Your Information is Safe and Available

Data Protection meets high-scale systems

Our products and services are transforming the sales and marketing industries with the Inbound revolution, but the backbone of our success is providing a safe and trustworthy place for marketing and sales data. Protecting your data is our obsession.

  • Will HubSpot's software be available?

    Yes! HubSpot’s availability is consistently above 99.99%. Customer data is 100% backed up to multiple online replicas with additional snapshots and other backups.

    What if something isn't working as expected?

    Your site, marketing campaigns, and sales activities are as critical to us as they are to you. If there’s ever a customer-impacting situation, we will make you aware of it on our Status site and keep you continually updated.

    Does HubSpot monitor its systems and software?

    Yes! Our operations teams monitor software and application behavior 24x7x365 using proprietary and industry-recognized solutions.

    Does the HubSpot software contain system redundancy?

    Yes! Every part of the HubSpot products is distributed across at least 3 data center availability zones. Databases, application servers, web servers, jobs servers, and load balancers as well as backend support services all have multiple failover instances to prevent outage from single points of failure.

  • Does HubSpot encrypt data in transit?

    Yes! Sessions between you and your portal are always protected with top end in-transit encryption, advanced TLS (1.0, 1.1, and 1.2) protocols, and 2,048-bit keys.

    Can I use SSL (TLS) on my HubSpot-hosted sites?

    Yes! You have the option of enabling TLS for your website. Please see our How to set up SSL page for more detail.

    Is my website or data protected by a Web Application Firewall and network firewall?

    Yes! HubSpot prevents attacks with sophisticated monitoring and protections including a high-grade web application firewall and tightly controlled network-level firewalling. In addition, HubSpot’s Distributed Denial of Service (DDoS) prevention defenses protect your site and access to your products from attacks.

    Does HubSpot incorporate security into its software development lifecycle (SDLC)?

    Yes! HubSpot code is high quality from conception to deploy. We use automated static code analysis alongside human review to ensure development best practices are implemented across our thousands of daily code pushes. Responsive software development means new features, resiliency improvements, and bug fixes arrive hundreds of times a day, seamlessly.

  • Are physical security protections in place to protect my data?

    Yes! HubSpot products are hosted with the world’s leading data center providers. Access to these data centers is strictly controlled and monitored by security staff, tight access control, and video surveillance. Our data center partners are SOC 2 Type II and ISO 27001 certified and provide N+1 redundancy to all power, network, and HVAC services.

    Are diverse data centers used?

    Yes! The HubSpot infrastructure is distributed between three distinct availability zones. We use multi-vendor diversity to ensure that a single failure does not negatively impact our customer base.

  • Can the HubSpot software respond quickly to new security needs or threats?

    Yes! Between our streamlined, rapid approach to application delivery and our highly automated server infrastructure, HubSpot quickly addresses security issues as they arise. These technology and process structures allow HubSpot to rapidly adapt as new threats are identified.

    Does the HubSpot infrastructure detect and prevent attacks?

    Yes! HubSpot uses enterprise-grade firewalling, routing, intrusion prevention, and behavior analytics capabilities to protect infrastructure and thwart attacks.

    Does HubSpot rapidly patch and update when vulnerabilities are identified?

    Yes! HubSpot’s patch management process pushes security updates fast and consistently. In most situations, patching is handled by deploying new server instances with the most up to date patches and de-provisioning out of date servers.

    Does HubSpot have an incident response program?

    Yes! HubSpot's incident response program is responsive and repeatable. Incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time.

  • Does HubSpot have a repeatable process for discovering and quickly correcting security bugs?

    Yes! We test for potential vulnerabilities continuously in all layers of the technology stack. Dynamic application scans, static code analysis, and infrastructure vulnerability scans are run every day, all day. Our Security team hammers our products day-in and day-out to detect and quickly respond to flaws.

    Does HubSpot bring in outside third parties to find security issues?

    Yes! We bring in industry-respected 3rd party penetration testing firms 4 times a year to test the HubSpot products and corporate infrastructure. We also have rigorous internal and external audit processes to ensure that processes are implemented and working as intended.

    Can I get involved in security testing the HubSpot products?

    Yes! In addition to our internal processes, HubSpot crowd-sources vulnerability assessment with our bug bounty program. Rewards are available for helping us spot potential flaws. Are you interested? Check out our bounty program.

    What external audits or assessment results are available to review?

    Many! HubSpot certified its compliance with the EU-U.S. Privacy Shield framework as well as maintaining its TRUSTe certification for Enterprise Privacy. Our data center providers maintain ISO 27001, SOC2 Type II, and many other certifications. HubSpot was also rated "Enterprise Ready" by leading cloud security provider Skyhigh.

Looking for more information about HubSpot protections?