HubSpot has a SOC 2 Type I report. The SOC 2 report attests to the controls that HubSpot has in place governing the availability, confidentiality, and security of customer data as they map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).

Contact Gate 39 Media to request a copy of HubSpot’s SOC 2 Type I report.

Application Security

In-transit Encryption

Sessions between you and your portal are protected with in-transit encryption using 2,048-bit or better keys and TLS 1.0 or above. Users with modern browsers will use TLS 1.2 or 1.3.

TLS for HubSpot-hosted sites

TLS is enabled by default on HubSpot-hosted websites. You can also select the versions of TLS that are available to your site’s visitors. Please see the Connect your domain and SSL and domain security pages for more detail.

Web Application and network firewalls

HubSpot monitors potential attacks with several tools, including a web application firewall and network-level firewalling. In addition, the HubSpot platform contains Distributed Denial of Service (DDoS) prevention defenses to help protect your site and access to your products.

Software development lifecycle (SDLC) Security

HubSpot implements static code analysis tools and human review processes to ensure consistent quality in our software development practices.

Datacenter Protections

Physical Security

HubSpot products are hosted with cloud infrastructure providers with SOC 2 Type II and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance.

Software Security

Patch Management

HubSpot’s patch management process identifies and addresses missing patches within the product infrastructure. Server-level instrumentation ensures tracked software packages use the appropriate versions.

Security Incident Response

HubSpot’s security incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises and are refined through investigation follow-ups. HubSpot uses standard incident response process structures to ensure that the right steps are taken at the right time.

Audits, Vulnerability Assessment & Penetration Testing

Vulnerability Assessment

HubSpot tests for potential vulnerabilities on a recurring basis. HubSpot runs static code analysis and infrastructure vulnerability scans.

Penetration Testing

HubSpot leverages third-party penetration testing firms several times a year to test the HubSpot products and product infrastructure.

Bug Bounty Program

In addition to our internal processes, HubSpot crowd-sources vulnerability assessment with our bug bounty program. Rewards are available for helping us spot potential flaws. Are you interested?
Check out HubSpot’s bounty program.

External Audit & Certification

HubSpot has obtained a SOC 2 Type I report attesting to the excellence of its controls in the domains of security, availability, and confidentiality. If you’re interested in obtaining a copy of our SOC 2 report, contact Gate 39 Media.

You can also download a copy of HubSpot’s SOC 3 report at the top of this page. HubSpot maintains its TRUSTe certification for Enterprise Privacy. HubSpot’s infrastructure providers maintain ISO 27001, SOC 2 Type II, and many other certifications (AWS) (GCP). As a publicly traded company, HubSpot’s key IT controls are audited on a recurring basis as part of its Sarbanes-Oxley compliance; public information about HubSpot’s SOX compliance is available as part of our SEC filings.

System Reliability

How does HubSpot make its system reliable and resilient?

HubSpot is available and accessible in a variety of disaster scenarios. Each service in HubSpot’s microservices architecture is spread across multiple servers running in different data centers. HubSpot services use APIs to communicate with each other, which reduces the interdependence between them. Every service also has a corresponding test environment where changes are deployed before they are migrated to production.

HubSpot also utilizes a worldwide Content Delivery Network (CDN) provided by Cloudflare to distribute content to a location closest to users, enabling quick and consistent access wherever you are.

Are HubSpot’s site and services always available?

Our goal is that you can always access your HubSpot account. There are times when the HubSpot service will be unavailable due to planned maintenance or due to a component failure. In such cases, HubSpot staff are paged as soon as the failure is detected and work to make sure the service is back up in the shortest possible time. You can check HubSpot’s Status site for the latest service status.

How does HubSpot make sure outages due to component failures do not reoccur?

When an outage or significant failure occurs, HubSpot’s primary goal is to get the service up and available to customers. After the issue has been resolved, the team that owns the affected service holds a postmortem, i.e., a formal review of the incident. During this review, teams use “The 5 Why’s” process to analyze the root cause of the event and to develop a list of immediate action items to make sure this event, and other events like this one, do not re-occur. Action items are expected to be completed within 30 days of the event. Each postmortem event is documented in detail and future learnings are incorporated into long-term plans.

Data Safety

Is my Data Safe with HubSpot?

The HubSpot platform uses a variety of datastores to store data and ensure data safety. Each datastore is architected using best practices for data safety and recovery. HubSpot products are hosted with Amazon Web Services and Google Cloud. Data stored in the HubSpot platform is replicated to three data centers. If a server in one data center fails, the processing is switched to a replica server in another data center with minimal service interruptions. HubSpot also maintains hourly and daily backups for each datastore; these backups are maintained for 30 days. Backups are maintained on highly durable media. Backups of a critical subset of our customers’ data are also maintained in a different geographic region to protect against a regional disaster.

Is My Data Secure with HubSpot?

All communications between a web client and HubSpot servers are protected using TLS (1.0, 1.1, 1.2) protocol encryption using 2048-bit keys. HubSpot also provides customers with the ability to enable Two-Factor Authentication (2FA) to prevent unauthorized use of their portals. Communications between HubSpot services are protected by using Virtual Private Networks and encrypted network protocols. Data is encrypted at rest to help protect against unauthorized access.

Recoverability & Reliance

What is the geographical location of the site where my data is stored?

HubSpot data is primarily stored in Northern Virginia, USA. A critical subset of data is also backed up to Ohio, USA. Additionally, HubSpot has some data that is replicated to Frankfurt, Germany. Additional details on HubSpot’s cloud infrastructure can be found here.

How does HubSpot ensure all my data is backed up and can be restored in case of a disaster?

The disaster recovery strategy at HubSpot uses a combination of snapshots of data and daily full backups to ensure that there are multiple copies of data available to be restored. Snapshots are designed to provide a quick recovery mechanism where the recovery can happen in minutes. Full backups are used when snapshots are not available to recover the data.

The microservices architecture of the HubSpot platform enables operations staff to prioritize restoring high-impact services, such as a sales rep’s ability to get work done or the availability of web pages, before attending to other tasks such as the ability to publish new pages.

Can I recover my data if I accidentally delete it?

Based on the context of the deletion, it is possible to undelete and recover data within a day of an incident or the data being accidentally deleted. Note that if you use the GDPR contact deletion outlined here, this is a permanent delete and we cannot recover this data. Full-service subscription customers can contact Gate 39 Media support to enter a support ticket for our staff to determine the best way to recover your data.

Automatic Monitoring and System Status

What does HubSpot do to monitor its systems?

HubSpot operations and engineering teams use industry-leading tools and instrumentation of services to monitor and analyze the behavior of its SaaS platform. Metrics from services and the cloud infrastructure are fed into an alerting framework. Alerts generated by this framework either trigger automation that takes the appropriate corrective action or notify operations staff of an abnormality that needs review and attention.

We’re seeing reports of website downtime through an external tool, how can we resolve this?

A website can be unavailable for a variety of reasons. Check HubSpot’s Status site to determine if there are any issues with the HubSpot service or if a regional internet outage may be causing an issue. If the Status site does not show a current issue, please open a support ticket with Gate 39 Media support.

How does HubSpot let its customers know and keep them updated?

If HubSpot finds issues that might affect your ability to use the HubSpot service, they will be posted immediately on the Status site. Updates to current issues will also be posted on the same site. HubSpot has also built notifications within your HubSpot portal that will notify you of functionality that may be experiencing issues at that time. Look out for a banner that will explain the affected service.