// Trust & Security Report
HubSpot, Inc.
HubSpot Agentic Customer Platform (Smart CRM) with Breeze AI tools and agents, spanning Marketing Hub, Sales Hub, Service Hub, Content Hub, Data Hub, Revenue Hub
Certifications held
8
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.hubspot.com“We are pleased to announce updates to HubSpot's compliance and assurance portfolio, including our first SOC 1 report, updated SOC 2 Type II and SOC 3 reports, a refreshed HIPAA attestation, and updated Compliance FAQs.”
Verify on legal.hubspot.com“Download our SOC3 and SOC 2 Type 2, our latest penetration test summaries, the HubSpot Security Overview, and more above.”
Verify on trust.hubspot.com“Our new SOC 1 report provides assurance over controls relevant to financial reporting, helping support customers who rely on HubSpot data in their own financial reporting processes.”
Verify on trust.hubspot.com“Our HIPAA attestation further supports customers with HIPAA-regulated use cases and reinforces our ongoing commitment to safeguarding Protected Health Information (PHI).”
Verify on legal.hubspot.com“With product features such as "GDPR delete" that permanently deletes record data, "lawful basis to communicate" consent tracking, subscription settings, and cookie tracking consent banners that are customizable across regions -- HubSpot makes it easier than ever to comply with GDPR and similar regulations.”
Verify on trust.hubspot.com“Trust Center badges listed: SOC 1 Type II, SOC 2 Type II, SOC 3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe Certified Privacy (8 Badges).”
Verify on trust.hubspot.com“QUICK LINKS ... Badges ... EU Cloud Code of Conduct ... TRUSTe Certified Privacy”
Verify on trust.hubspot.com“Badges ... TRUSTe Certified Privacy (listed among HubSpot Trust Center's 8 Badges).”
> Show 1 unconfirmed / not-held certifications
source: trust.hubspot.comNot listed among HubSpot's own Trust Center badges (SOC 1/2/3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe). ISO 27001 applies to HubSpot's underlying AWS infrastructure, not to HubSpot the application as a certified entity.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
US by default with regional data hosting available (EU). Infrastructure hosted on AWS.
By default HubSpot MAY use a customer's account data to train HubSpot's own AI/ML models. Privacy Policy 2.3: 'When you use our products and services we may process personal data to develop, support, and improve HubSpot AI features and to train our AI models and similar products and services that rely on machine learning.' Super Admins can opt out via an AI model training switch in account AI settings; when off, data is no longer used to train HubSpot models and is not shared with other customers (change takes up to ~1 week). Accounts with Sensitive Data enabled are opted out of AI model training by default and cannot opt in. Third-party AI providers used by Breeze are contractually prohibited from training their models on customer data.
// Security controls
Annual third-party penetration testing
Yes - annual third-party pen testing; summaries downloadable; 2025 Corporate Network Penetration Test report published in Trust Center
trust.hubspot.comBug bounty / vulnerability disclosure
Yes - public bug bounty on both HackerOne (hackerone.com/hubspot) and Bugcrowd (bugcrowd.com/hubspot); CTF rewards up to $20,000
hackerone.comAnnual third-party audits
Yes - 'One or more annual third-party audit(s)' per Trust Center Quick Summary
trust.hubspot.comEncryption
Standard SSL/TLS on all HubSpot-hosted content; data encrypted in transit and at rest (Encryption FAQ category in Trust Center)
legal.hubspot.comAccess controls
SSO, two-factor authentication (2FA), passkeys, custom domain security settings, password-protected pages, memberships
legal.hubspot.comDisaster recovery & cyber insurance
Has a disaster recovery plan; carries cyber insurance; status page available (real-time status)
trust.hubspot.comSecure development framework
Defense-in-depth; OWASP Top 10 and CIS Critical Security Controls; internal 'Mainsail' secure-product framework
legal.hubspot.com// Products & data scope
data: Customer Data (contacts, deals, tickets, content) processed by HubSpot as a processor under the Customer Terms of Service and DPA; customer is controller
Free through Enterprise tiers. Same security controls applied across free and paid products per Security page.
data: Operates on customer CRM data; by default account data may feed HubSpot AI model training unless opted out; third-party model providers contractually barred from training on customer data
AI Model Cards and AI Trust FAQs published. Sensitive Data accounts auto opted-out of model training.
data: HubSpot acts as CONTROLLER of a commercial dataset of business/professional contacts collected from public sources, third parties, and customers; individuals can opt out/delete via a form
Distinct scope from processor-mode Customer Data - relevant for procurement reviewing data-broker exposure.
data: HubSpot acts as controller for its own websites and tracking code; visitor data (IP, identifiers) used to improve products and the commercial dataset
Cookie Policy and GPC universal opt-out supported.
// What to watch
- AI model training on customer data is ON by default; opt-out exists (Super Admin AI settings) but is not opt-in - notable for privacy-conscious buyers.
- Sensitive Data accounts are auto opted-out of AI model training and cannot opt in.
- HubSpot itself is NOT ISO 27001 certified (only its AWS infrastructure is); do not represent ISO 27001 as a HubSpot cert.
- HubSpot also operates as a DATA CONTROLLER over a commercial contact dataset (data-broker style) - separate from processor-mode Customer Data.
- Several 2025-2026 security advisories (Composio incident, Jinjava RCE, phishing/vishing campaigns) handled and disclosed transparently in Trust Center - shows mature response, not a red flag.
// At a glance
Pricing model
Freemium - free tools through paid Starter/Professional/Enterprise editions plus Small Business Bundle; per-seat and tier-based
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on HubSpot, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.hubspot.com