAIC PLMA §11 license renewal (all 50 states) / FINRA for variable products / state appointment filings |
| ACTUARIAL_COMPLIANCE_SAAS | NAIC ORSA Oct 31 deadline / State rate filing (prior approval vs use-and-file) / actuarial opinion privilege |
| INSURTECH_STARTUP | State DOI digital insurance license / MGA appointment / NAIC Model Cybersecurity Law registration |
Fastest Regulatory Clocks
| Event | Notification Deadline | Regulation |
|---|---|---|
| State DOI market conduct exam commences | IMMEDIATE document production | State insurance code (all 50 states) |
| OFAC potential sanctions violation | IMMEDIATE internal escalation; 10-day report | 31 CFR §501.604 |
| HIPAA PHI breach discovered | IMMEDIATE risk assessment; 60d HHS OCR | HITECH §13402 |
| NAIC cybersecurity incident | 72 hours to home state DOI | NAIC Model Cybersecurity Law §15 |
| Solvency II SCR breach | Immediate FCA notification; 2 months to restore | Art.138 Directive 2009/138/EC |
| NAIC ORSA annual report | October 31 to lead state DOI | NAIC ORSA Guidance Manual |
| State rate filing objection | State-specific (typically 30d) | State insurance code |
Compliance Flags Your Platform Should Track
| Flag | What It Triggers |
|---|---|
NAIC_HOLDING_COMPANY_ACT_SUBJECT |
Annual §820 group supervision report workflow |
STATE_DOI_MARKET_CONDUCT_EXAM_SUBJECT |
Exam commencement → document hold + production workflow |
HIPAA_HEALTH_INSURER_PHI_PROCESSOR |
HIPAA §164 PHI pipeline isolation + HITECH breach clock |
OFAC_SDN_SCREENING_REQUIRED |
Real-time SDN screen on every policy issuance |
NAIC_ORSA_SUBJECT |
October 31 ORSA filing → 60d pre-deadline workflow |
FCA_SOLVENCY_II_APPLICABLE |
SFCR annual disclosure + SCR breach monitoring |
SOC2_REQUIRED |
Annual SOC2 Type II audit renewal workflow |
Workflow 1: Tier-Segmented Customer Onboarding Drip
{
"name": "InsurTech Tier-Segmented Customer Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "Webhook \u2014 New Customer Signed Up",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "insurtech-onboard",
"responseMode": "responseNode"
}
},
{
"id": "2",
"name": "Log to Sheets \u2014 Customer DB",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "appendOrUpdate",
"sheetId": "INSURTECH_CUSTOMERS",
"columns": {
"mappingMode": "defineBelow",
"value": {
"customerId": "={{$json.customerId}}",
"companyName": "={{$json.companyName}}",
"customerTier": "={{$json.customerTier}}",
"complianceFlags": "={{$json.complianceFlags.join(',')}}",
"onboardedAt": "={{$now.toISO()}}",
"onboardingStage": "STARTED"
}
}
}
},
{
"id": "3",
"name": "Switch \u2014 Route by Tier",
"type": "n8n-nodes-base.switch",
"parameters": {
"mode": "rules",
"rules": {
"values": [
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "ENTERPRISE_INSURER_PLATFORM"
}
]
},
"outputKey": "enterprise"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "MGA_SAAS_VENDOR"
}
]
},
"outputKey": "mga"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "CLAIMS_MANAGEMENT_SAAS"
}
]
},
"outputKey": "claims"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "REINSURANCE_ANALYTICS_SAAS"
}
]
},
"outputKey": "reinsurance"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "INSURANCE_DISTRIBUTION_SAAS"
}
]
},
"outputKey": "distribution"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "ACTUARIAL_COMPLIANCE_SAAS"
}
]
},
"outputKey": "actuarial"
},
{
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.customerTier}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "INSURTECH_STARTUP"
}
]
},
"outputKey": "startup"
}
]
}
}
},
{
"id": "4",
"name": "Gmail \u2014 Day 0 Welcome (Tier-Specific)",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$json.adminEmail}}",
"subject": "Welcome to [YourPlatform] \u2014 your InsurTech automation environment is ready",
"message": "={{$json.customerTier === 'ENTERPRISE_INSURER_PLATFORM' ? 'Your NAIC Model Holding Company Act \u00a7820 group supervision architecture and state DOI market conduct exam document production pipeline are pre-configured. SOC2 Type II report available in your portal.' : $json.customerTier === 'MGA_SAAS_VENDOR' ? 'Your MGA program data flows are isolated. NAIC Model Act delegation authority logs and state DOI appointment filing timelines are pre-loaded.' : $json.customerTier === 'CLAIMS_MANAGEMENT_SAAS' ? 'Your claims workflow is HIPAA \u00a7164 PHI-aware. State prompt payment law clocks (CA 45d / TX 15d / NY 30d) are pre-configured for your jurisdictions.' : $json.customerTier === 'REINSURANCE_ANALYTICS_SAAS' ? 'Reinsurance treaty data and NAIC Schedule F cession logs stay within your compliance boundary. Solvency II Art.38 group supervisor notification workflows are ready.' : $json.customerTier === 'INSURANCE_DISTRIBUTION_SAAS' ? 'Producer appointment and license expiry workflows are ready. NAIC Producer Licensing Model Act \u00a711 renewal notices are pre-configured for all 50 states.' : $json.customerTier === 'ACTUARIAL_COMPLIANCE_SAAS' ? 'NAIC ORSA annual filing (October 31 deadline) and state rate filing timelines are loaded. Actuarial opinion data stays within your perimeter.' : 'Welcome to your InsurTech automation environment. State DOI filing APIs and NAIC submission endpoints are pre-connected.'}}"
}
},
{
"id": "5",
"name": "Wait \u2014 3 Days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 3,
"unit": "days"
}
},
{
"id": "6",
"name": "Gmail \u2014 Day 3 Setup Milestone",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$json.adminEmail}}",
"subject": "Day 3: Complete your InsurTech compliance pipeline setup",
"message": "Three quick steps to activate your full compliance automation: (1) Connect your state DOI filing portal API. (2) Load your NAIC deadline calendar. (3) Configure your OFAC SDN screening webhook. Your CSM {{$json.csmName}} is available for a 20-minute setup call \u2014 reply to book."
}
},
{
"id": "7",
"name": "Wait \u2014 4 Days",
"type": "n8n-nodes-base.wait",
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "8",
"name": "Gmail \u2014 Day 7 Full Activation",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$json.adminEmail}}",
"subject": "Day 7: Your InsurTech compliance automation is live",
"message": "Your platform is fully activated. This week your automations will: monitor state DOI complaint response windows, track NAIC filing deadlines, screen OFAC SDN lists, and deliver your weekly compliance KPI briefing every Monday 8AM. Reply with any questions."
}
}
]
}
Each carrier, MGA, or distribution platform gets a Day 0 email with the specific compliance context for their tier — NAIC §820 group data boundary for enterprise carriers, HIPAA §164 prompt payment clock exposure for claims platforms, OFAC SDN gap for everyone. CSM handoff at Day 3.
Workflow 2: NAIC/DOI/HIPAA/OFAC Deadline Tracker
{
"name": "NAIC/DOI/HIPAA/OFAC/Solvency II Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Daily 7:00 AM",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 7 * * *"
}
]
}
}
},
{
"id": "2",
"name": "Google Sheets \u2014 Read Compliance Deadlines",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "readRows",
"sheetId": "INSURTECH_DEADLINES",
"filtersUI": {
"values": [
{
"lookupColumn": "status",
"lookupValue": "OPEN"
}
]
}
}
},
{
"id": "3",
"name": "Code \u2014 Classify Urgency",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const today = new Date();\nconst items = $input.all();\nreturn items.map(item => {\n const d = item.json;\n const dl = new Date(d.deadlineDate);\n const daysLeft = Math.ceil((dl - today) / 86400000);\n let urgency;\n if (daysLeft < 0) urgency = 'OVERDUE';\n else if (daysLeft <= 1) urgency = 'CRITICAL';\n else if (daysLeft <= 3) urgency = 'URGENT';\n else if (daysLeft <= 7) urgency = 'WARNING';\n else if (daysLeft <= 14) urgency = 'NOTICE';\n else urgency = 'OK';\n const types = {\n 'STATE_DOI_COMPLAINT_RESPONSE': 'State DOI \u00a7complaint \u2014 10-15biz day response window (state-specific)',\n 'NAIC_CYBERSECURITY_72H': 'NAIC Model Cybersecurity Law \u00a715 \u2014 72h notification to DOI',\n 'HIPAA_PHI_BREACH_60D': 'HIPAA HITECH \u00a713402 \u2014 60d PHI breach notification to HHS OCR',\n 'OFAC_SDN_SELF_REPORT': 'OFAC \u2014 immediate self-report + 10-day report for apparent violations',\n 'NAIC_ORSA_OCT31': 'NAIC ORSA \u00a7iii \u2014 October 31 annual report to lead state DOI',\n 'NAIC_HOLDING_COMPANY_ACT_ANNUAL': 'NAIC Model Act \u00a7820 \u2014 annual group supervision report',\n 'STATE_DOI_RATE_FILING': 'State DOI rate filing \u2014 use/file or prior approval per state',\n 'DOI_EXAM_DOCUMENT_PRODUCTION': 'State DOI market conduct exam \u2014 IMMEDIATE document production',\n 'NAIC_PRODUCER_LICENSE_RENEWAL': 'NAIC PLMA \u00a711 \u2014 state-specific producer license renewal',\n 'SOLVENCY_II_SFCR': 'Solvency II Art.51 \u2014 SFCR annual public disclosure',\n 'FCA_REGULATORY_RETURN': 'FCA SUP 16 \u2014 quarterly/annual regulatory return',\n 'SOC2_TYPE2_RENEWAL': 'SOC2 Type II \u2014 annual audit renewal'\n };\n return { json: { ...d, daysLeft, urgency, deadlineLabel: types[d.deadlineType] || d.deadlineType } };\n}).filter(i => ['OVERDUE','CRITICAL','URGENT','WARNING','NOTICE'].includes(i.json.urgency));\n"
}
},
{
"id": "4",
"name": "IF \u2014 Critical or Overdue",
"type": "n8n-nodes-base.if",
"parameters": {
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.urgency}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "OVERDUE"
},
{
"leftValue": "={{$json.urgency}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "CRITICAL"
},
{
"leftValue": "={{$json.urgency}}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "URGENT"
}
],
"combinator": "or"
}
}
},
{
"id": "5",
"name": "Slack \u2014 #compliance-critical",
"type": "n8n-nodes-base.slack",
"parameters": {
"operation": "post",
"channel": "#compliance-critical",
"text": "={{$json.urgency === 'OVERDUE' ? '\ud83d\udea8' : '\u26a0\ufe0f'}} *{{$json.urgency}}* \u2014 {{$json.deadlineLabel}}\nDays left: {{$json.daysLeft}} | Owner: {{$json.ownerName}} | Entity: {{$json.entityName}}\nDeadline: {{$json.deadlineDate}}"
}
},
{
"id": "6",
"name": "Gmail \u2014 Owner Alert",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$json.ownerEmail}}",
"subject": "={{$json.urgency}}: {{$json.deadlineLabel}} \u2014 {{Math.abs($json.daysLeft)}} day{{Math.abs($json.daysLeft) === 1 ? '' : 's'}} {{$json.daysLeft < 0 ? 'overdue' : 'remaining'}}",
"message": "={{$json.deadlineLabel}}\nEntity: {{$json.entityName}} | Jurisdiction: {{$json.jurisdiction}}\nDeadline: {{$json.deadlineDate}} ({{$json.daysLeft < 0 ? Math.abs($json.daysLeft) + ' days overdue' : $json.daysLeft + ' days remaining'}})\n\nAction required: {{$json.actionRequired}}"
}
},
{
"id": "7",
"name": "Slack \u2014 #compliance-watch",
"type": "n8n-nodes-base.slack",
"parameters": {
"operation": "post",
"channel": "#compliance-watch",
"text": "\ud83d\udccb *{{$json.urgency}}* \u2014 {{$json.deadlineLabel}}\nDays left: {{$json.daysLeft}} | Owner: {{$json.ownerName}}"
}
}
]
}
12 deadline types covering every major InsurTech compliance obligation. Runs daily at 7AM, classifies OVERDUE/CRITICAL/URGENT/WARNING/NOTICE, routes to #compliance-critical or owner email. Includes state DOI exam document production (IMMEDIATE), NAIC Cybersecurity 72h, HIPAA 60d, OFAC 10d, ORSA Oct 31.
Workflow 3: InsurTech API Health Monitor
{
"name": "InsurTech API Health Monitor (DOI/NAIC/OFAC Endpoints)",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "*/15 * * * *"
}
]
}
}
},
{
"id": "2",
"name": "HTTP \u2014 policy_admin_api (NAIC \u00a7820 group data)",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "{{$env.POLICY_ADMIN_API_URL}}/health",
"method": "GET",
"timeout": 8000
}
},
{
"id": "3",
"name": "HTTP \u2014 claims_workflow_api (HIPAA \u00a7164 PHI claims pipeline)",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "{{$env.CLAIMS_API_URL}}/health",
"method": "GET",
"timeout": 8000
}
},
{
"id": "4",
"name": "HTTP \u2014 doi_filing_api (State DOI submission \u2014 rate/form filing)",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "{{$env.DOI_FILING_API_URL}}/health",
"method": "GET",
"timeout": 8000
}
},
{
"id": "5",
"name": "HTTP \u2014 ofac_screening_api (OFAC SDN real-time screening)",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "{{$env.OFAC_API_URL}}/health",
"method": "GET",
"timeout": 8000
}
},
{
"id": "6",
"name": "HTTP \u2014 naic_reporting_api (ORSA/holding co annual filings)",
"type": "n8n-nodes-base.httpRequest",
"parameters": {
"url": "{{$env.NAIC_API_URL}}/health",
"method": "GET",
"timeout": 8000
}
},
{
"id": "7",
"name": "Code \u2014 Aggregate & Flag Failures",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const apis = [\n { name: 'policy_admin_api', note: 'NAIC Model Act \u00a7820 group data \u2014 down = holding company reporting gap' },\n { name: 'claims_workflow_api', note: 'HIPAA \u00a7164 PHI claims \u2014 down = prompt payment law clock exposure' },\n { name: 'doi_filing_api', note: 'State DOI submission \u2014 down = rate/form filing deadline risk' },\n { name: 'ofac_screening_api', note: 'OFAC SDN \u2014 down = sanctions screening gap = potential \u00a76 violation' },\n { name: 'naic_reporting_api', note: 'NAIC ORSA/Oct31 deadline \u2014 down = annual filing gap' }\n];\nconst results = $input.all().map((item, i) => ({\n ...apis[i],\n status: item.json.status || (item.json.statusCode < 300 ? 'UP' : 'DOWN'),\n responseMs: item.json.responseTimeMs || 0,\n checkedAt: new Date().toISOString()\n}));\nconst failed = results.filter(r => r.status !== 'UP');\nconst state = $getWorkflowStaticData('global');\nconst now = Date.now();\nconst notified = failed.map(f => {\n const lastAlert = state[f.name + '_last_alert'] || 0;\n const shouldAlert = (now - lastAlert) > 60 * 60 * 1000;\n if (shouldAlert) state[f.name + '_last_alert'] = now;\n return { ...f, shouldAlert };\n});\nreturn [{ json: { failed: notified.filter(f => f.shouldAlert), total: results.length, allResults: results } }];\n"
}
},
{
"id": "8",
"name": "IF \u2014 Any Down > 60 Min",
"type": "n8n-nodes-base.if",
"parameters": {
"conditions": {
"conditions": [
{
"leftValue": "={{$json.failed.length}}",
"operator": {
"type": "number",
"operation": "gt"
},
"rightValue": 0
}
]
}
}
},
{
"id": "9",
"name": "Slack \u2014 #insurtech-ops CRITICAL",
"type": "n8n-nodes-base.slack",
"parameters": {
"operation": "post",
"channel": "#insurtech-ops",
"text": "\ud83d\udd34 *API DOWN \u2014 InsurTech Compliance Pipeline*\n{{$json.failed.map(f => `\u2022 ${f.name}: ${f.note}`).join('\\n')}}\nDown endpoints risk regulatory clock exposure. Investigate immediately."
}
},
{
"id": "10",
"name": "Google Sheets \u2014 SLA Log",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "appendOrUpdate",
"sheetId": "API_SLA_LOG",
"columns": {
"mappingMode": "defineBelow",
"value": {
"checkedAt": "={{$json.allResults[0].checkedAt}}",
"failedApis": "={{$json.failed.map(f=>f.name).join(',')}}",
"totalDown": "={{$json.failed.length}}",
"allStatuses": "={{JSON.stringify($json.allResults)}}"
}
}
}
}
]
}
Five endpoints checked every 15 minutes — tighter than the 72h NAIC Cybersecurity clock. ofac_screening_api down means SDN screening gap = potential §6 violation on every policy issued while it's down. 1-hour dedup prevents alert fatigue.
Workflow 4: Incident & Regulatory Notification Pipeline
{
"name": "InsurTech Incident & Regulatory Notification Pipeline",
"nodes": [
{
"id": "1",
"name": "Webhook \u2014 Incident Reported",
"type": "n8n-nodes-base.webhook",
"parameters": {
"path": "insurtech-incident",
"responseMode": "responseNode"
}
},
{
"id": "2",
"name": "Code \u2014 Classify & Set SLA",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const d = $json;\nconst slas = {\n 'STATE_DOI_COMPLAINT_RECEIVED': { slaH: 0, label: 'State DOI complaint \u2014 IMMEDIATE triage (10-15biz day response window)', severity: 'CRITICAL', channel: '#compliance-critical' },\n 'NAIC_CYBERSECURITY_INCIDENT': { slaH: 72, label: 'NAIC Model Cybersecurity Law \u00a715 \u2014 72h notification to home state DOI', severity: 'CRITICAL', channel: '#compliance-critical' },\n 'HIPAA_PHI_BREACH_DISCOVERED': { slaH: 0, label: 'HIPAA HITECH \u00a713402 \u2014 IMMEDIATE risk assessment; 60d HHS OCR + individual notify', severity: 'CRITICAL', channel: '#compliance-critical' },\n 'OFAC_POTENTIAL_VIOLATION': { slaH: 0, label: 'OFAC \u2014 IMMEDIATE internal escalation; 10-day report for apparent violations 31 CFR \u00a7501.604', severity: 'CRITICAL', channel: '#compliance-critical' },\n 'DOI_EXAM_COMMENCED': { slaH: 0, label: 'State DOI market conduct exam \u2014 IMMEDIATE document hold + production notice', severity: 'CRITICAL', channel: '#compliance-critical' },\n 'NAIC_ORSA_RESTATEMENT': { slaH: 24*30, label: 'NAIC ORSA restatement \u2014 30d to lead state DOI', severity: 'HIGH', channel: '#compliance-ops' },\n 'SOLVENCY_II_SCR_BREACH': { slaH: 24*2, label: 'Solvency II Art.138 \u2014 2 months to restore SCR (FCA notification IMMEDIATE)', severity: 'HIGH', channel: '#compliance-ops' },\n 'STATE_RATE_FILING_OBJECTION': { slaH: 24*30, label: 'State DOI rate filing objection \u2014 state-specific response window (typically 30d)', severity: 'HIGH', channel: '#compliance-ops' }\n};\nconst sla = slas[d.incidentType] || { slaH: 24, label: d.incidentType, severity: 'MEDIUM', channel: '#compliance-ops' };\nconst deadlineTs = sla.slaH > 0 ? new Date(Date.now() + sla.slaH*3600000).toISOString() : 'IMMEDIATE';\nreturn [{ json: { ...d, ...sla, deadlineTs, loggedAt: new Date().toISOString() } }];\n"
}
},
{
"id": "3",
"name": "Slack \u2014 Route by Channel",
"type": "n8n-nodes-base.slack",
"parameters": {
"operation": "post",
"channel": "={{$json.channel}}",
"text": "={{$json.severity === 'CRITICAL' ? '\ud83d\udea8' : '\u26a0\ufe0f'}} *{{$json.severity}}* \u2014 {{$json.label}}\nEntity: {{$json.entityName}} | Incident ID: {{$json.incidentId}}\nSLA deadline: {{$json.deadlineTs}}\nReporter: {{$json.reportedBy}} | Description: {{$json.description}}"
}
},
{
"id": "4",
"name": "Gmail \u2014 Compliance Officer",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$json.complianceOfficerEmail}}",
"subject": "={{$json.severity}}: {{$json.label}}",
"message": "Incident ID: {{$json.incidentId}}\n{{$json.label}}\n\nEntity: {{$json.entityName}}\nDescription: {{$json.description}}\nSLA deadline: {{$json.deadlineTs}}\nReported by: {{$json.reportedBy}} at {{$json.loggedAt}}\n\nLog in to the compliance portal to begin response workflow."
}
},
{
"id": "5",
"name": "Google Sheets \u2014 Incident Log",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "appendOrUpdate",
"sheetId": "INCIDENT_LOG",
"columns": {
"mappingMode": "defineBelow",
"value": {
"incidentId": "={{$json.incidentId}}",
"incidentType": "={{$json.incidentType}}",
"label": "={{$json.label}}",
"severity": "={{$json.severity}}",
"entityName": "={{$json.entityName}}",
"deadlineTs": "={{$json.deadlineTs}}",
"loggedAt": "={{$json.loggedAt}}",
"status": "OPEN"
}
}
}
}
]
}
Eight incident types: STATE_DOI_COMPLAINT (IMMEDIATE), NAIC_CYBERSECURITY_INCIDENT (72h), HIPAA_PHI_BREACH (IMMEDIATE → 60d HHS), OFAC_POTENTIAL_VIOLATION (IMMEDIATE → 10d report), DOI_EXAM_COMMENCED (IMMEDIATE document hold), and more. Each gets the specific regulatory citation and SLA timestamp logged.
Workflow 5: Weekly InsurTech KPI & Compliance Dashboard
{
"name": "Weekly InsurTech KPI & Compliance Dashboard",
"nodes": [
{
"id": "1",
"name": "Schedule \u2014 Monday 8:00 AM",
"type": "n8n-nodes-base.scheduleTrigger",
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
}
},
{
"id": "2",
"name": "Google Sheets \u2014 Customer Counts by Tier",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "readRows",
"sheetId": "INSURTECH_CUSTOMERS"
}
},
{
"id": "3",
"name": "Google Sheets \u2014 Open Compliance Items",
"type": "n8n-nodes-base.googleSheets",
"parameters": {
"operation": "readRows",
"sheetId": "INCIDENT_LOG",
"filtersUI": {
"values": [
{
"lookupColumn": "status",
"lookupValue": "OPEN"
}
]
}
}
},
{
"id": "4",
"name": "Code \u2014 Build KPI Report",
"type": "n8n-nodes-base.code",
"parameters": {
"jsCode": "const customers = $('Google Sheets \u2014 Customer Counts by Tier').all().map(i => i.json);\nconst incidents = $('Google Sheets \u2014 Open Compliance Items').all().map(i => i.json);\nconst tierCounts = {};\ncustomers.forEach(c => { tierCounts[c.customerTier] = (tierCounts[c.customerTier] || 0) + 1; });\nconst mrr = customers.reduce((s, c) => s + (parseFloat(c.mrrUsd) || 0), 0);\nconst openDoi = incidents.filter(i => i.incidentType && i.incidentType.includes('DOI')).length;\nconst openNaic = incidents.filter(i => i.incidentType && i.incidentType.includes('NAIC')).length;\nconst openHipaa = incidents.filter(i => i.incidentType && i.incidentType.includes('HIPAA')).length;\nconst openOfac = incidents.filter(i => i.incidentType && i.incidentType.includes('OFAC')).length;\nconst state = $getWorkflowStaticData('global');\nconst lastMrr = state.lastMrr || mrr;\nconst mrrWow = lastMrr > 0 ? (((mrr - lastMrr) / lastMrr) * 100).toFixed(1) : '0.0';\nstate.lastMrr = mrr;\nconst html = `<h2>InsurTech Weekly KPI \u2014 ${new Date().toDateString()}</h2>\n<h3>Customers by Tier</h3><ul>\n${Object.entries(tierCounts).map(([t,n]) => `<li>${t}: ${n}</li>`).join('')}\n</ul><p>Total MRR: $${mrr.toLocaleString()} (${mrrWow > 0 ? '+' : ''}${mrrWow}% WoW)</p>\n<h3>Open Compliance Items</h3><ul>\n<li>State DOI: ${openDoi}</li>\n<li>NAIC (Cybersecurity/ORSA/Holding Co): ${openNaic}</li>\n<li>HIPAA PHI: ${openHipaa}</li>\n<li>OFAC: ${openOfac}</li>\n<li>Total open: ${incidents.length}</li>\n</ul>`;\nreturn [{ json: { html, mrr, mrrWow, totalCustomers: customers.length, tierCounts, openDoi, openNaic, openHipaa, openOfac, totalOpen: incidents.length } }];\n"
}
},
{
"id": "5",
"name": "Gmail \u2014 Leadership Briefing",
"type": "n8n-nodes-base.gmail",
"parameters": {
"operation": "send",
"toList": "={{$env.CEO_EMAIL}}",
"ccList": "={{$env.CISO_EMAIL}},={{$env.CCO_EMAIL}}",
"subject": "InsurTech Weekly KPI \u2014 {{new Date().toDateString()}}",
"message": "={{$json.html}}",
"htmlMessage": true
}
},
{
"id": "6",
"name": "Slack \u2014 #insurtech-ops Weekly Summary",
"type": "n8n-nodes-base.slack",
"parameters": {
"operation": "post",
"channel": "#insurtech-ops",
"text": "\ud83d\udcca *InsurTech Weekly KPI*\nCustomers: {{$json.totalCustomers}} | MRR: ${{$json.mrr.toLocaleString()}} ({{$json.mrrWow > 0 ? '+' : ''}}{{$json.mrrWow}}% WoW)\nOpen DOI: {{$json.openDoi}} | Open NAIC: {{$json.openNaic}} | Open HIPAA: {{$json.openHipaa}} | Open OFAC: {{$json.openOfac}}"
}
}
]
}
Monday 8AM briefing: customers by tier, MRR with WoW%, open DOI/NAIC/HIPAA/OFAC incidents. Goes to CEO, CISO, CCO. Uses $getWorkflowStaticData for WoW% without a database.
The Cloud iPaaS Problem for InsurTech
When carrier policy data or PHI claims records flow through Zapier or Make:
| Risk | Why It Matters |
|---|---|
| State DOI exam scope expansion | Examiners issue document subpoenas to third parties — your iPaaS vendor holds copies of policy data |
| NAIC Model Cybersecurity Law §15 | Third-party vendor breach triggers your 72h notification clock — even if the breach is at the iPaaS, not you |
| HIPAA §164.308(b) BAA gap | Cloud iPaaS in PHI pipeline = unauthorized Business Associate unless BAA executed — and a BAA doesn't fix data residency |
| OFAC SDN screening logs | Audit evidence of your screening program must be within your custody — cloud iPaaS logs outside legal control |
| Actuarial opinion privilege | Actuarial data in cloud automation = potentially discoverable by DOI in rate challenge proceedings |
Self-hosted n8n keeps every policy record, claims payload, OFAC screening log, and ORSA calculation within your perimeter. One compliance boundary. One BAA. One audit trail.
Get the complete FlowKit workflow bundle
These five workflows are part of the FlowKit n8n Automation Template Bundle — 14 ready-to-import workflows covering onboarding, compliance tracking, incident pipelines, API monitoring, and KPI reporting. Built for InsurTech and regulated industry SaaS vendors.
Self-host n8n. Keep your regulatory data where it belongs.
Top comments (0)