// Trust & Security Report

    HubSpot, Inc. logo

    HubSpot, Inc.

    HubSpot Agentic Customer Platform (Smart CRM) with Breeze AI tools and agents, spanning Marketing Hub, Sales Hub, Service Hub, Content Hub, Data Hub, Revenue Hub

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are pleased to announce updates to HubSpot's compliance and assurance portfolio, including our first SOC 1 report, updated SOC 2 Type II and SOC 3 reports, a refreshed HIPAA attestation, and updated Compliance FAQs.

    Verify on trust.hubspot.com
    SOC 3
    HELD

    Download our SOC3 and SOC 2 Type 2, our latest penetration test summaries, the HubSpot Security Overview, and more above.

    Verify on legal.hubspot.com
    SOC 1 Type II
    HELD

    Our new SOC 1 report provides assurance over controls relevant to financial reporting, helping support customers who rely on HubSpot data in their own financial reporting processes.

    Verify on trust.hubspot.com
    HIPAA (attestation)
    HELD

    Our HIPAA attestation further supports customers with HIPAA-regulated use cases and reinforces our ongoing commitment to safeguarding Protected Health Information (PHI).

    Verify on trust.hubspot.com
    GDPR
    HELD

    With product features such as "GDPR delete" that permanently deletes record data, "lawful basis to communicate" consent tracking, subscription settings, and cookie tracking consent banners that are customizable across regions -- HubSpot makes it easier than ever to comply with GDPR and similar regulations.

    Verify on legal.hubspot.com
    CCPA
    HELD

    Trust Center badges listed: SOC 1 Type II, SOC 2 Type II, SOC 3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe Certified Privacy (8 Badges).

    Verify on trust.hubspot.com
    EU Cloud Code of Conduct
    HELD

    QUICK LINKS ... Badges ... EU Cloud Code of Conduct ... TRUSTe Certified Privacy

    Verify on trust.hubspot.com
    TRUSTe Certified Privacy
    HELD

    Badges ... TRUSTe Certified Privacy (listed among HubSpot Trust Center's 8 Badges).

    Verify on trust.hubspot.com
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not listed among HubSpot's own Trust Center badges (SOC 1/2/3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe). ISO 27001 applies to HubSpot's underlying AWS infrastructure, not to HubSpot the application as a certified entity.

    source: trust.hubspot.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US by default with regional data hosting available (EU). Infrastructure hosted on AWS.

    By default HubSpot MAY use a customer's account data to train HubSpot's own AI/ML models. Privacy Policy 2.3: 'When you use our products and services we may process personal data to develop, support, and improve HubSpot AI features and to train our AI models and similar products and services that rely on machine learning.' Super Admins can opt out via an AI model training switch in account AI settings; when off, data is no longer used to train HubSpot models and is not shared with other customers (change takes up to ~1 week). Accounts with Sensitive Data enabled are opted out of AI model training by default and cannot opt in. Third-party AI providers used by Breeze are contractually prohibited from training their models on customer data.

    // Security controls

    Annual third-party penetration testing

    Yes - annual third-party pen testing; summaries downloadable; 2025 Corporate Network Penetration Test report published in Trust Center

    trust.hubspot.com

    Bug bounty / vulnerability disclosure

    Yes - public bug bounty on both HackerOne (hackerone.com/hubspot) and Bugcrowd (bugcrowd.com/hubspot); CTF rewards up to $20,000

    hackerone.com

    Annual third-party audits

    Yes - 'One or more annual third-party audit(s)' per Trust Center Quick Summary

    trust.hubspot.com

    Encryption

    Standard SSL/TLS on all HubSpot-hosted content; data encrypted in transit and at rest (Encryption FAQ category in Trust Center)

    legal.hubspot.com

    Access controls

    SSO, two-factor authentication (2FA), passkeys, custom domain security settings, password-protected pages, memberships

    legal.hubspot.com

    Disaster recovery & cyber insurance

    Has a disaster recovery plan; carries cyber insurance; status page available (real-time status)

    trust.hubspot.com

    Secure development framework

    Defense-in-depth; OWASP Top 10 and CIS Critical Security Controls; internal 'Mainsail' secure-product framework

    legal.hubspot.com

    Subprocessors disclosure

    Subprocessors list available via Trust Center

    trust.hubspot.com

    // Products & data scope

    Smart CRM + Hubs (Marketing/Sales/Service/Content/Data/Revenue)CRM / customer platform

    data: Customer Data (contacts, deals, tickets, content) processed by HubSpot as a processor under the Customer Terms of Service and DPA; customer is controller

    Free through Enterprise tiers. Same security controls applied across free and paid products per Security page.

    Breeze AI (agents and assistants: Customer Agent, Prospecting Agent, Data Agent, content/copilot)AI agents / assistants

    data: Operates on customer CRM data; by default account data may feed HubSpot AI model training unless opted out; third-party model providers contractually barred from training on customer data

    AI Model Cards and AI Trust FAQs published. Sensitive Data accounts auto opted-out of model training.

    Enrichment / commercial dataset (Breeze Intelligence)Data enrichment

    data: HubSpot acts as CONTROLLER of a commercial dataset of business/professional contacts collected from public sources, third parties, and customers; individuals can opt out/delete via a form

    Distinct scope from processor-mode Customer Data - relevant for procurement reviewing data-broker exposure.

    Free tools / website (forms, chatbots, tracking code)Free marketing tools / website

    data: HubSpot acts as controller for its own websites and tracking code; visitor data (IP, identifiers) used to improve products and the commercial dataset

    Cookie Policy and GPC universal opt-out supported.

    // What to watch

    • AI model training on customer data is ON by default; opt-out exists (Super Admin AI settings) but is not opt-in - notable for privacy-conscious buyers.
    • Sensitive Data accounts are auto opted-out of AI model training and cannot opt in.
    • HubSpot itself is NOT ISO 27001 certified (only its AWS infrastructure is); do not represent ISO 27001 as a HubSpot cert.
    • HubSpot also operates as a DATA CONTROLLER over a commercial contact dataset (data-broker style) - separate from processor-mode Customer Data.
    • Several 2025-2026 security advisories (Composio incident, Jinjava RCE, phishing/vishing campaigns) handled and disclosed transparently in Trust Center - shows mature response, not a red flag.

    // At a glance

    Pricing model

    Freemium - free tools through paid Starter/Professional/Enterprise editions plus Small Business Bundle; per-seat and tier-based

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HubSpot, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.hubspot.com

    > Browse all vendor trust reports