HubSpot Data Security: OAuth, Encryption & What to Ask Your CRM Vendors (2026)
Your CRM holds your most sensitive deal intelligence. Learn how HubSpot protects data with SOC 2 Type II, encryption at rest, and what to ask every third-party integration before connecting.
Your CRM isn't just a database. It's a detailed map of every relationship, every deal, and every conversation your company has with customers and prospects.
That's incredibly valuable data. And it deserves serious protection.
Whether you're evaluating HubSpot's own security posture, vetting a third-party integration, or building a security policy for your CRM stack — this guide covers everything you need to know.
Why CRM Data Security Matters
Let's be honest about what's at stake:
- Competitive intelligence: Your deal pipeline reveals your entire go-to-market strategy
- Relationship details: Who you're talking to, how often, what about
- Revenue forecasts: Actual numbers competitors would love to see
- Contact information: Personal details protected by GDPR, CCPA, and other privacy regulations
A security breach isn't just an IT problem. It's a competitive disaster.
In 2024, the average cost of a data breach reached $4.88 million globally (IBM Cost of a Data Breach Report). CRM systems are particularly high-value targets because they centralize exactly the information attackers want: contact details, financial data, and communication histories.
How HubSpot Secures Your Data
Before we talk about third-party integrations, let's cover what HubSpot itself does to protect your data.
SOC 2 Type II Compliance
HubSpot maintains SOC 2 Type II certification, which means an independent auditor has verified that HubSpot's security controls are not just designed properly but are operating effectively over time. This covers:
- Security: Protection against unauthorized access
- Availability: System uptime and performance
- Confidentiality: Data access restricted to authorized parties
- Processing integrity: Data processed accurately and completely
Encryption Standards
HubSpot encrypts data at multiple levels:
- In transit: All data transmitted between your browser and HubSpot uses TLS 1.2+ encryption. API calls are HTTPS-only.
- At rest: Data stored in HubSpot's databases is encrypted using AES-256, the same standard used by financial institutions and government agencies.
- Backups: Database backups are also encrypted and stored in geographically distributed data centers.
Data Center Infrastructure
HubSpot hosts on Amazon Web Services (AWS) with data centers in the US and EU. AWS data centers maintain physical security controls including biometric access, 24/7 surveillance, and environmental controls. For EU customers, HubSpot offers data residency options to keep data within the European Union.
Access Controls and Audit Logging
HubSpot provides granular role-based access controls (RBAC) so you can limit which team members see which data. Every significant action — record creation, modification, deletion, export — is logged in the audit trail, available to super admins.
Common CRM Data Breach Scenarios
Understanding how breaches happen helps you prevent them. These are the most common vectors for CRM data exposure:
1. Third-Party Integration Vulnerabilities
The biggest risk isn't HubSpot itself — it's the apps you connect to it. Every integration that requests broad API access becomes a potential attack surface. If that vendor gets breached, your CRM data goes with them.
What to watch for:
- Integrations that request write access when they only need to read
- Vendors that store your full CRM dataset on their own servers
- Apps with vague or nonexistent security documentation
2. Over-Permissioned API Keys
Some teams create API keys with full access and share them across multiple tools and team members. A single leaked key can expose your entire CRM.
Best practice: Use OAuth 2.0 integrations instead of API keys whenever possible. OAuth tokens are scoped, time-limited, and revocable without affecting other integrations.
3. Data Export and Shadow IT
Employees export contact lists to spreadsheets, upload them to personal Google Drives, or import them into unauthorized tools. Once data leaves HubSpot, its protections no longer apply.
4. Phishing and Credential Compromise
An attacker who gains access to a HubSpot super admin account through phishing effectively has access to everything: contacts, deals, emails, and the ability to create new API keys.
Mitigation: Enable two-factor authentication (2FA) for all HubSpot users, especially admins. HubSpot supports both app-based 2FA and hardware security keys.
How to Evaluate Third-Party HubSpot Integrations
Every app you connect to HubSpot introduces risk. Here's a security checklist for evaluating integrations before you connect them:
Authentication Method
Best: OAuth 2.0 with scoped permissions — you authorize specific data access, and the vendor never sees your password.
Acceptable: API key with restricted permissions — less ideal, but workable if the vendor documents their key storage practices.
Red flag: Asking you to share your HubSpot login credentials directly. Walk away.
Data Storage Practices
Ask every vendor:
- What data do you store? The less they keep, the less they can leak.
- How long do you retain it? Indefinite retention means indefinite risk.
- Where is it stored? Cloud provider, region, encryption at rest.
- Can I delete my data? You need a way out.
Permission Scope
The principle of least privilege applies: an integration should request only the permissions it absolutely needs.
For example, a relationship mapping tool needs read access to contacts, companies, and deals. It does NOT need:
- Write access to create or modify records
- Access to billing or account settings
- Permission to send emails on your behalf
- Access to HubSpot workflow configurations
If a vendor requests permissions that seem excessive for their stated purpose, ask why.
Compliance Certifications
For enterprise deployments, look for:
- SOC 2 Type II — independent security audit
- GDPR compliance — if you have EU contacts
- CCPA compliance — if you have California contacts
- ISO 27001 — information security management (less common for startups, standard for enterprise vendors)
How CRM Canvas Secures Your HubSpot Data
We built CRM Canvas with the principles above baked into every layer: minimize access, maximize protection. Here's exactly how — no marketing fluff, just the technical reality.
1. OAuth 2.0 — We Never See Your Password
When you connect HubSpot to CRM Canvas, we use OAuth 2.0 — the same authentication protocol used by Google, Microsoft, and every major enterprise platform.
How it works:
- You click "Connect HubSpot"
- HubSpot's own login page opens (not ours)
- You authorize specific permissions
- HubSpot sends us a secure token — never your password
Your credentials stay with HubSpot. We never see them, never store them, never even touch them.
2. Read-Only Permissions
We request the minimum permissions needed to generate relationship maps:
- crm.objects.contacts.read — See contact names and emails
- crm.objects.companies.read — See company information
- crm.objects.deals.read — See deal associations
That's it. We cannot:
- Create, update, or delete any records
- Send emails on your behalf
- Access billing or account settings
- Modify any HubSpot configuration
Read-only means read-only.
3. Encryption In Transit and At Rest
Every piece of data is encrypted:
In transit: TLS 1.3 encryption for all API calls. Your data travels through an encrypted tunnel that even we can't read in transit.
At rest: AES-256 encryption for any stored tokens. This is the same encryption standard used by banks and government agencies.
4. Privacy-First Caching Architecture
Here's the key difference between us and traditional CRM tools: we don't store your raw CRM data.
When you generate a relationship map:
- We fetch the relevant contacts and relationships from HubSpot
- Our AI processes the data to generate a relationship graph
- We cache the generated map (not raw emails or meeting notes) for 24 hours
- After 24 hours, the map is automatically deleted
- Raw email content and meeting notes are discarded immediately
Why cache for 24 hours?
- Performance: Instant loading when you revisit a map
- Cost-effective: We don't need to reprocess with AI on every page load
- Still privacy-respecting: Only the relationship graph is cached, not your sensitive CRM data
What competitors do differently:
- Gong, Chorus, LinkedIn Sales Navigator: Store your entire email history indefinitely
- Salesforce Einstein: Keeps all CRM data for AI training (unclear retention)
- CRM Canvas: 24-hour cache of relationship graphs only, then auto-delete
If you want to preserve a map longer than 24 hours, you can export it as PNG, JSON, or PDF at any time.
What We Store (and Why)
Complete transparency — here's what we actually keep:
| Data | Why | Retention |
|---|---|---|
| Your email | Account identification | Until you delete |
| OAuth tokens | Connect to HubSpot | Encrypted, deleted on disconnect |
| Generated relationship maps | Fast loading on return visits | 24 hours, then auto-deleted |
| Audit logs | Security monitoring & compliance | 90 days |
We do NOT store:
- Your HubSpot credentials
- Raw email content (only the relationship graph derived from them)
- Meeting notes or transcripts (only the relationships we extract)
- Deal amounts or pipeline data beyond what's in the graph
- Contact details beyond what's shown on your maps
The difference: Gong stores your entire email archive. We store a relationship graph for 24 hours, then delete it.
What We Don't Do
Let's be explicit:
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't train AI on your data. Your relationship maps are yours, not training data for our models.
- We don't share with third parties beyond what's needed to run the service (hosting, payment processing).
- We don't access more than we need. Minimum permissions, maximum protection.
Your Rights Under GDPR and CCPA
Whether you're in the EU, California, or anywhere else, you have rights:
Access: Request a copy of any data we have about you.
Deletion: Ask us to delete your account and all associated data. We comply within 30 days.
Portability: Export your diagrams and data in standard formats.
Opt-out: Disconnect HubSpot at any time. We immediately revoke access tokens.
Email hello@crmcanvas.app for any privacy request.
The HubSpot OAuth Flow (Technical Details)
For the security-minded, here's exactly what happens:
- User clicks "Connect HubSpot" in CRM Canvas
- Browser redirects to HubSpot's OAuth page:
  - client_id: Our app ID
  - redirect_uri: https://crmcanvas.app/api/callback
  - scope: crm.objects.contacts.read crm.objects.companies.read crm.objects.deals.read
- User authenticates with HubSpot (we never see this)
- HubSpot redirects back with a temporary authorization code
- Our server exchanges the code for tokens (server-to-server, encrypted)
- Access token stored with AES-256 encryption in database
- Token refreshed automatically (30-minute expiry)
At no point do we handle your HubSpot password or have access to credentials.
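The least-privilege check from the Permission Scope section, applied to the authorization URL in the flow above, as an added example (not CRM Canvas's or HubSpot's code): it parses the URL a "Connect" button redirects to and reports anything beyond the three read scopes listed on this page. The client_id and state values are placeholders, the sample URLs are constructed, and the `state` and `optional_scope` checks cover standard OAuth 2.0 and HubSpot parameters that the page itself does not list.

```python
from urllib.parse import urlsplit, parse_qs

# Allow-list: the three read scopes this page lists for a read-only mapping tool.
ALLOWED_SCOPES = {
    "crm.objects.contacts.read",
    "crm.objects.companies.read",
    "crm.objects.deals.read",
}

def audit_authorize_url(url, allowed=ALLOWED_SCOPES):
    """Return a list of findings for an OAuth 2.0 authorization URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    findings = []

    if parts.scheme != "https":
        findings.append("authorization endpoint is not HTTPS")

    # Scopes are space-separated; parse_qs has already decoded '+' and '%20'.
    # optional_scope is audited too, since scopes granted through it are still granted.
    requested = set()
    for key in ("scope", "optional_scope"):
        for value in params.get(key, []):
            requested.update(value.split())
    if not requested:
        findings.append("no scope parameter: cannot verify least privilege")
    for scope in sorted(requested - allowed):
        kind = "write scope" if scope.endswith(".write") else "unexpected scope"
        findings.append(f"{kind}: {scope}")

    redirect = params.get("redirect_uri", [""])[0]
    if urlsplit(redirect).scheme != "https":
        findings.append("redirect_uri is missing or not HTTPS")

    # 'state' binds the callback to the browser session that started the flow.
    if not params.get("state", [""])[0]:
        findings.append("no state parameter (callback is not bound to a session)")
    return findings

# Constructed sample URLs; client_id and state values are placeholders.
BASE = "https://app.hubspot.com/oauth/authorize?client_id=EXAMPLE-CLIENT-ID"
REDIRECT = "&redirect_uri=https%3A%2F%2Fcrmcanvas.app%2Fapi%2Fcallback"
READ_ONLY = (BASE + REDIRECT + "&state=EXAMPLE-STATE&scope=crm.objects.contacts.read"
             "%20crm.objects.companies.read%20crm.objects.deals.read")
OVER_SCOPED = (BASE + REDIRECT + "&scope=crm.objects.contacts.read"
               "%20crm.objects.contacts.write&optional_scope=automation")

if __name__ == "__main__":
    for name, url in (("read-only", READ_ONLY), ("over-scoped", OVER_SCOPED)):
        print(name, audit_authorize_url(url) or "OK")
```

The same function can be pointed at the URL copied from any integration's consent redirect before you approve it; swap `ALLOWED_SCOPES` for the set that matches the vendor's stated purpose.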
Infrastructure Security
Our stack is built on enterprise-grade infrastructure:
- Hosting: Google Cloud Run (HTTPS enforced, automatic SSL)
- Database: Supabase PostgreSQL (encryption at rest, row-level security)
- Backend: Next.js on Vercel (automatic security patches)
All providers maintain SOC 2 compliance and undergo regular security audits.
HubSpot Data Security Best Practices Summary
Whether you're using CRM Canvas or any other integration, follow these practices to keep your HubSpot data secure:
- Enable 2FA for all users — Especially super admins. Use app-based authentication, not SMS.
- Audit your connected apps quarterly — In HubSpot, go to Settings → Integrations → Connected Apps. Remove anything you're not actively using.
- Prefer OAuth over API keys — OAuth tokens are scoped and revocable. API keys are all-or-nothing.
- Check permission scopes before connecting — If an app asks for write access but only needs to read data, that's a red flag.
- Monitor your audit log — HubSpot super admins can review all account activity. Set a monthly reminder to check for unusual access patterns.
- Ask vendors about data retention — "How long do you keep my data?" should have a specific, short answer. "Indefinitely" is not acceptable.
- Have an exit plan — Before connecting any integration, confirm you can disconnect it and have your data deleted. Get this in writing for enterprise tools.
Questions?
Security isn't a feature we ship and forget. It's how we build.
If you have questions about how we protect your data, email us: hello@crmcanvas.app