How CRM Canvas Protects Your HubSpot Data
Your CRM contains your most sensitive business relationships. Here's exactly how CRM Canvas secures your HubSpot data with OAuth 2.0, end-to-end encryption, and a zero-storage architecture.
Your CRM isn't just a database. It's a detailed map of every relationship, every deal, and every conversation your company has with customers and prospects.
That's incredibly valuable data. And it deserves serious protection.
Here's exactly how CRM Canvas secures your HubSpot data — no marketing fluff, just the technical reality.
Why CRM Data Security Matters
Let's be honest about what's at stake:
- Competitive intelligence: Your deal pipeline reveals your entire go-to-market strategy
- Relationship details: Who you're talking to, how often, what about
- Revenue forecasts: Actual numbers competitors would love to see
- Contact information: Personal details protected by privacy regulations
A security breach isn't just an IT problem. It's a competitive disaster.
Our Security Architecture
We built CRM Canvas with a simple principle: minimize access, maximize protection.
1. OAuth 2.0 — We Never See Your Password
When you connect HubSpot to CRM Canvas, we use OAuth 2.0 — the same authentication protocol used by Google, Microsoft, and every major enterprise platform.
How it works:
- You click "Connect HubSpot"
- HubSpot's own login page opens (not ours)
- You authorize specific permissions
- HubSpot sends us a secure token — never your password
Your credentials stay with HubSpot. We never see them, never store them, never even touch them.
2. Read-Only Permissions
We request the minimum permissions needed to generate relationship maps:
- crm.objects.contacts.read — See contact names and emails
- crm.objects.companies.read — See company information
- crm.objects.deals.read — See deal associations
That's it. We cannot:
- Create, update, or delete any records
- Send emails on your behalf
- Access billing or account settings
- Modify any HubSpot configuration
Read-only means read-only.
3. Encryption In Transit and At Rest
Every piece of data is encrypted:
In transit: TLS 1.3 encryption for all API calls. Your data travels through an encrypted tunnel that even we can't read in transit.
At rest: AES-256 encryption for any stored tokens. This is the same encryption standard used by banks and government agencies.
4. Privacy-First Caching Architecture
Here's the key difference between us and traditional CRM tools: we don't store your raw CRM data.
When you generate a relationship map:
- We fetch the relevant contacts and relationships from HubSpot
- Our AI processes the data to generate a relationship graph
- We cache the generated map (not raw emails or meeting notes) for 24 hours
- After 24 hours, the map is automatically deleted
- Raw email content and meeting notes are discarded immediately
Why cache for 24 hours?
- Performance: Instant loading when you revisit a map
- Cost-effective: We don't need to reprocess with AI on every page load
- Still privacy-respecting: Only the relationship graph is cached, not your sensitive CRM data
What competitors do differently:
- Gong, Chorus, LinkedIn Sales Navigator: Store your entire email history indefinitely
- Salesforce Einstein: Keeps all CRM data for AI training (unclear retention)
- CRM Canvas: 24-hour cache of relationship graphs only, then auto-delete
If you want to preserve a map longer than 24 hours, you can export it as PNG, JSON, or PDF at any time.
What We Store (and Why)
Complete transparency — here's what we actually keep:
| Data | Why | Retention |
|---|---|---|
| Your email | Account identification | Until you delete |
| OAuth tokens | Connect to HubSpot | Encrypted, deleted on disconnect |
| Generated relationship maps | Fast loading on return visits | 24 hours, then auto-deleted |
| Audit logs | Security monitoring & compliance | 90 days |
We do NOT store:
- Your HubSpot credentials
- Raw email content (only the relationship graph derived from them)
- Meeting notes or transcripts (only the relationships we extract)
- Deal amounts or pipeline data beyond what's in the graph
- Contact details beyond what's shown on your maps
The difference: Gong stores your entire email archive. We store a relationship graph for 24 hours, then delete it.
What We Don't Do
Let's be explicit:
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't train AI on your data. Your relationship maps are yours, not training data for our models.
- We don't share with third parties beyond what's needed to run the service (hosting, payment processing).
- We don't access more than we need. Minimum permissions, maximum protection.
Your Rights Under GDPR and CCPA
Whether you're in the EU, California, or anywhere else, you have rights:
Access: Request a copy of any data we have about you.
Deletion: Ask us to delete your account and all associated data. We comply within 30 days.
Portability: Export your diagrams and data in standard formats.
Opt-out: Disconnect HubSpot at any time. We immediately revoke access tokens.
Email hello@crmcanvas.app for any privacy request.
The HubSpot OAuth Flow (Technical Details)
For the security-minded, here's exactly what happens:
- User clicks "Connect HubSpot" in CRM Canvas
- Browser redirects to HubSpot's OAuth page:
  - client_id: Our app ID
  - redirect_uri: https://crmcanvas.app/api/callback
  - scope: crm.objects.contacts.read crm.objects.companies.read crm.objects.deals.read
- User authenticates with HubSpot (we never see this)
- HubSpot redirects back with a temporary authorization code
- Our server exchanges the code for tokens (server-to-server, encrypted)
- Access token stored with AES-256 encryption in database
- Token refreshed automatically (30-minute expiry)
At no point do we handle your HubSpot password or have access to credentials.
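The redirect, callback, and token-storage steps of this flow, sketched as an added Node.js example (not CRM Canvas's own code). The function names, the `state` parameter, the choice of GCM mode, and binding the user id as associated data are assumptions; the scopes and redirect URI format come from this page.

```javascript
const crypto = require('crypto');

// HubSpot's authorize endpoint; the scopes are the three listed on this page.
const AUTHORIZE_URL = 'https://app.hubspot.com/oauth/authorize';
const READ_ONLY_SCOPES = ['crm.objects.contacts.read',
  'crm.objects.companies.read', 'crm.objects.deals.read'];

// Redirect step: `state` (an assumption, not mentioned on the page) is an
// unguessable per-session value that ties the later callback to this browser.
function buildAuthorizeUrl(clientId, redirectUri) {
  const state = crypto.randomBytes(32).toString('hex');
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', READ_ONLY_SCOPES.join(' '));
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// Callback step: reject the request unless state matches, then return the code.
function verifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return code;
}

// Storage step: AES-256-GCM (mode is an assumption) with a fresh 96-bit nonce.
// The user id is bound as AAD so a ciphertext copied to another row fails to open.
function sealToken(token, key, userId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openToken(sealed, key, userId) {
  const raw = Buffer.from(sealed, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(userId));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}
```

The 32-byte key would come from a secrets manager rather than the database that holds the sealed tokens, so a database dump alone does not expose usable tokens.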
Infrastructure Security
Our stack is built on enterprise-grade infrastructure:
- Hosting: Google Cloud Run (HTTPS enforced, automatic SSL)
- Database: Supabase PostgreSQL (encryption at rest, row-level security)
- Backend: Next.js on Vercel (automatic security patches)
All providers maintain SOC 2 compliance and undergo regular security audits.
Questions?
Security isn't a feature we ship and forget. It's how we build.
If you have questions about how we protect your data, email us: hello@crmcanvas.app