DEV Community

Alex Kane
n8n for RetailTech & eCommerce SaaS Vendors: 5 Automations for PCI DSS v4.0, CCPA, COPPA, CAN-SPAM, and Wayfair Compliance

RetailTech and eCommerce SaaS vendors sit at the intersection of the most enforced payment regulation in the world (PCI DSS), the most litigated state privacy law (CCPA/CPRA), a federal children's privacy rule with nine-figure settlements (COPPA), a federal email law with per-email penalties (CAN-SPAM), a Supreme Court sales tax ruling that rewrote nexus obligations for 45 states (Wayfair), and an accessibility statute whose courthouse filings tripled between 2018 and 2024 (ADA Title III).

None of these compliance obligations are optional. All of them have specific automation patterns that reduce exposure. And several of them become significantly harder to manage when your automation platform itself is a third-party service provider in your cardholder data environment.

The Five Regulations

PCI DSS v4.0 governs how you handle cardholder data. Version 4.0 became fully effective March 31, 2024. Requirement 12.8 mandates a written inventory of all third-party service providers (TPSPs) in your CDE, annual compliance assessments for each, and written agreements documenting responsibility allocation. If your cloud iPaaS receives order webhooks, processes loyalty triggers from payment events, or touches any data flow in your cardholder data environment, it is a TPSP under 12.8 — and the assessment cost runs $5,000–$50,000 per TPSP per year.

CCPA/CPRA gives California consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information. The operational burden: 45-day DSAR response windows, 15-business-day opt-out-of-sale windows, and annual privacy notice reviews. CPRA added sensitive PI opt-out (§1798.121) and the right to correct (§1798.106). For eCommerce platforms, 'sharing' includes sending customer behavior data to advertising platforms — your marketing automation workflows may be in scope.

COPPA (16 CFR §312) requires verifiable parental consent before collecting personal information from children under 13. There is no de minimis threshold and no safe harbor for accidental collection. FTC penalties run $50,120 per violation per day. Recent enforcement: $170M (YouTube), $5.8M (TikTok). If your platform has a kids mode, a loyalty program marketed to families, or any feature that might collect data from under-13 users, COPPA compliance is mandatory.

CAN-SPAM (15 USC §7704) requires commercial email senders to honor opt-out requests within 10 business days. Penalty: $51,744 per email sent to an opted-out address. This is a rolling operational obligation — every opt-out received starts a 10-business-day clock.
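The rolling 10-business-day clock is easy to get wrong when it is approximated with calendar days. The following is an added example (not code from the original post) that computes the actual honor-by date for each opt-out and checks it against the suppression list; it assumes the clock starts the business day after receipt and uses a constructed holiday list that a merchant would maintain themselves.

```javascript
// Added example: holiday-aware CAN-SPAM opt-out clock and suppression-list review.
// Assumptions (not from the post): the 10-business-day window starts the business day
// after receipt, and SAMPLE_HOLIDAYS is a constructed sample, not a complete calendar.

const SAMPLE_HOLIDAYS = new Set(['2024-01-01', '2024-07-04', '2024-11-28', '2024-12-25']);
const MS_PER_DAY = 86400000;

function isoDate(d) {
  return d.toISOString().slice(0, 10);
}

// Midnight UTC of the given instant, so day arithmetic is timezone-independent.
function utcDay(d) {
  return new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
}

function isBusinessDay(d, holidays) {
  const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
  return dow !== 0 && dow !== 6 && !holidays.has(isoDate(d));
}

// Last date by which an opt-out received at `receivedAt` must be honored
// (15 USC 7704(a)(3)(B)(i): within 10 business days of receipt).
function optOutDeadline(receivedAt, businessDays = 10, holidays = SAMPLE_HOLIDAYS) {
  const d = utcDay(receivedAt);
  let remaining = businessDays;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    if (isBusinessDay(d, holidays)) remaining -= 1;
  }
  return d;
}

// Compares pending opt-outs against the suppression list the ESP sync maintains.
// An address past its deadline and still not suppressed is the per-email exposure.
function reviewOptOuts(optOuts, suppressedEmails, now, holidays = SAMPLE_HOLIDAYS) {
  const today = utcDay(now);
  return optOuts.map((o) => {
    const deadline = optOutDeadline(new Date(o.received_at), 10, holidays);
    const row = { email: o.email, received_at: o.received_at, deadline: isoDate(deadline) };
    if (suppressedEmails.has(o.email.toLowerCase())) return { ...row, status: 'SUPPRESSED' };
    const daysLeft = Math.round((deadline - today) / MS_PER_DAY);
    return { ...row, status: daysLeft < 0 ? 'OVERDUE' : 'PENDING', days_left: daysLeft };
  });
}

// Constructed sample input, standing in for ESP opt-out webhook payloads.
const SAMPLE_OPT_OUTS = [
  { email: 'a@example.com', received_at: '2024-11-22T15:04:00Z' }, // Friday before a holiday week
  { email: 'b@example.com', received_at: '2024-11-01T09:00:00Z' },
  { email: 'c@example.com', received_at: '2024-11-20T12:00:00Z' },
];
const SAMPLE_SUPPRESSED = new Set(['c@example.com']);

console.log(JSON.stringify(
  reviewOptOuts(SAMPLE_OPT_OUTS, SAMPLE_SUPPRESSED, new Date('2024-12-02T10:00:00Z')), null, 2));
```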

South Dakota v. Wayfair (2018) gave states the authority to require sales tax registration and collection from remote sellers who cross economic nexus thresholds — typically $100,000 in sales or 200 transactions per year in a given state. 45 states plus DC have enacted economic nexus laws. Q4 and Black Friday can push you over thresholds in new states within a single week. Manual monitoring fails at this scale.

ADA Title III requires eCommerce platforms to be accessible to people with disabilities. Federal courts in the 9th Circuit (Robles v. Domino's), the 11th Circuit (Gil v. Winn-Dixie), and others have held that inaccessible websites violate Title III even without a physical location. DOJ issued technical guidance in March 2022 adopting WCAG 2.1 AA as the accessibility standard. ADA web accessibility lawsuits filed in federal court: over 4,000 in 2023 alone.

The Cloud iPaaS Risk: PCI DSS Requirement 12.8

The sharpest compliance argument for self-hosted automation in RetailTech is not privacy or accessibility — it is PCI DSS Requirement 12.8.

If your cloud iPaaS instance receives any data flow in your cardholder data environment — order confirmation webhooks, loyalty point triggers from payment events, cart abandonment emails triggered by partial order data — it is a third-party service provider under PCI DSS v4.0.

What that means operationally:

  • 12.8.1: Written TPSP inventory. Your iPaaS appears on this list.
  • 12.8.2: Written agreement with the iPaaS vendor acknowledging their responsibility for CHD security.
  • 12.8.4: Annual compliance assessment status monitoring for the iPaaS vendor — does it have a SOC 2? A PCI DSS Attestation of Compliance? If it has neither, that is an auditor finding.
  • 12.8.5: Document which PCI DSS controls the iPaaS manages vs. which you manage vs. which are shared.
  • 12.8.6: Ongoing monitoring when iPaaS changes might affect your security controls.

A cloud iPaaS with no published PCI DSS AoC is an unassessed TPSP in your CDE. Your QSA flags it. You must either get the vendor to produce a compliant AoC or remove them from scope.

Self-hosted n8n inside your PCI-scoped network segment eliminates the TPSP relationship entirely. The iPaaS is part of your own infrastructure. It appears in your internal asset inventory, not in your TPSP register. Your QSA scope contracts. The 12.8.x assessment burden — including the annual external assessment cost — disappears.

This is not a marginal benefit. For a SAQ D merchant running five cloud automation tools in their CDE, the annual TPSP assessment cost can exceed $150,000. Self-hosted n8n eliminates that cost for one of those line items.

Customer Tiers

| Tier | Description | Primary Compliance Driver |
| --- | --- | --- |
| ENTERPRISE_ECOMMERCE_PLATFORM | Salesforce Commerce, SAP Commerce, Magento Enterprise | PCI DSS v4.0 SAQ D + CCPA + ADA |
| MIDMARKET_ECOMMERCE_SAAS | Shopify Plus, BigCommerce Enterprise, Fabric | PCI DSS SAQ A-EP + CCPA + Wayfair |
| RETAIL_ANALYTICS_SAAS | Customer data platforms, loyalty analytics | CCPA/CPRA data sharing rules |
| PAYMENT_ORCHESTRATION_SAAS | Multi-gateway, BNPL, fraud detection | PCI DSS v4.0 full SAQ D |
| RETAIL_MARKETING_SAAS | CDP, email/SMS marketing, loyalty | CAN-SPAM + CCPA sharing opt-out |
| OMNICHANNEL_FULFILLMENT_SAAS | OMS, 3PL integration, inventory | Wayfair nexus + SOC 2 |
| RETAILTECH_STARTUP | Pre-revenue / MVP stage | ADA + CAN-SPAM + basic PCI |

Workflow 1: Tier-Segmented Compliance Onboarding Drip

A webhook fires when a merchant signs up. The Switch node segments by compliance flag — PCI DSS SAQ D merchants receive the Req 12.8 TPSP brief on Day 0, CCPA-subject merchants receive the DSAR clock explanation, COPPA operators receive the VPC mechanism brief, Wayfair-exposed merchants receive the nexus threshold workflow on Day 3.

{
  "name": "RetailTech Tier-Segmented Onboarding Drip",
  "nodes": [
    {
      "id": "wh1",
      "name": "Merchant Signed Up",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [
        240,
        300
      ],
      "parameters": {
        "path": "retailtech-onboarding",
        "responseMode": "responseNode"
      }
    },
    {
      "id": "res1",
      "name": "Respond 200",
      "type": "n8n-nodes-base.respondToWebhook",
      "typeVersion": 1,
      "position": [
        440,
        180
      ],
      "parameters": {
        "responseCode": 200,
        "responseData": "allEntries"
      }
    },
    {
      "id": "sw1",
      "name": "Segment by Compliance Tier",
      "type": "n8n-nodes-base.switch",
      "typeVersion": 3,
      "position": [
        640,
        300
      ],
      "parameters": {
        "mode": "rules",
        "rules": {
          "values": [
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.flags.pci_dss_v4_saq_d_merchant }}",
                    "rightValue": true,
                    "operator": {
                      "type": "boolean",
                      "operation": "true"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "PCI_DSS_SAQ_D"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.flags.ccpa_cpra_subject }}",
                    "rightValue": true,
                    "operator": {
                      "type": "boolean",
                      "operation": "true"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "CCPA_CPRA"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.flags.coppa_under_13_subject }}",
                    "rightValue": true,
                    "operator": {
                      "type": "boolean",
                      "operation": "true"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "COPPA"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.flags.wayfair_nexus_multistate }}",
                    "rightValue": true,
                    "operator": {
                      "type": "boolean",
                      "operation": "true"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "WAYFAIR"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.tier }}",
                    "rightValue": "RETAILTECH_STARTUP",
                    "operator": {
                      "type": "string",
                      "operation": "notEquals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "DEFAULT"
            }
          ]
        },
        "options": {
          "allMatchingOutputs": true
        }
      }
    },
    {
      "id": "em_pci",
      "name": "Day 0 \u2014 PCI DSS Req 12.8 Brief",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        160
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "={{ $json.admin_email }}",
        "subject": "[RetailSaaS] PCI DSS v4.0 Req 12.8 \u2014 Your Third-Party Processor Inventory",
        "emailType": "text",
        "message": "=Hi {{ $json.company_name }},\n\nAs a PCI DSS v4.0 SAQ D merchant, your cloud iPaaS instance is a third-party service provider (TPSP) under Requirement 12.8.\n\nWhat Req 12.8 requires:\n- 12.8.1: Maintain a written list of all TPSPs (your iPaaS must appear here)\n- 12.8.2: Written agreement acknowledging each TPSP's responsibility for CHD\n- 12.8.4: Annual compliance assessment status for each TPSP\n- 12.8.5: Document which PCI DSS controls the TPSP manages vs. you\n\nRisk: If your cloud iPaaS receives order webhooks, processes loyalty triggers from payment events, or touches any cardholder data environment (CDE) boundary, it expands your SAQ scope and requires annual QSA assessment \u2014 typically $5,000\u2013$50,000.\n\nSelf-hosted n8n inside your PCI-scoped network segment eliminates the TPSP relationship entirely. Your SAQ scope contracts. The 12.8.x assessment burden disappears.\n\nYour dedicated compliance brief: https://stripeai.gumroad.com\n\nRetailSaaS Compliance Team"
      }
    },
    {
      "id": "em_ccpa",
      "name": "Day 0 \u2014 CCPA DSR & Opt-Out",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        300
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "={{ $json.admin_email }}",
        "subject": "[RetailSaaS] CCPA/CPRA \u2014 Data Subject Request Obligations (45-Day Clock)",
        "emailType": "text",
        "message": "=Hi {{ $json.company_name }},\n\nAs a CCPA/CPRA-subject business, your eCommerce platform must honor Data Subject Access Requests within 45 days (Cal. Civ. Code \u00a71798.105). CPRA added the right to correction (\u00a71798.106) and sensitive PI opt-out (\u00a71798.121).\n\nKey operational clocks:\n- DSAR response: 45 days + 45-day extension (must notify of extension on day 45)\n- Opt-out of sale/sharing: honor within 15 business days\n- Data deletion: 45 days + 45-day extension; must instruct all service providers\n- Annual privacy notice review: Cal. Civ. Code \u00a71798.130\n\nCloud iPaaS risk: your order enrichment, loyalty, and marketing automation workflows may process consumer PI as 'service providers' under CCPA. If your iPaaS vendor uses that data for any purpose beyond your instructions, they become a 'third party' \u2014 triggering sale/sharing opt-out rights. Contract language alone does not eliminate this risk.\n\nYour CCPA automation workflows: https://stripeai.gumroad.com\n\nRetailSaaS Compliance Team"
      }
    },
    {
      "id": "em_coppa",
      "name": "Day 0 \u2014 COPPA Parental Consent",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        440
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "={{ $json.admin_email }}",
        "subject": "[RetailSaaS] COPPA \u2014 Verifiable Parental Consent Required Before Data Collection",
        "emailType": "text",
        "message": "=Hi {{ $json.company_name }},\n\nAs a COPPA-subject operator (collecting data from children under 13), you must obtain verifiable parental consent (VPC) BEFORE collecting any personal information. FTC enforcement under 16 CFR \u00a7312.5.\n\nOperator obligations:\n- VPC prior to collection (\u00a7312.5): credit card, email to parent, signed form, video conference\n- No behavioral advertising to children (\u00a7312.5(a)(1)(iii))\n- Annual internal audit of VPC mechanisms required\n- Data retention limitation: only as long as reasonably necessary (\u00a7312.10)\n\nFTC enforcement: $50,120 per violation per day. Recent settlements: $170M (YouTube/Google), $5.8M (Musical.ly/TikTok).\n\nCloud iPaaS routing children's personal information = FTC characterizes as potential unauthorized disclosure if vendor's employees access data without VPC-authorized purposes.\n\nYour COPPA compliance workflows: https://stripeai.gumroad.com\n\nRetailSaaS Compliance Team"
      }
    },
    {
      "id": "em_wayfair",
      "name": "Day 3 \u2014 Wayfair Nexus Thresholds",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        580
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "={{ $json.admin_email }}",
        "subject": "[RetailSaaS] Post-Wayfair Sales Tax \u2014 Nexus Threshold Monitoring for 45 States",
        "emailType": "text",
        "message": "=Hi {{ $json.company_name }},\n\nSince South Dakota v. Wayfair (2018), 45 states + DC have enacted economic nexus laws. You owe sales tax registration and collection in any state where you cross the threshold \u2014 typically $100,000 in sales OR 200 transactions in that state.\n\nKey obligation: once you cross a state threshold, you typically have 30\u201390 days to register with that state's revenue department before you must collect and remit.\n\nHigh-volume periods (Black Friday, Q4) can push you over thresholds in new states without warning. Manual monitoring fails at scale.\n\nThis workflow monitors per-state transaction volumes, alerts when you approach 80% of any threshold, and triggers registration reminders when you cross.\n\nNexus automation: https://stripeai.gumroad.com\n\nRetailSaaS Compliance Team"
      }
    },
    {
      "id": "em_default",
      "name": "Day 0 \u2014 ADA & General Welcome",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        720
      ],
      "parameters": {
        "fromEmail": "onboarding@yourretailsaas.com",
        "toEmail": "={{ $json.admin_email }}",
        "subject": "Welcome to RetailSaaS \u2014 Your Compliance Automation Is Ready",
        "emailType": "text",
        "message": "=Hi {{ $json.company_name }},\n\nWelcome. Your compliance automation platform is active.\n\nNote on ADA web accessibility: eCommerce platforms are public accommodations under Title III of the ADA. Federal courts in the 11th Circuit (Winn-Dixie), 9th Circuit (Robles v. Domino's), and others have held that inaccessible websites = ADA violation, even without a physical location. WCAG 2.1 AA is the de facto compliance standard.\n\nWe recommend annual WCAG 2.1 AA audits and automated accessibility monitoring. Your platform's compliance automation includes ADA audit deadline tracking.\n\nSetup guide: https://stripeai.gumroad.com\n\nRetailSaaS Team"
      }
    }
  ],
  "connections": {
    "Merchant Signed Up": {
      "main": [
        [
          {
            "node": "Respond 200",
            "type": "main",
            "index": 0
          },
          {
            "node": "Segment by Compliance Tier",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Segment by Compliance Tier": {
      "main": [
        [
          {
            "node": "Day 0 \u2014 PCI DSS Req 12.8 Brief",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Day 0 \u2014 CCPA DSR & Opt-Out",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Day 0 \u2014 COPPA Parental Consent",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Day 3 \u2014 Wayfair Nexus Thresholds",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Day 0 \u2014 ADA & General Welcome",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 2: PCI DSS v4.0 / CCPA / COPPA / Wayfair Compliance Deadline Tracker

A Code node builds a deadline schedule based on the merchant's compliance flags. Returns 12 deadline types: PCI ASV quarterly scans, PCI annual ROC, CCPA privacy policy annual review, COPPA VPC audit, CAN-SPAM rolling 10-day window, Wayfair quarterly nexus review, ADA annual accessibility audit, SOC 2 renewal. Each deadline includes a self_hosting_note documenting the specific compliance benefit of self-hosted n8n.

{
  "name": "RetailTech Compliance Deadline Tracker",
  "nodes": [
    {
      "id": "wh2",
      "name": "Deadline Check Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [
        240,
        300
      ],
      "parameters": {
        "path": "retailtech-deadline-check",
        "responseMode": "responseNode"
      }
    },
    {
      "id": "res2",
      "name": "Respond 200",
      "type": "n8n-nodes-base.respondToWebhook",
      "typeVersion": 1,
      "position": [
        440,
        180
      ],
      "parameters": {
        "responseCode": 200,
        "responseData": "allEntries"
      }
    },
    {
      "id": "code2",
      "name": "Build Deadline Schedule",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        640,
        300
      ],
      "parameters": {
        "jsCode": "\nconst input = $input.all()[0].json;\nconst now = new Date();\nconst year = now.getFullYear();\nconst merchant_id = input.merchant_id;\n// Passed through to every deadline item so the alert node can address the email.\nconst merchant_admin_email = input.merchant_admin_email || input.admin_email;\nconst flags = input.flags || {};\n\nconst deadlines = [];\n\n// PCI DSS v4.0 deadlines\nif (flags.pci_dss_v4_saq_d_merchant) {\n  deadlines.push({\n    type: 'PCI_DSS_ANNUAL_ROC_QSA',\n    description: 'PCI DSS v4.0 Annual Report on Compliance \u2014 QSA submission',\n    regulation: 'PCI DSS v4.0 Req 12.3.2',\n    due_date: new Date(year + 1, 0, 31).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 0, 31) - now) / 86400000),\n    severity: 'CRITICAL',\n    action: 'Engage QSA, schedule assessment 90+ days in advance. Cloud iPaaS in CDE scope adds TPSP assessment cost.',\n    self_hosting_note: 'Self-hosted n8n inside PCI network segment: eliminates TPSP relationship, reduces QSA scope, saves $5K-$50K/yr in TPSP assessments.'\n  });\n  deadlines.push({\n    type: 'PCI_DSS_SAQ_RENEWAL',\n    description: 'PCI DSS SAQ Annual Self-Assessment',\n    regulation: 'PCI DSS v4.0 Req 9.4.3',\n    due_date: new Date(year + 1, 0, 31).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 0, 31) - now) / 86400000),\n    severity: 'HIGH',\n    action: 'Complete SAQ-D or appropriate SAQ type. Inventory all TPSP relationships under Req 12.8.',\n    self_hosting_note: 'Each cloud iPaaS = one TPSP line item in SAQ 12.8.1 inventory requiring annual assessment (12.8.4).'\n  });\n  const q1Scan = new Date(year, 2, 31);\n  const q2Scan = new Date(year, 5, 30);\n  const q3Scan = new Date(year, 8, 30);\n  const q4Scan = new Date(year, 11, 31);\n  [q1Scan, q2Scan, q3Scan, q4Scan].forEach((d, i) => {\n    deadlines.push({\n      type: 'PCI_DSS_ASV_QUARTERLY_SCAN',\n      description: `PCI DSS Q${i+1} External ASV Vulnerability Scan`,\n      regulation: 'PCI DSS v4.0 Req 11.3.2',\n      due_date: d.toISOString().split('T')[0],\n      days_until: Math.ceil((d - now) / 86400000),\n      severity: 'HIGH',\n      action: 'Run quarterly ASV scan of all Internet-facing IPs in CDE scope. Must pass with no high/critical findings.',\n      self_hosting_note: 'Self-hosted n8n inside private network: removes one potential ASV scan target from external scope.'\n    });\n  });\n  deadlines.push({\n    type: 'PCI_DSS_PENETRATION_TEST_ANNUAL',\n    description: 'PCI DSS Annual Penetration Test + Segmentation Test',\n    regulation: 'PCI DSS v4.0 Req 11.4.1',\n    due_date: new Date(year + 1, 0, 31).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 0, 31) - now) / 86400000),\n    severity: 'HIGH',\n    action: 'Annual pen test of CDE boundary + segmentation controls. Segmentation test required if using network segmentation to reduce scope.',\n    self_hosting_note: 'Self-hosted n8n in isolated segment: segmentation test must verify iPaaS cannot reach CDE \u2014 one test line item per cloud iPaaS instance.'\n  });\n}\n\n// CCPA/CPRA deadlines\nif (flags.ccpa_cpra_subject) {\n  deadlines.push({\n    type: 'CCPA_PRIVACY_POLICY_ANNUAL_REVIEW',\n    description: 'CCPA/CPRA Annual Privacy Notice Review',\n    regulation: 'Cal. Civ. Code \u00a71798.130(a)(5)',\n    due_date: new Date(year + 1, 0, 1).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 0, 1) - now) / 86400000),\n    severity: 'MEDIUM',\n    action: 'Review and update privacy notice annually. Ensure CPRA additions: right to correction (\u00a71798.106), sensitive PI categories, opt-out of automated decision-making.',\n    self_hosting_note: 'Self-hosted n8n: service provider contract does not need \"no cross-context behavioral advertising\" clause for iPaaS because no third-party sharing occurs.'\n  });\n}\n\n// COPPA deadlines\nif (flags.coppa_under_13_subject) {\n  deadlines.push({\n    type: 'COPPA_VPC_MECHANISM_ANNUAL_AUDIT',\n    description: 'COPPA Annual VPC Mechanism Internal Audit',\n    regulation: '16 CFR \u00a7312.5 + FTC Staff Guidance 2013',\n    due_date: new Date(year + 1, 0, 31).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 0, 31) - now) / 86400000),\n    severity: 'HIGH',\n    action: 'Audit all verifiable parental consent mechanisms. Test each VPC method. Review third-party operators receiving children\u2019s data. Document data retention purge schedule.',\n    self_hosting_note: 'Self-hosted n8n: no cloud iPaaS employee accesses children\u2019s personal information \u2014 eliminates FTC unauthorized disclosure risk from cloud personnel access.'\n  });\n}\n\n// CAN-SPAM (14 calendar days approximates the 10-business-day statutory window)\nif (flags.can_spam_sender) {\n  deadlines.push({\n    type: 'CAN_SPAM_UNSUBSCRIBE_10_BUSINESS_DAY',\n    description: 'CAN-SPAM Opt-Out Honor \u2014 Rolling 10-Business-Day Window',\n    regulation: '15 USC \u00a77704(a)(3)(B)(i)',\n    due_date: new Date(now.getTime() + 14 * 86400000).toISOString().split('T')[0],\n    days_until: 14,\n    severity: 'HIGH',\n    action: 'Honor all opt-out requests within 10 business days. Automate opt-out list sync across all ESP platforms. Do not send marketing email to opted-out addresses for 30+ days after opt-out.',\n    self_hosting_note: 'n8n workflow can automate real-time opt-out sync from ESP webhook to suppress list \u2014 eliminates 10-day clock risk.'\n  });\n}\n\n// Wayfair nexus (due on the first day of the next calendar quarter)\nif (flags.wayfair_nexus_multistate) {\n  deadlines.push({\n    type: 'WAYFAIR_NEXUS_QUARTERLY_REVIEW',\n    description: 'Economic Nexus Threshold Monitoring \u2014 Quarterly State-by-State Review',\n    regulation: 'South Dakota v. Wayfair 585 US ___ (2018); 45-state economic nexus laws',\n    due_date: new Date(year, Math.floor((now.getMonth() / 3) + 1) * 3, 1).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year, Math.floor((now.getMonth() / 3) + 1) * 3, 1) - now) / 86400000),\n    severity: 'MEDIUM',\n    action: 'Query transaction database for per-state sales count and dollar volume. Flag any state approaching $100K or 200-transaction threshold. Pre-register in states approaching 80% of threshold.',\n    self_hosting_note: 'n8n workflow queries your Postgres order DB directly for per-state nexus calculation \u2014 no CHD, no external API, pure internal analytics.'\n  });\n}\n\n// ADA accessibility (applies to every merchant, no flag required)\ndeadlines.push({\n  type: 'ADA_WEB_ACCESSIBILITY_AUDIT_ANNUAL',\n  description: 'ADA Title III / WCAG 2.1 AA Annual Accessibility Audit',\n  regulation: 'ADA Title III 42 USC \u00a712181 + WCAG 2.1 AA (DOJ March 2022 guidance)',\n  due_date: new Date(year + 1, 3, 1).toISOString().split('T')[0],\n  days_until: Math.ceil((new Date(year + 1, 3, 1) - now) / 86400000),\n  severity: 'MEDIUM',\n  action: 'Annual WCAG 2.1 AA audit of all checkout flows, product pages, account management. Remediate within 60 days. Document remediation for litigation defense.',\n  self_hosting_note: 'n8n automation runs scheduled axe-core API scans, logs violations to Postgres, sends weekly accessibility regression reports to CTO.'\n});\n\n// SOC2\nif (flags.soc2_required) {\n  deadlines.push({\n    type: 'SOC2_TYPE2_RENEWAL',\n    description: 'SOC 2 Type II Annual Renewal',\n    regulation: 'AICPA TSC 2017 CC6.1 / CC9.2 (vendor management)',\n    due_date: new Date(year + 1, 2, 31).toISOString().split('T')[0],\n    days_until: Math.ceil((new Date(year + 1, 2, 31) - now) / 86400000),\n    severity: 'HIGH',\n    action: 'Renew SOC 2 Type II. Ensure cloud iPaaS appears in CC9.2 vendor risk assessment with evidence of compliance. Cloud iPaaS with no SOC 2 report = auditor finding.',\n    self_hosting_note: 'Self-hosted n8n: covered under your own SOC 2 boundary \u2014 no CC9.2 external vendor assessment required. Eliminates one vendor risk line item per audit.'\n  });\n}\n\n// Attach merchant identity to each item; the alert node reads merchant_admin_email from $json.\nreturn deadlines.map(d => ({ json: { ...d, merchant_id, merchant_admin_email } }));\n"
      }
    },
    {
      "id": "notif2",
      "name": "Alert \u2014 Upcoming Deadlines",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        880,
        300
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "={{ $json.merchant_admin_email }}",
        "subject": "=[RetailSaaS Compliance] {{ $json.type }} \u2014 {{ $json.days_until }} days",
        "emailType": "text",
        "message": "=COMPLIANCE DEADLINE\n\nType: {{ $json.type }}\nDue: {{ $json.due_date }} ({{ $json.days_until }} days)\nSeverity: {{ $json.severity }}\nRegulation: {{ $json.regulation }}\n\n{{ $json.description }}\n\nRequired action:\n{{ $json.action }}\n\nSelf-hosted n8n advantage:\n{{ $json.self_hosting_note }}\n\nAutomation workflows: https://stripeai.gumroad.com"
      }
    }
  ],
  "connections": {
    "Deadline Check Webhook": {
      "main": [
        [
          {
            "node": "Respond 200",
            "type": "main",
            "index": 0
          },
          {
            "node": "Build Deadline Schedule",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Build Deadline Schedule": {
      "main": [
        [
          {
            "node": "Alert \u2014 Upcoming Deadlines",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
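The WAYFAIR_NEXUS_QUARTERLY_REVIEW action above says to query per-state sales and transaction counts and flag states at 80% of a threshold. The following is an added example (not code from the original post) of that calculation over constructed order rows. It assumes the default $100,000 / 200-transaction "either" rule for every state unless an override is supplied, and it goes one step beyond the post by supporting states whose statute requires both legs to be met (the override values shown are illustrative only; verify each state's current rule).

```javascript
// Added example: per-state economic nexus review of the kind the deadline tracker
// describes. Orders are assumed to be plain rows already pulled from the order DB;
// no cardholder data is involved. Threshold overrides are constructed samples.

const DEFAULT_THRESHOLD = { sales: 100000, transactions: 200, rule: 'or' };
const APPROACH_RATIO = 0.8; // the "80% of any threshold" alert level from the Day 3 email

// Sum dollar volume and order count per ship-to state. Malformed rows are skipped
// rather than counted, so a bad import cannot push a state over a threshold.
function aggregateByState(orders) {
  const totals = new Map();
  for (const o of orders) {
    const state = typeof o.ship_state === 'string' ? o.ship_state.trim().toUpperCase() : '';
    if (state.length !== 2 || typeof o.total !== 'number' || !(o.total >= 0)) continue;
    const t = totals.get(state) || { sales: 0, transactions: 0 };
    t.sales += o.total;
    t.transactions += 1;
    totals.set(state, t);
  }
  return totals;
}

// Ratio of the state's volume to its threshold. 'or' states trip on either leg, so the
// larger ratio governs; 'and' states need both legs, so the smaller ratio governs.
function nexusRatio(t, threshold) {
  const salesRatio = t.sales / threshold.sales;
  const txRatio = t.transactions / threshold.transactions;
  return threshold.rule === 'and' ? Math.min(salesRatio, txRatio) : Math.max(salesRatio, txRatio);
}

function classify(ratio) {
  if (ratio >= 1) return 'CROSSED';
  if (ratio >= APPROACH_RATIO) return 'APPROACHING';
  return 'OK';
}

const ACTIONS = {
  CROSSED: 'Register with the state revenue department and begin collecting',
  APPROACHING: 'Prepare registration; re-check weekly during high-volume periods',
  OK: 'None',
};

// Builds the review rows, highest threshold percentage first. `overrides` maps a state
// code to a partial threshold ({ sales, transactions, rule }) for non-default states.
function nexusReport(orders, overrides = {}) {
  const rows = [];
  for (const [state, t] of aggregateByState(orders)) {
    const threshold = { ...DEFAULT_THRESHOLD, ...(overrides[state] || {}) };
    const ratio = nexusRatio(t, threshold);
    const status = classify(ratio);
    rows.push({
      state,
      sales: Math.round(t.sales * 100) / 100,
      transactions: t.transactions,
      threshold_pct: Math.round(ratio * 100),
      status,
      action: ACTIONS[status],
    });
  }
  return rows.sort((a, b) => b.threshold_pct - a.threshold_pct);
}

// Constructed sample orders: CA near the dollar leg, TX over the transaction leg,
// NV well under, plus two malformed rows that must be ignored.
function constructedOrders() {
  const orders = [
    { order_id: 'c1', ship_state: 'CA', total: 45000 },
    { order_id: 'c2', ship_state: 'CA', total: 40000 },
    { order_id: 'c3', ship_state: 'CA', total: 10000 },
    { order_id: 'n1', ship_state: 'NV', total: 500 },
    { order_id: 'bad1', ship_state: '', total: 99999 },    // no state: skipped
    { order_id: 'bad2', ship_state: 'NV', total: 'free' }, // non-numeric total: skipped
  ];
  for (let i = 0; i < 210; i++) orders.push({ order_id: `t${i}`, ship_state: 'tx', total: 10 });
  for (let i = 0; i < 120; i++) orders.push({ order_id: `y${i}`, ship_state: 'NY', total: 100 });
  return orders;
}

// Illustrative override only: a state that requires BOTH legs before nexus attaches.
const CONSTRUCTED_OVERRIDES = { NY: { sales: 500000, transactions: 100, rule: 'and' } };

console.log(JSON.stringify(nexusReport(constructedOrders(), CONSTRUCTED_OVERRIDES), null, 2));
```

In an n8n Code node the same rows would be returned as `rows.map(r => ({ json: r }))` and fed to the alert email.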

Workflow 3: RetailTech API Health Monitor

Runs every 15 minutes against five endpoints: PCI DSS QSA portal, CCPA DSAR intake, payment processor webhook, Wayfair nexus threshold monitor, ADA accessibility scanner. Uses $getWorkflowStaticData for 3-hour deduplication — no repeated alerts for the same outage. Fires email alert on first failure per 3-hour window.

{
  "name": "RetailTech API Health Monitor",
  "nodes": [
    {
      "id": "sch3",
      "name": "Every 15 Minutes",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1,
      "position": [
        240,
        300
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 15
            }
          ]
        }
      }
    },
    {
      "id": "code3",
      "name": "Check Endpoints",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        460,
        300
      ],
      "parameters": {
        "jsCode": "\nconst staticData = $getWorkflowStaticData('global');\nconst lastAlerted = staticData.lastAlerted || {};\n\n// Endpoint URLs come from n8n's $env (the Code node does not expose process.env).\nconst endpoints = [\n  { id: 'pci_dss_qsa_portal', url: 'https://www.pcisecuritystandards.org/assessors_and_solutions', label: 'PCI DSS QSA Portal', regulation: 'PCI DSS v4.0 Req 12.3.2', alert_code: 'PCI_DSS_QSA_PORTAL_DOWN' },\n  { id: 'ccpa_dsar_portal', url: $env.CCPA_DSAR_INTAKE_URL || 'https://yourretailsaas.com/privacy/dsar', label: 'CCPA DSAR Intake Portal', regulation: 'Cal. Civ. Code \u00a71798.105(b)', alert_code: 'CCPA_DSAR_INTAKE_FAILURE' },\n  { id: 'payment_processor_webhook', url: $env.PAYMENT_PROCESSOR_HEALTH_URL || 'https://api.yourpaymentprocessor.com/v1/health', label: 'Payment Processor Webhook', regulation: 'PCI DSS v4.0 Req 6.4.1 + CHD flow integrity', alert_code: 'PAYMENT_PROCESSOR_WEBHOOK_FAILURE' },\n  { id: 'wayfair_nexus_api', url: $env.NEXUS_MONITORING_URL || 'https://nexus-api.yourretailsaas.com/health', label: 'Wayfair Nexus Threshold Monitor', regulation: 'South Dakota v. Wayfair \u2014 45-state nexus obligations', alert_code: 'NEXUS_MONITORING_FAILURE' },\n  { id: 'ada_scanner_api', url: $env.ADA_SCANNER_URL || 'https://accessibility-api.yourretailsaas.com/health', label: 'ADA Accessibility Scanner API', regulation: 'ADA Title III / WCAG 2.1 AA', alert_code: 'ADA_SCANNER_OUTAGE' }\n];\n\nconst now = Date.now();\nconst DEDUP_WINDOW = 3 * 60 * 60 * 1000; // 3h: one alert per endpoint per window\n\nconst alerts = [];\nfor (const ep of endpoints) {\n  const lastAlert = lastAlerted[ep.id] || 0;\n  if (now - lastAlert < DEDUP_WINDOW) continue;\n\n  try {\n    const resp = await fetch(ep.url, { method: 'GET', signal: AbortSignal.timeout(8000) });\n    if (!resp.ok) {\n      lastAlerted[ep.id] = now;\n      alerts.push({ ...ep, status: resp.status, error: `HTTP ${resp.status}`, ts: new Date().toISOString() });\n    }\n  } catch (e) {\n    // Network error or 8s timeout counts as an outage\n    lastAlerted[ep.id] = now;\n    alerts.push({ ...ep, status: 0, error: e.message, ts: new Date().toISOString() });\n  }\n}\n\nstaticData.lastAlerted = lastAlerted;\n// The ok item carries no alert_code, so the Filter node drops it.\nreturn alerts.length ? alerts.map(a => ({ json: a })) : [{ json: { status: 'ok', ts: new Date().toISOString() } }];\n"
      }
    },
    {
      "id": "filter3",
      "name": "Alerts Only",
      "type": "n8n-nodes-base.filter",
      "typeVersion": 2,
      "position": [
        680,
        300
      ],
      "parameters": {
        "conditions": {
          "options": {
            "caseSensitive": false,
            "leftValue": "",
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "leftValue": "={{ $json.alert_code }}",
              "rightValue": "",
              "operator": {
                "type": "string",
                "operation": "notEmpty"
              }
            }
          ]
        }
      }
    },
    {
      "id": "em3",
      "name": "Send Health Alert",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        900,
        300
      ],
      "parameters": {
        "fromEmail": "alerts@yourretailsaas.com",
        "toEmail": "devops@yourretailsaas.com",
        "subject": "=[RETAILTECH ALERT] {{ $json.alert_code }} \u2014 {{ $json.label }} DOWN",
        "emailType": "text",
        "message": "=RETAIL COMPLIANCE SYSTEM ALERT\n\nAlert: {{ $json.alert_code }}\nEndpoint: {{ $json.label }}\nURL: {{ $json.url }}\nError: {{ $json.error }}\nRegulation: {{ $json.regulation }}\nTime: {{ $json.ts }}\n\nNote: {{ $json.label }} failure may block compliance workflow execution. Investigate immediately.\n\nMonitor: https://stripeai.gumroad.com"
      }
    }
  ],
  "connections": {
    "Every 15 Minutes": {
      "main": [
        [
          {
            "node": "Check Endpoints",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check Endpoints": {
      "main": [
        [
          {
            "node": "Alerts Only",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Alerts Only": {
      "main": [
        [
          {
            "node": "Send Health Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 4: Incident Response Pipeline

A webhook receives incident events and a Switch node routes each one by incident_type to a handler that emails the accountable owner with the clock that has just started. PCI_DSS_BREACH invokes the PCI DSS v4.0 Requirement 12.10.1 incident response plan (immediate notification of the acquirer and processor, who coordinate the card brand programs); CCPA_DSR_REQUEST starts the 45-day response clock; CCPA_DATA_BREACH starts California's consumer breach notification process, which Cal. Civ. Code §1798.82 requires "in the most expedient time possible and without unreasonable delay" (the 30-day figure in the node label is an internal SLA, not a statutory limit); COPPA_UNAUTHORIZED_COLLECTION flags FTC enforcement exposure for immediate legal review; ADA_COMPLAINT opens a WCAG 2.1 AA remediation ticket (the 60-day label is likewise an internal target); WAYFAIR_NEXUS_CROSSED triggers per-state registration deadline calculation; CAN_SPAM_VIOLATION starts the 10-business-day opt-out clock.

Two checks before you import this. First, the webhook path is reachable by anyone who can route to the n8n host, and every branch pages a senior owner, so protect it with n8n's Header Auth (or equivalent) and treat the token like any other production secret; an unauthenticated incident webhook is a free way to flood your CTO and legal team with fabricated P0 incidents. Second, wire the Switch's catch-all GENERAL output to a triage mailbox and never to a regulation-specific handler, so an unknown incident_type is acknowledged and looked at rather than, for example, delivered to marketing as an opt-out request.

{
  "name": "RetailTech Incident Response Pipeline",
  "nodes": [
    {
      "id": "wh4",
      "name": "Incident Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [
        240,
        300
      ],
      "parameters": {
        "path": "retailtech-incident",
        "authentication": "headerAuth",
        "responseMode": "responseNode"
      }
    },
    {
      "id": "res4",
      "name": "Respond 202",
      "type": "n8n-nodes-base.respondToWebhook",
      "typeVersion": 1,
      "position": [
        440,
        180
      ],
      "parameters": {
        "responseCode": 202,
        "responseData": "allEntries"
      }
    },
    {
      "id": "sw4",
      "name": "Route by Incident Type",
      "type": "n8n-nodes-base.switch",
      "typeVersion": 3,
      "position": [
        640,
        300
      ],
      "parameters": {
        "mode": "rules",
        "rules": {
          "values": [
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "PCI_DSS_BREACH",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "PCI_BREACH"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "CCPA_DSR_REQUEST",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "CCPA_DSR"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "CCPA_DATA_BREACH",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "CCPA_BREACH"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "COPPA_UNAUTHORIZED_COLLECTION",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "COPPA_VIOLATION"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "ADA_COMPLAINT",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "ADA_COMPLAINT"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "WAYFAIR_NEXUS_CROSSED",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "NEXUS_CROSSED"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "CAN_SPAM_VIOLATION",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "CAN_SPAM"
            },
            {
              "conditions": {
                "options": {
                  "caseSensitive": false,
                  "leftValue": "",
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "leftValue": "={{ $json.incident_type }}",
                    "rightValue": "",
                    "operator": {
                      "type": "string",
                      "operation": "notEmpty"
                    }
                  }
                ]
              },
              "renameOutput": true,
              "outputKey": "GENERAL"
            }
          ]
        }
      }
    },
    {
      "id": "em_pci_breach",
      "name": "PCI Breach \u2014 IMMEDIATE P2P + 24h Acquirer",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        60
      ],
      "parameters": {
        "fromEmail": "incident@yourretailsaas.com",
        "toEmail": "cto@yourretailsaas.com",
        "subject": "=[P0 PCI BREACH] IMMEDIATE: Notify Acquirer and Processor, Card Brand Clocks Running ({{ $json.incident_id }})",
        "emailType": "text",
        "message": "=P0 INCIDENT: PCI_DSS_BREACH\n\nINCIDENT ID: {{ $json.incident_id }}\nMerchant: {{ $json.merchant_id }}\nDetected: {{ $json.detected_at }}\nDescription: {{ $json.description }}\n\nREQUIRED ACTIONS (execute the PCI DSS v4.0 Req 12.10.1 incident response plan; the clock is running):\n1. IMMEDIATE: Notify the acquiring bank(s) and payment processor through the contacts named in the IR plan. The acquirer coordinates with the card brands, whose programs (Visa What To Do If Compromised, Mastercard Account Data Compromise) set their own reporting deadlines; confirm them with the acquirer today.\n2. CONTAIN: Isolate the affected network segment; rotate or revoke exposed credentials, API keys and certificates.\n3. PRESERVE: Keep all logs and volatile evidence. Do not wipe, rebuild or restart affected systems until forensic images are taken; the acquirer or card brand decides whether a PCI Forensic Investigator (PFI) must be engaged.\n4. DOCUMENT: Start the incident timeline now; it feeds the PFI report and the Req 12.10.6 lessons-learned update to the plan.\n\nIncident documentation: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_ccpa_dsr",
      "name": "CCPA DSR \u2014 45-Day Clock Starts",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        180
      ],
      "parameters": {
        "fromEmail": "privacy@yourretailsaas.com",
        "toEmail": "dpo@yourretailsaas.com",
        "subject": "=[CCPA DSR] 45-Day Response Clock \u2014 {{ $json.consumer_email }}",
        "emailType": "text",
        "message": "=CCPA DATA SUBJECT REQUEST RECEIVED\n\nConsumer: {{ $json.consumer_email }}\nRequest Type: {{ $json.request_type }}\nReceived: {{ $json.received_at }}\nResponse Due: {{ $json.response_deadline }} (45 calendar days from receipt, Cal. Civ. Code \u00a71798.130(a)(2)(A))\n\nReminder: the 45-day period may be extended once by up to 45 additional days when reasonably necessary, but only if the consumer is told of the extension and the reason within the first 45 days.\nVerify the requester's identity before disclosing, correcting or deleting anything: an access or deletion request from an unverified party is an attack on the consumer's data, not a compliance task.\n\nAssigned to: {{ $json.assigned_to }}\n\nPrivacy workflow: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_ccpa_breach",
      "name": "CCPA Breach \u2014 30-Day Notification Window",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        300
      ],
      "parameters": {
        "fromEmail": "incident@yourretailsaas.com",
        "toEmail": "cpo@yourretailsaas.com",
        "subject": "[CCPA BREACH] Consumer Notification Required: Cal. Civ. Code \u00a71798.82",
        "emailType": "text",
        "message": "=CALIFORNIA DATA BREACH EVENT\n\nBreach Type: {{ $json.breach_type }}\nConsumers Affected: {{ $json.affected_count }}\nData Categories: {{ $json.data_categories }}\nDiscovered: {{ $json.discovered_at }}\n\nCal. Civ. Code \u00a71798.82(a): notify affected California residents in the most expedient time possible and without unreasonable delay. The statute sets no fixed day count; the 30-day label on this node is an internal target, not the legal limit.\n\u00a71798.82(f): if a single breach requires notifying more than 500 California residents, submit a sample copy of the notice to the Attorney General.\n\u00a71798.82(b): a business that maintains data it does not own (e.g. a service provider) must notify the data owner immediately following discovery.\nCCPA \u00a71798.150: a breach of nonencrypted, nonredacted personal information caused by a failure to maintain reasonable security exposes the business to a private right of action with statutory damages per consumer per incident.\n\nBreach response: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_coppa",
      "name": "COPPA Violation \u2014 IMMEDIATE FTC Referral Risk",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        420
      ],
      "parameters": {
        "fromEmail": "incident@yourretailsaas.com",
        "toEmail": "legal@yourretailsaas.com",
        "subject": "[P0 COPPA] Unauthorized Child Data Collection \u2014 IMMEDIATE Legal Review Required",
        "emailType": "text",
        "message": "=COPPA UNAUTHORIZED COLLECTION INCIDENT\n\nDescription: {{ $json.description }}\nChild accounts affected: {{ $json.affected_count }}\nData type: {{ $json.data_type }}\nDetected: {{ $json.detected_at }}\n\nCOPPA Rule (16 CFR Part 312): collecting personal information from a child under 13 without verifiable parental consent violates \u00a7312.5; \u00a7312.10 limits retention to what is reasonably necessary for the purpose collected and requires secure deletion afterwards. The FTC (and state attorneys general) enforce the Rule with civil penalties assessed per violation and adjusted annually for inflation ($51,744 per violation under the 2024 adjustment).\n\nIMMEDIATE: Engage legal. Do not delete the data before the legal hold assessment, and record who made that call and when. Document the VPC failure root cause and the fix before closing the incident.\n\nCOPPA response: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_ada",
      "name": "ADA Complaint \u2014 60-Day Injunction Risk",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        540
      ],
      "parameters": {
        "fromEmail": "legal@yourretailsaas.com",
        "toEmail": "cto@yourretailsaas.com",
        "subject": "[ADA COMPLAINT] Web Accessibility Claim: WCAG 2.1 AA Remediation Required",
        "emailType": "text",
        "message": "=ADA WEB ACCESSIBILITY COMPLAINT\n\nComplainant: {{ $json.complainant }}\nIssue: {{ $json.accessibility_issue }}\nPage URL: {{ $json.page_url }}\nFiled: {{ $json.filed_at }}\n\nADA Title III litigation risk: courts are split on when a website is a place of public accommodation. The Ninth Circuit (Robles v. Domino's Pizza, 2019) applied Title III to a site and app with a nexus to physical stores, and plaintiffs routinely plead WCAG 2.1 AA as the measure of accessibility even though Title III itself names no technical standard. The 60-day label on this node is an internal remediation target, not a statutory deadline.\n\nRemediation: engage legal and a WCAG 2.1 AA remediation firm promptly. Preserve the complained-of pages as they were at the time of filing and keep before/after accessibility scans as evidence of remediation.\n\nAccessibility workflow: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_nexus",
      "name": "Wayfair Nexus Crossed \u2014 State Registration Deadline",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        660
      ],
      "parameters": {
        "fromEmail": "tax@yourretailsaas.com",
        "toEmail": "cfo@yourretailsaas.com",
        "subject": "=[WAYFAIR NEXUS] Economic Nexus Threshold Crossed \u2014 {{ $json.state }} \u2014 Register Within {{ $json.registration_days }} Days",
        "emailType": "text",
        "message": "=ECONOMIC NEXUS THRESHOLD CROSSED\n\nState: {{ $json.state }}\nTransactions: {{ $json.transaction_count }}\nRevenue: ${{ $json.revenue }}\nThreshold Crossed: {{ $json.threshold_crossed_at }}\nRegistration Deadline: {{ $json.registration_deadline }} ({{ $json.registration_days }} days)\n\nRegister with the {{ $json.state }} revenue department before collecting tax. Thresholds and the grace period between crossing and the first required collection differ by state, so confirm the {{ $json.registration_days }}-day figure against the state's current rule.\nFailing to register and collect once nexus exists leaves you liable for the uncollected tax plus state failure-to-file and failure-to-pay penalties and interest.\n\nNexus automation: https://stripeai.gumroad.com"
      }
    },
    {
      "id": "em_canspam",
      "name": "CAN-SPAM \u2014 10 Business Day Opt-Out Clock",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        1000,
        780
      ],
      "parameters": {
        "fromEmail": "compliance@yourretailsaas.com",
        "toEmail": "marketing@yourretailsaas.com",
        "subject": "[CAN-SPAM] Opt-Out Request \u2014 Honor Within 10 Business Days",
        "emailType": "text",
        "message": "=CAN-SPAM OPT-OUT REQUEST\n\nConsumer: {{ $json.consumer_email }}\nOpt-Out Received: {{ $json.received_at }}\nHonor By: {{ $json.honor_by_date }} (10 business days, 15 U.S.C. \u00a77704(a)(4)(A))\n\nAction required:\n1. Suppress the address across all commercial email streams within 10 business days. The suppression is permanent until the recipient affirmatively opts back in; there is no 30-day cooling-off period after which mailing may resume.\n2. Keep the opt-out mechanism in already-sent messages working for at least 30 days after transmission (\u00a77704(a)(3)(A)(ii)).\n3. Sync the suppression to every ESP, CDP and sales tool, and do not sell, lease or transfer the opted-out address (\u00a77704(a)(4)(A)(iv)).\n\nNote: CAN-SPAM penalties are assessed per email (inflation-adjusted FTC civil penalty, $51,744 per violation under the 2024 adjustment). Systematic failures also invite state attorney general and ISP enforcement.\n\nEmail automation: https://stripeai.gumroad.com"
      }
    }
  ],
  "connections": {
    "Incident Webhook": {
      "main": [
        [
          {
            "node": "Respond 202",
            "type": "main",
            "index": 0
          },
          {
            "node": "Route by Incident Type",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Route by Incident Type": {
      "main": [
        [
          {
            "node": "PCI Breach \u2014 IMMEDIATE P2P + 24h Acquirer",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "CCPA DSR \u2014 45-Day Clock Starts",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "CCPA Breach \u2014 30-Day Notification Window",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "COPPA Violation \u2014 IMMEDIATE FTC Referral Risk",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "ADA Complaint \u2014 60-Day Injunction Risk",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Wayfair Nexus Crossed \u2014 State Registration Deadline",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "CAN-SPAM \u2014 10 Business Day Opt-Out Clock",
            "type": "main",
            "index": 0
          }
        ],
        []
      ]
    }
  }
}

Workflow 5: Weekly RetailTech KPI Dashboard

Runs Monday at 8 AM. Queries a Postgres database for: enterprise merchant count, SMB merchant count, total MRR with WoW percentage, open PCI incidents, pending CCPA DSARs, open ADA complaints, active Wayfair nexus state count, CAN-SPAM violations in the last 7 days. Emails CEO with a structured compliance KPI report.

{
  "name": "RetailTech Weekly KPI Dashboard",
  "nodes": [
    {
      "id": "sch5",
      "name": "Monday 8 AM",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1,
      "position": [
        240,
        300
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "weeks",
              "weeksInterval": 1,
              "triggerAtDay": [
                1
              ],
              "triggerAtHour": 8,
              "triggerAtMinute": 0
            }
          ]
        }
      }
    },
    {
      "id": "pg5",
      "name": "Query RetailTech KPIs",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2,
      "position": [
        460,
        300
      ],
      "parameters": {
        "operation": "executeQuery",
        "query": "\nWITH weekly AS (\n  SELECT\n    week,\n    COUNT(DISTINCT CASE WHEN tier IN ('ENTERPRISE_ECOMMERCE_PLATFORM','MIDMARKET_ECOMMERCE_SAAS') THEN merchant_id END) AS enterprise_merchants,\n    COUNT(DISTINCT CASE WHEN tier IN ('RETAILTECH_STARTUP','RETAIL_ANALYTICS_SAAS') THEN merchant_id END) AS smb_merchants,\n    SUM(mrr) AS total_mrr,\n    COUNT(CASE WHEN incident_type = 'PCI_DSS_BREACH' AND status = 'OPEN' THEN 1 END) AS pci_incidents_open,\n    COUNT(CASE WHEN incident_type = 'CCPA_DSR_REQUEST' AND status = 'PENDING' THEN 1 END) AS ccpa_dsar_pending,\n    COUNT(CASE WHEN incident_type = 'ADA_COMPLAINT' AND status = 'OPEN' THEN 1 END) AS ada_complaints_open,\n    COUNT(DISTINCT CASE WHEN flags->>'wayfair_nexus_multistate' = 'true' THEN state END) AS wayfair_nexus_states_active,\n    COUNT(CASE WHEN incident_type = 'CAN_SPAM_VIOLATION' AND created_at > NOW() - INTERVAL '7 days' THEN 1 END) AS can_spam_violations_7d\n  FROM retailtech_weekly_stats\n  -- two completed weeks so LAG() has a prior row to compare against\n  WHERE week BETWEEN date_trunc('week', NOW() - INTERVAL '14 days') AND date_trunc('week', NOW() - INTERVAL '7 days')\n  GROUP BY week\n),\ntrend AS (\n  SELECT *,\n    ROUND((total_mrr - LAG(total_mrr) OVER (ORDER BY week))::numeric / NULLIF(LAG(total_mrr) OVER (ORDER BY week), 0)::numeric * 100, 1) AS mrr_wow_pct\n  FROM weekly\n)\nSELECT\n  enterprise_merchants, smb_merchants, ROUND(total_mrr::numeric, 2) AS total_mrr, mrr_wow_pct,\n  pci_incidents_open, ccpa_dsar_pending, ada_complaints_open, wayfair_nexus_states_active, can_spam_violations_7d\nFROM trend\nWHERE week = date_trunc('week', NOW() - INTERVAL '7 days')\n"
      }
    },
    {
      "id": "em5",
      "name": "Weekly KPI Email",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2,
      "position": [
        700,
        300
      ],
      "parameters": {
        "fromEmail": "analytics@yourretailsaas.com",
        "toEmail": "ceo@yourretailsaas.com",
        "subject": "=[RetailSaaS KPI] Weekly Compliance Dashboard \u2014 {{ $now.toFormat('yyyy-MM-dd') }}",
        "emailType": "text",
        "message": "=RETAILTECH SAAS WEEKLY KPI\nWeek ending: {{ $now.minus({ days: 1 }).toFormat('yyyy-MM-dd') }}\n\n--- REVENUE ---\nEnterprise Merchants: {{ $json.enterprise_merchants }}\nSMB Merchants: {{ $json.smb_merchants }}\nTotal MRR: ${{ $json.total_mrr }}\nMRR WoW: {{ $json.mrr_wow_pct }}%\n\n--- COMPLIANCE INCIDENTS ---\nPCI DSS Breaches Open: {{ $json.pci_incidents_open }}\nCCPA DSARs Pending: {{ $json.ccpa_dsar_pending }}\nADA Complaints Open: {{ $json.ada_complaints_open }}\nWayfair Nexus States Active: {{ $json.wayfair_nexus_states_active }}\nCAN-SPAM Violations (7d): {{ $json.can_spam_violations_7d }}\n\nKPI trend: https://stripeai.gumroad.com"
      }
    }
  ],
  "connections": {
    "Monday 8 AM": {
      "main": [
        [
          {
            "node": "Query RetailTech KPIs",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Query RetailTech KPIs": {
      "main": [
        [
          {
            "node": "Weekly KPI Email",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Deployment Notes

PCI DSS scope: self-hosting n8n removes the iPaaS vendor from your Requirement 12.8 TPSP inventory, but it does not take n8n out of scope. Deployed inside the CDE, the n8n host is a system component and inherits the full requirement set: hardening and patching, centralized logging, MFA on the editor UI, access control on stored credentials, and vulnerability scanning. Do not give it general internet access either: allowlist egress to exactly the endpoints the workflows need (your SMTP relay, the payment processor health URL, internal APIs) and deny everything else at the segment firewall, so a compromised workflow or a malicious community node has no path to exfiltrate cardholder data.

CCPA DSAR intake: the health monitor checks your DSAR portal endpoint. Cal. Civ. Code §1798.130(a)(1) requires you to provide designated methods for consumers to submit requests, and an intake form that is down denies consumers the exercise of their statutory rights. A single short outage is not by itself a violation, but a pattern of unavailability is hard to defend in front of the CPPA or the Attorney General, so alert on the DSAR endpoint with the same urgency as a checkout outage.

Wayfair nexus queries: the deadline tracker runs against your internal order database. No external API call required — nexus calculation is purely a query against your transaction table grouped by ship_to_state.

COPPA data minimization: by default n8n saves every node's input and output for each execution to its database, so any workflow that touches a child's personal information writes that data into n8n's execution log. Set EXECUTIONS_DATA_SAVE_ON_SUCCESS=none, decide deliberately whether EXECUTIONS_DATA_SAVE_ON_ERROR should keep failed runs (and who can read them), keep EXECUTIONS_DATA_PRUNE=true and set a short EXECUTIONS_DATA_MAX_AGE so anything retained ages out. The same settings matter for cardholder data flowing through the PCI workflows, where persisting it in n8n's database would pull that database into CDE scope.

All five workflows are available as ready-to-import JSON at stripeai.gumroad.com — part of the FlowKit n8n Compliance Automation Bundle.


FlowKit builds n8n workflow templates for compliance-heavy SaaS vendors. See the full vertical series at dev.to/flowkithq.
