// Trust & Security Report

    HubSpot, Inc. logo

    HubSpot, Inc.

    HubSpot Customer Platform (Sales Hub is one of several Hubs)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Our SOC 2 Type II report continues to provide a detailed evaluation of controls related to security, availability, and confidentiality... Customers can visit the HubSpot Trust Center to access security and compliance documentation.

    Verify on trust.hubspot.com
    SOC 3
    HELD

    SOC 3 offers a high-level summary for customers whose review does not require the full report. Download our SOC3 and SOC 2 Type 2... above.

    Verify on trust.hubspot.com
    SOC 1 Type II
    HELD

    Our new SOC 1 report provides assurance over controls relevant to financial reporting, helping support customers who rely on HubSpot data in their own financial reporting processes.

    Verify on trust.hubspot.com
    HIPAA
    HELD

    Our HIPAA attestation further supports customers with HIPAA-regulated use cases and reinforces our ongoing commitment to safeguarding Protected Health Information (PHI).

    Verify on trust.hubspot.com
    GDPR
    HELD

    With product features such as 'GDPR delete' that permanently deletes record data, 'lawful basis to communicate' consent tracking, subscription settings, and cookie tracking consent banners that are customizable across regions -- HubSpot makes it easier than ever to comply with GDPR and similar regulations.

    Verify on legal.hubspot.com
    CCPA
    HELD

    Listed under Trust Center Badges: 'CCPA'. Privacy Policy includes a dedicated '8. California Privacy Rights' section.

    Verify on trust.hubspot.com
    EU Cloud Code of Conduct
    HELD

    Listed under Trust Center Badges: 'EU Cloud Code of Conduct'.

    Verify on trust.hubspot.com
    TRUSTe Certified Privacy
    HELD

    Listed under Trust Center Badges: 'TRUSTe Certified Privacy'.

    Verify on trust.hubspot.com
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not present among HubSpot's own 8 Trust Center badges (SOC 1 Type II, SOC 2 Type II, SOC 3, HIPAA, GDPR, CCPA, EU Cloud Code of Conduct, TRUSTe). ISO 27001 applies to HubSpot's cloud infrastructure provider (AWS), not to HubSpot's own certification scope: 'HubSpot products are hosted with cloud infrastructure providers with SOC 2 Type 2 and ISO 27001 certifications.'

    source: trust.hubspot.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable data center region: United States, European Union, Canada, or Australia. AI sub-processor processing locations disclosed per-region on the Sub-Processors page.

    Nuanced. HubSpot's general Privacy Policy 2.3 says: 'When you use our products and services we may process personal data to develop, support, and improve HubSpot AI features and to train our AI models and similar products and services that rely on machine learning.' HOWEVER, HubSpot's AI Trust resources state customer (Subscription Service) data is NOT used for model training: 'Third-party AI providers used by Breeze are contractually prohibited from training their models on your data... HubSpot does not permit AI service providers that it engages to provide the Subscription Service to use your data for model training,' with zero-day retention commitments where possible. Net: customer-stored CRM data is not used for third-party model training by default; the broader Privacy Policy training language primarily covers HubSpot's own feature improvement and its separately-sourced commercial enrichment dataset. Customers control which data AI features can access.

    // Security controls

    Bug bounty program

    Yes - Bugcrowd. Trust Center confirms 'Has a bug bounty or vulnerability disclosure program'; penetration testing of HubSpot products is permitted provided findings are submitted to the Bugcrowd program. (A 2022 Log4j finding was responsibly disclosed via HubSpot's bug bounty program.)

    trust.hubspot.com

    Penetration testing

    Annual third-party penetration testing. 2025 Application Pentest Attestation (covering the web app and the LLMs powering AI features) and 2025 Corporate Network Penetration Test report available in the Trust Center.

    trust.hubspot.com

    Encryption

    Standard SSL/TLS on all HubSpot-hosted content; data encrypted in transit and at rest (Encryption FAQ category in Trust Center, 14 answers). Configurable TLS settings and security headers (HSTS, CSP).

    legal.hubspot.com

    Authentication controls

    Single sign-on (SSO), two-factor authentication (2FA), Passkeys, and Super Admin controls to restrict login methods (e.g., disable password-based login).

    legal.hubspot.com

    Hosting / infrastructure

    Hosted on AWS (cloud provider holds SOC 2 Type 2 and ISO 27001). Defense-in-depth program aligned to OWASP Top 10 and CIS Critical Security Controls; 'Mainsail' secure-by-design framework.

    legal.hubspot.com

    Operational assurance

    Disaster recovery plan, status/real-time status page, published subprocessors list, cyber insurance, AI Model Cards, and AI Trust & Safety documentation.

    trust.hubspot.com

    // Products & data scope

    Sales HubSales CRM / pipeline / CPQ / sales automation

    data: Stores CRM contact, deal, company, email, call-tracking and conversation-intelligence data as a processor on behalf of the customer under the DPA. AI features (Breeze Prospecting Agent, AI Guided Selling, Smart Deal Progression) process conversation transcripts and deal history.

    Tiers: Free, Starter (~$10-20/seat), Professional (~$100/seat), Enterprise (~$150/seat). Enterprise adds custom objects, AI lead scoring, conversation intelligence.

    Revenue Hub / Commerce HubQuotes, billing, payments (CPQ)

    data: Processes payment/billing data via secure third-party payment processors; pairs with Sales Hub for quote-to-cash.

    Marketed as a companion to Sales Hub for closing and collecting payment.

    Other Hubs (Marketing, Service, Content/CMS, Operations)Broader HubSpot Customer Platform

    data: Same underlying CRM data model, same Customer Terms of Service, DPA, and Trust Center scope. CMS Hub additionally hosts customer websites (HubL/Jinjava template engine).

    Compliance posture (SOC, HIPAA, GDPR, region selection) applies platform-wide, not Sales-Hub-specific.

    Breeze AI + Commercial Enrichment DatasetAI agents and data enrichment

    data: Breeze uses third-party LLMs (OpenAI GPT-4o, Anthropic Claude, Stability AI) under no-training / zero-day-retention contracts. SEPARATELY, HubSpot maintains a 'commercial dataset' of business-contact data collected from public sources, third parties, and enrichment customers, processed by HubSpot as a CONTROLLER (distinct data-use scope; opt-out form available).

    Distinguish customer CRM data (processor, not used for model training) from the enrichment commercial dataset (controller). This is the key data-scope difference an infosec reviewer should flag.

    // What to watch

    • ISO 27001 is NOT held by HubSpot itself - it belongs to their cloud infrastructure provider (AWS). Do not display ISO 27001 as a HubSpot certification.
    • AI training language is nuanced/potentially conflicting: the general Privacy Policy (2.3) broadly says HubSpot may 'train our AI models' on personal data, while AI Trust pages assert customer Subscription Service data is not used for model training. Resolution: customer CRM data is not used to train third-party models; the broad clause covers feature improvement and the separate commercial enrichment dataset.
    • HubSpot operates a separate commercial enrichment dataset as a controller (built from public/third-party sources) - different data-use and privacy scope than customer CRM data.
    • Recent (2025-2026) third-party/integration incidents disclosed transparently (Composio OAuth credential leak, Jinjava RCE CVE, phishing/vishing campaigns) - handled and disclosed via Trust Center; no evidence of HubSpot core platform compromise.
    • Bug bounty platform is Bugcrowd (not HackerOne).

    // At a glance

    Pricing model

    Freemium + per-seat subscription, tiered Free / Starter / Professional / Enterprise

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HubSpot, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.hubspot.com

    > Browse all vendor trust reports