HubSpot Security Program
Logo - Full (Color)
Skip to content
 

Security, Privacy, and Control

Your business runs on trust, that's why it runs on HubSpot.

With HubSpot’s end-to-end approach to data security, privacy, and control, each product includes tools that empower your teams to achieve compliance with confidence and security infrastructure that keeps your data safe.

Last Updated: April 18th, 2023

Trusted By

We've got your back

HubSpot is trusted by over 228,000 customers
in over 135 different countries.

  • KPMG
  • WWF
  • GoFundMe
  • Cybereason
  • LegalZoom
  • CancerIQ

Visit our Trust Center

Need the fine print? We've got you covered. Check out our Trust Center to access documents and reports, and to learn about HubSpot’s data privacy, security, and compliance. Download our SOC3 and SOC 2 Type 2, our latest penetration test summaries, the HubSpot Security Overview, and more above.

Hear HubSpot's leaders give a high-level overview of the end-to-end approach HubSpot takes to data security, privacy, and controls.

  1. crafted-not-cobbled-security

    Crafted, not cobbled

    When your tools are cobbled together without a solid foundation, each tool has a different standard for security or protocols for controlling data. Too much data spread across systems leaves gaps and cracks.

    HubSpot is crafted, not cobbled.

    Our product team takes a forward-thinking approach to privacy and security with the “Mainsail”, a framework for building a secure, reliable, and consumer-grade product. We don’t build anything new unless we are meeting the security and privacy standards we’ve laid out.

Scale your company with software you can trust

  1. secure-by-design

    Secure by design

    The core tenets of HubSpot’s security program are to safeguard customer data and to maintain customer trust. 

    HubSpot uses a defense-in-depth approach to implement layers of security throughout our organization. We’re passionate about defining new security controls and continuously refining our existing ones.

    Our security program is driven not only by compliance and regulatory requirements, but also by industry best practices like the OWASP Top 10 and the CIS Critical Security Controls and threat intelligence.

  2. privacy-protection

    Privacy and protections

    Whether you’re using HubSpot products that are free or paid, feature-rich or lightweight, HubSpot works hard to maintain the privacy of data you entrust with us.

    Data you store in HubSpot products is yours -- we put our security program in place to protect it, and use it only as permitted in our Customer Terms of Service and Privacy Policy. We never share your data across customers and never sell it.

  3. compliance-with-confidence

    Compliance with confidence

    Whether it’s GDPR or a similar local regulation, it’s more important than ever that your teams be mindful of data privacy.

    With product features such as “GDPR delete” that permanently deletes record data, “lawful basis to communicate” consent tracking, subscription settings, and cookie tracking consent banners that are customizable across regions -- HubSpot makes it easier than ever to comply with GDPR and similar regulations.

Have questions? Give us a call and we'll walk you through it.

1 888 482 7768

Data security, privacy, and control that scales with you.

HubSpot’s CRM platform was built for your front office teams -- the backbone of our products’ success is providing a safe and trustworthy place for your data.

HubSpot employs the same sophisticated security measures of secure software development processes, infrastructure management, and alerting methodologies across the entire CRM platform.

  • Security
  • Privacy
  • Control

Security

Keep your data safe and protected from bad actors.

Platform security

Platform security
Popular Features
Standard SSL Certificate
Secure your content and lead data with standard SSL on all HubSpot-hosted content. It gives your visitors peace of mind, and can also increase visibility in search results.
Single sign-on (SSO)
Let users sign in to HubSpot using single sign-on credentials, making it easy for them to log in while enhancing security and your control over who has access.
Two-factor authentication
With two-factor authentication (2FA) enabled, logging in requires verification using a second device, such as your mobile phone.
Custom Domain Security Settings
Allow your IT teams to manage the security of your HubSpot-hosted content, dictating how external visitors access your website for maximum protection.
Password-protected pages
Password-protect website pages and landing pages, giving you the ability to control who can see the content on a specific page
Memberships
Restrict access to specific HubSpot-hosted web pages, landing pages, and blog content by requiring visitors to log in with a username and password.

Privacy

Manage customer data while being mindful of local regulations.

cookie privacy settings

cookie privacy settings
Popular Features
GDPR deletion

Permanently delete a contact and prevent accidental re-creation.

Lawful basis processing

We’ve overhauled our subscription setup to make “lawful basis to communicate” easy to track, including consent. You can track both opt-ins and opt-outs in HubSpot.

Consent and cookies

Capture a visitor’s consent for cookie tracking, and use different versions of the consent banner depending on page or regional needs.

Control

Control access to your customer data as you scale.

Content Partitioning

Content Partitioning
Popular Features
Field-level permissions

Disable the editing of specific properties for certain reps to keep your team efficient and your database clean.

User roles

Give each team member using your account the right permission levels for different functionality.

Hierarchical teams

Organize users on multiple levels based on team, region, business unit, brand, or any other dimension, to suit the way your business works.

Partitioning
Give teams different permissions for your blog posts, site pages, emails, forms, CTAs, lists, or workflows based on role, region, and more, so they can only see and edit content relevant to them.
Admin tools
Includes permissions, partitioning, exporting user permissions, and more.
Data sync
Automatically sync data two ways between HubSpot and dozens of popular third-party apps. Only available for select HubSpot-built integrations.

GDPR Compliance

We've enhanced HubSpot’s CRM platform to enable easier compliance with GDPR.

Learn more

Privacy Policy

The official source for all things data privacy at HubSpot.

Learn more

Legal Overview

Your one stop shop for all legal documentation available for HubSpot.

Learn more

HubSpot Reliability

How we keep customer data safe and build a platform that's reliable.

Learn more

Mainsail Framework

A framework for building a secure, reliable, consumer-grade product.

Learn more

Cloud Infrastructure FAQs

Quickly find answers and general information about the HubSpot Cloud Infrastructure hosted on AWS.

Learn more

SSL and Domain Security

Read knowledge base documentation to learn about how these features work.

Learn more

Real-Time Status

Get real-time information on system status and security.

Learn more

CMS Hub Platform and Hosting

Get the details on how CMS Hub provides your IT teams with all the tools they need for proper website monitoring.

Learn more

Frequently Asked Questions

  • HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region.

    As of July 19, 2021, new HubSpot customers have  the option to store their data in our  EU data center located in Frankfurt, Germany. Existing HubSpot customers can migrate their data to the EU data center using our data migration tool. Learn more about that tool here.

    HubSpot products are hosted with cloud infrastructure providers with SOC 2 Type 2 and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance.

    For more detail, please review our Cloud Infrastructure FAQ page.

  • Our customers are increasingly conscious of where their data is processed and stored. Supporting regional data hosting is a priority for HubSpot and something we are working on in order to provide our customers the flexibility to choose where their customer data is stored. 

    As of July 19, 2021 new HubSpot customers have had the option to store their data in our EU data center located in Frankfurt, Germany. Existing HubSpot customers that want to migrate their data to the EU data center can use our data migration tool. Learn how to do that here.

  • HubSpot has a publicly available SOC 3 report attesting to our commitment to meeting rigorous industry standards established by the Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA). You can download the SOC3 report in the downloadable reports section above.

    HubSpot also has a confidential SOC 2 Type 2 report attesting to the controls we have in place governing the availability, confidentiality, and security of customer data as they map to the TSPs. We are proud of the excellence of our controls and invite you to download a copy of our SOC 2 Type 2 report (in the downloadable reports section above) if you are a customer or prospect.

  • Yes, HubSpot does provide bridge letters (in the downloadable reports section above) for customers and prospects.

  • HubSpot is committed to ensuring the availability of our systems by using commercially reasonable efforts to meet a service uptime of 99.95% for our Subscription Service in a given calendar month. Please reference Sec. 5 of the Product Specific Terms for more details.

  • All sensitive interactions with the HubSpot products (e.g., API calls, login, authenticated sessions to the customer's portal, etc.) are encrypted in-transit with TLS 1.2, or 1.3 and 2,048 bit keys or better. Transport layer security (TLS) is also available by default for customers who host their websites on the HubSpot platform. 

    HubSpot leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by HubSpot product server instances as well as long-term storage solutions like AWS S3 use AES-256 encryption. User passwords are hashed and are encrypted at rest. Certain email features work by providing an additional level of both at-rest and in-transit encryption.

  • As of March 8 2021, the HubSpot app itself will no longer support TLS 1.0 and TLS 1.1. All of our officially supported web browsers support at least TLS 1.2. See our announcement here.

    This change does not affect CMS Hub website pages. Websites hosted on CMS Hub can choose the TLS version to support. We currently support the latest TLS 1.2 and TLS 1.3 cipher suites and encourage customers to use them. Most browsers and SSL clients default to the most secure option automatically.

    Please review this knowledge base article for instructions on SSL and how to choose your TLS version within HubSpot.

  • For instructions on domain security and security header settings, check out this knowledge base article.

  • You are permitted to penetration test the HubSpot products, as long as you adhere to these guidelines and submit any findings to our Bugcrowd program. These guidelines are set so you can effectively test within the security controls we have in place. Submitting into our Bugcrowd program submits directly into our vulnerability management program. 

    Our Acceptable Use Policy requires that if you perform a penetration test, you must do so in an authorized manner. Testing the app within the guidelines we set forth on is what constitutes authorized testing. We recommend using a different IP address for scanning than you use to login to your portal. This mitigates any risk that you may be unable to use your HubSpot portal due to blocks incurred by your tests.

  • The HubSpot products allow users to login to their HubSpot accounts using built-in HubSpot login, “Sign in with Google” login, or Single Sign On (SSO). The built-in login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower and upper case letters, special characters, whitespace, and numbers. People who use HubSpot’s built-in login cannot change the default password policy.

    The “Sign in with Google” feature is available to all HubSpot customers. More advanced SAML-based SSO integrated with any SAML-based IDP is available with any hub at the enterprise tier level.

    Customers who use an SSO provider can set up SSO-based login for their users. Instructions for setting up SSO are available on this knowledge base article and HubSpot Academy. Single Sign On and Google login users can configure a password policy in their SSO provider or with their Google accounts.

    Customers who use HubSpot’s built-in login are also encouraged to set up two-factor authentication for their HubSpot accounts, and portal administrators can configure their HubSpot portals to ensure that all users have two-factor authentication enabled.

  • The HubSpot products enforce finely-grained authorization rules for customers. Customers are empowered to create and manage users of their portals and assign the privileges that are appropriate for those users. Please see this knowledge base article for more information about user roles within the HubSpot products.

  • While HubSpot backs up data on our servers for you, this knowledge base article will tell you how to export your content and data if you’d like to back it up on your own.

  • Please see the Sub-Processors section in our HubSpot Data Processing Agreement.

  • You can read all about HubSpot’s cookie policy here.

  • You can learn all about HubSpot’s App Marketplace certification requirements here, many of which directly relate to security.

  • As a CRM user, you have the ability to connect your Gmail, Office365, or IMAP-enabled email inbox. 

    Gmail and Office365 integrations are authorized by and protected by the native integration capabilities in those platforms.

    IMAP integration allows your connected inbox to synchronize mail into your CRM from other mail services. When a user sets up an IMAP integration, the HubSpot products act as an IMAP client. The services that support IMAP integrations have many built-in protections: data is encrypted in transit from end-to-end; the data is encrypted at rest at the field level as well as at the database level; and access controls ensure only authorized access to the data.

Scale your business with software you can trust.

Your business runs on trust, and that’s why it runs on HubSpot. Get started with the #1 customer platform for scaling businesses.

Smiling Person