// Trust & Security Report
HubSpot, Inc.
HubSpot Customer Platform (Sales Hub is one of several Hubs)
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.hubspot.com“Our SOC 2 Type II report continues to provide a detailed evaluation of controls related to security, availability, and confidentiality... Customers can visit the HubSpot Trust Center to access security and compliance documentation.”
Verify on trust.hubspot.com“SOC 3 offers a high-level summary for customers whose review does not require the full report. Download our SOC3 and SOC 2 Type 2... above.”
Verify on trust.hubspot.com“Our new SOC 1 report provides assurance over controls relevant to financial reporting, helping support customers who rely on HubSpot data in their own financial reporting processes.”
Verify on trust.hubspot.com“Our HIPAA attestation further supports customers with HIPAA-regulated use cases and reinforces our ongoing commitment to safeguarding Protected Health Information (PHI).”
Verify on legal.hubspot.com“With product features such as 'GDPR delete' that permanently deletes record data, 'lawful basis to communicate' consent tracking, subscription settings, and cookie tracking consent banners that are customizable across regions -- HubSpot makes it easier than ever to comply with GDPR and similar regulations.”
Verify on trust.hubspot.com“Listed under Trust Center Badges: 'CCPA'. Privacy Policy includes a dedicated '8. California Privacy Rights' section.”
Verify on trust.hubspot.com“Listed under Trust Center Badges: 'EU Cloud Code of Conduct'.”
Verify on trust.hubspot.com“Listed under Trust Center Badges: 'TRUSTe Certified Privacy'.”
> Show 1 unconfirmed / not-held certifications
source: trust.hubspot.comNot present among HubSpot's own 8 Trust Center badges (SOC 1 Type II, SOC 2 Type II, SOC 3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe). ISO 27001 applies to HubSpot's cloud infrastructure provider (AWS), not to HubSpot's own certification scope: 'HubSpot products are hosted with cloud infrastructure providers with SOC 2 Type 2 and ISO 27001 certifications.'
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable data center region: United States, European Union, Canada, or Australia. AI sub-processor processing locations disclosed per-region on the Sub-Processors page.
Nuanced. HubSpot's general Privacy Policy 2.3 says: 'When you use our products and services we may process personal data to develop, support, and improve HubSpot AI features and to train our AI models and similar products and services that rely on machine learning.' HOWEVER, HubSpot's AI Trust resources state customer (Subscription Service) data is NOT used for model training: 'Third-party AI providers used by Breeze are contractually prohibited from training their models on your data... HubSpot does not permit AI service providers that it engages to provide the Subscription Service to use your data for model training,' with zero-day retention commitments where possible. Net: customer-stored CRM data is not used for third-party model training by default; the broader Privacy Policy training language primarily covers HubSpot's own feature improvement and its separately-sourced commercial enrichment dataset. Customers control which data AI features can access.
// Security controls
Bug bounty program
Yes - Bugcrowd. Trust Center confirms 'Has a bug bounty or vulnerability disclosure program'; penetration testing of HubSpot products is permitted provided findings are submitted to the Bugcrowd program. (A 2022 Log4j finding was responsibly disclosed via HubSpot's bug bounty program.)
trust.hubspot.comPenetration testing
Annual third-party penetration testing. 2025 Application Pentest Attestation (covering the web app and the LLMs powering AI features) and 2025 Corporate Network Penetration Test report available in the Trust Center.
trust.hubspot.comEncryption
Standard SSL/TLS on all HubSpot-hosted content; data encrypted in transit and at rest (Encryption FAQ category in Trust Center, 14 answers). Configurable TLS settings and security headers (HSTS, CSP).
legal.hubspot.comAuthentication controls
Single sign-on (SSO), two-factor authentication (2FA), Passkeys, and Super Admin controls to restrict login methods (e.g., disable password-based login).
legal.hubspot.comHosting / infrastructure
Hosted on AWS (cloud provider holds SOC 2 Type 2 and ISO 27001). Defense-in-depth program aligned to OWASP Top 10 and CIS Critical Security Controls; 'Mainsail' secure-by-design framework.
legal.hubspot.comOperational assurance
Disaster recovery plan, status/real-time status page, published subprocessors list, cyber insurance, AI Model Cards, and AI Trust & Safety documentation.
trust.hubspot.com// Products & data scope
data: Stores CRM contact, deal, company, email, call-tracking and conversation-intelligence data as a processor on behalf of the customer under the DPA. AI features (Breeze Prospecting Agent, AI Guided Selling, Smart Deal Progression) process conversation transcripts and deal history.
Tiers: Free, Starter (~$10-20/seat), Professional (~$100/seat), Enterprise (~$150/seat). Enterprise adds custom objects, AI lead scoring, conversation intelligence.
data: Processes payment/billing data via secure third-party payment processors; pairs with Sales Hub for quote-to-cash.
Marketed as a companion to Sales Hub for closing and collecting payment.
data: Same underlying CRM data model, same Customer Terms of Service, DPA, and Trust Center scope. CMS Hub additionally hosts customer websites (HubL/Jinjava template engine).
Compliance posture (SOC, HIPAA, GDPR, region selection) applies platform-wide, not Sales-Hub-specific.
data: Breeze uses third-party LLMs (OpenAI GPT-4o, Anthropic Claude, Stability AI) under no-training / zero-day-retention contracts. SEPARATELY, HubSpot maintains a 'commercial dataset' of business-contact data collected from public sources, third parties, and enrichment customers, processed by HubSpot as a CONTROLLER (distinct data-use scope; opt-out form available).
Distinguish customer CRM data (processor, not used for model training) from the enrichment commercial dataset (controller). This is the key data-scope difference an infosec reviewer should flag.
// What to watch
- ISO 27001 is NOT held by HubSpot itself - it belongs to their cloud infrastructure provider (AWS). Do not display ISO 27001 as a HubSpot certification.
- AI training language is nuanced/potentially conflicting: the general Privacy Policy (2.3) broadly says HubSpot may 'train our AI models' on personal data, while AI Trust pages assert customer Subscription Service data is not used for model training. Resolution: customer CRM data is not used to train third-party models; the broad clause covers feature improvement and the separate commercial enrichment dataset.
- HubSpot operates a separate commercial enrichment dataset as a controller (built from public/third-party sources) - different data-use and privacy scope than customer CRM data.
- Recent (2025-2026) third-party/integration incidents disclosed transparently (Composio OAuth credential leak, Jinjava RCE CVE, phishing/vishing campaigns) - handled and disclosed via Trust Center; no evidence of HubSpot core platform compromise.
- Bug bounty platform is Bugcrowd (not HackerOne).
// At a glance
Pricing model
Freemium + per-seat subscription, tiered Free / Starter / Professional / Enterprise
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on HubSpot, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.hubspot.com