Back to Blog

How CRM Canvas Protects Your HubSpot Data

Your CRM contains your most sensitive business relationships. Here's exactly how CRM Canvas secures your HubSpot data with OAuth 2.0, end-to-end encryption, and a zero-storage architecture.

Your CRM isn't just a database. It's a detailed map of every relationship, every deal, and every conversation your company has with customers and prospects.

That's incredibly valuable data. And it deserves serious protection.

Here's exactly how CRM Canvas secures your HubSpot data — no marketing fluff, just the technical reality.

Why CRM Data Security Matters

Let's be honest about what's at stake:

  • Competitive intelligence: Your deal pipeline reveals your entire go-to-market strategy
  • Relationship details: Who you're talking to, how often, what about
  • Revenue forecasts: Actual numbers competitors would love to see
  • Contact information: Personal details protected by privacy regulations

A security breach isn't just an IT problem. It's a competitive disaster.

Our Security Architecture

We built CRM Canvas with a simple principle: minimize access, maximize protection.

1. OAuth 2.0 — We Never See Your Password

When you connect HubSpot to CRM Canvas, we use OAuth 2.0 — the same authentication protocol used by Google, Microsoft, and every major enterprise platform.

How it works:

  1. You click "Connect HubSpot"
  2. HubSpot's own login page opens (not ours)
  3. You authorize specific permissions
  4. HubSpot sends us a secure token — never your password

Your credentials stay with HubSpot. We never see them, never store them, never even touch them.

2. Read-Only Permissions

We request the minimum permissions needed to generate relationship maps:

  • crm.objects.contacts.read — See contact names and emails
  • crm.objects.companies.read — See company information
  • crm.objects.deals.read — See deal associations

That's it. We cannot:

  • Create, update, or delete any records
  • Send emails on your behalf
  • Access billing or account settings
  • Modify any HubSpot configuration

Read-only means read-only.

3. Encryption In Transit and At Rest

Every piece of data is encrypted:

In transit: TLS 1.3 encryption for all API calls. Your data travels through an encrypted tunnel that even we can't read in transit.

At rest: AES-256 encryption for any stored tokens. This is the same encryption standard used by banks and government agencies.

4. Zero CRM Data Storage

Here's the key: we don't store your CRM data.

When you generate a relationship map:

  1. We fetch the relevant contacts and relationships from HubSpot
  2. Our AI processes the data in memory
  3. We generate your diagram
  4. The CRM data is discarded

No database of your contacts. No cache of your deals. The data comes in, gets processed, and leaves.

What We Store (and Why)

Complete transparency — here's what we actually keep:

DataWhyRetention
Your emailAccount identificationUntil you delete
OAuth tokensConnect to HubSpotEncrypted, deleted on disconnect
Usage metricsBilling and limits90 days
Diagram imagesSo you can re-access themUntil you delete

We do NOT store:

  • Your HubSpot credentials
  • Contact details from your CRM
  • Email content or meeting notes
  • Deal amounts or pipeline data

What We Don't Do

Let's be explicit:

  • We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
  • We don't train AI on your data. Your relationship maps are yours, not training data for our models.
  • We don't share with third parties beyond what's needed to run the service (hosting, payment processing).
  • We don't access more than we need. Minimum permissions, maximum protection.

Your Rights Under GDPR and CCPA

Whether you're in the EU, California, or anywhere else, you have rights:

Access: Request a copy of any data we have about you.

Deletion: Ask us to delete your account and all associated data. We comply within 30 days.

Portability: Export your diagrams and data in standard formats.

Opt-out: Disconnect HubSpot at any time. We immediately revoke access tokens.

Email hello@crmcanvas.app for any privacy request.

The HubSpot OAuth Flow (Technical Details)

For the security-minded, here's exactly what happens:

  1. User clicks "Connect HubSpot" in CRM Canvas

  2. Browser redirects to HubSpot's OAuth page:

    • client_id: Our app ID
    • redirect_uri: https://crmcanvas.app/api/callback
    • scope: crm.objects.contacts.read crm.objects.companies.read crm.objects.deals.read

  3. User authenticates with HubSpot (we never see this)

  4. HubSpot redirects back with a temporary authorization code

  5. Our server exchanges the code for tokens (server-to-server, encrypted)

  6. Access token stored with AES-256 encryption in database

  7. Token refreshed automatically (30-minute expiry)

At no point do we handle your HubSpot password or have access to credentials.

Infrastructure Security

Our stack is built on enterprise-grade infrastructure:

  • Hosting: Google Cloud Run (HTTPS enforced, automatic SSL)
  • Database: Supabase PostgreSQL (encryption at rest, row-level security)
  • Backend: Next.js on Vercel (automatic security patches)

All providers maintain SOC 2 compliance and undergo regular security audits.

Questions?

Security isn't a feature we ship and forget. It's how we build.

If you have questions about how we protect your data, email us: hello@crmcanvas.app

Ready to see your HubSpot relationships visualized — securely?

Get early access to CRM Canvas →

Ready to see your CRM relationships visualized?

Join the waitlist for CRM Canvas — AI-powered relationship maps from your HubSpot.