Agnes reviewing a contract at her laptop, professional pose, with a CRM database icon visible on the screen.

HubSpot Data Processing Agreement: What You Need to Arrange for GDPR

GDPR, Compliance

You use HubSpot. Have you signed the DPA?

HubSpot probably sits deep inside your organisation. Marketing runs campaigns through it, sales manages pipelines, support sends emails. In practice that means: you store names, email addresses, phone numbers, click behaviour, and sometimes call notes from customers and prospects inside a US-based CRM.

Under the GDPR, that makes HubSpot your processor. And for every processor, Article 28 applies: you need a data processing agreement (DPA) in place.

HubSpot has the DPA ready and waiting. But many companies have never accepted it, never logged it in their processing register, and have no idea which sub-processors HubSpot uses. That is the kind of gap a supervisory authority spots quickly during a review.

This is the first article in a series on vendor-specific DPAs. We walk through HubSpot in four practical steps.

Controller or processor: who is who?

Before you accept anything, you need to know your role. GDPR defines two key roles:

  • Controller: determines the purpose and means of processing. That is you. You decide which leads you collect, which newsletter they receive, and how long you keep their data.
  • Processor: processes personal data on behalf of the controller. That is HubSpot. HubSpot does not invent reasons to use your customer data. It stores it for you and makes it usable.

This split is not paperwork. It decides who is liable in case of a breach, who answers data subject requests, and what goes into the DPA. For HubSpot the line is clear: you are the controller, HubSpot is the processor.

Step 1: accept the HubSpot DPA

HubSpot does not force the DPA on you at login. You have to navigate there yourself.

The path inside your HubSpot account:

  1. Go to Settings (the gear icon, top right).
  2. In the left menu, click Account Defaults and then Legal Stuff (depending on your plan this can also be labelled Account and Billing or Legal).
  3. Open Data Processing Agreement.
  4. Review the agreement and click Accept.

From that moment the DPA is active for your portal. Make sure the person accepting has signing authority, or that you have agreed internally that the DPO or a director performs this step. Save a PDF or screenshot of the confirmation in your supplier folder.

Step 2: log HubSpot in your processing register

An accepted DPA without registration is half a solution. Article 30 of the GDPR requires you to maintain a record of processing activities. HubSpot belongs in it.

What do you record per processing activity?

  • Name of the processor: HubSpot, Inc.
  • Categories of personal data: contact details, click behaviour, form data, sometimes phone numbers and call notes.
  • Purpose: CRM, marketing automation, sales, and service.
  • Retention period: your own policy (often 2 or 3 years after last contact).
  • Legal basis: usually consent for marketing, legitimate interest for customer administration.
  • Transfer: yes, to the US.
  • Safeguards: SCCs and EU-US Data Privacy Framework, plus the accepted DPA.

A solid processing register turns this step into a fill-in exercise. If you do not have a register yet, HubSpot is a good place to start building one.

Step 3: note the sub-processors

HubSpot does not do all the work itself. For hosting and infrastructure it brings in sub-processors, including:

  • Amazon Web Services (AWS): cloud infrastructure and storage.
  • Google Cloud Platform: additional cloud services.

HubSpot also works with partners for support, email delivery, and analytics. The current list lives on HubSpot's Privacy and Legal page. Plan an annual check, because sub-processors change.

You do not need to copy each sub-processor verbatim into your register, but you should note that HubSpot uses sub-processors and where the up-to-date list is published. That way you can answer customer or regulator questions immediately.

Step 4: assess the transfer risk

HubSpot is a US company. Part of the processing happens in the US, which makes data transfer outside the EEA a point of attention.

HubSpot covers this with two safeguards:

  • Standard Contractual Clauses (SCCs): standard contract terms from the European Commission that pin down rights and duties for international transfers.
  • EU-US Data Privacy Framework: the framework that since 2023 legitimises transfers to certified US companies.

Document which safeguards you accept. For most SMBs using HubSpot for standard marketing and sales, this is sufficient. If you process sensitive data (such as health data), an additional Data Transfer Impact Assessment (DTIA) is wise.

Treat HubSpot like any other vendor

HubSpot is one of probably twenty to fifty processors inside your organisation. For every vendor you walk through the same four steps: accept the DPA, log it in the register, note sub-processors, and assess transfer. Doing this ad hoc per vendor is how teams lose the overview.

A structured approach to supplier management keeps you in control: one place to track DPAs, sub-processors, and risk assessments, with reminders for annual reviews.

Want to handle every vendor the same way? Start with our guide on how to close a data processing agreement and then move to supplier management for GDPR to set up the full chain.

Frequently asked questions

Does HubSpot have a data processing agreement?

Yes. HubSpot provides a standard DPA that you accept via Settings, Account, Legal Stuff, Data Processing Agreement. Once you accept, the DPA is active for your account and connected products.

Is HubSpot GDPR compliant?

HubSpot offers the building blocks: an Article 28 DPA, SCCs, and participation in the EU-US Data Privacy Framework. Whether your use is GDPR-compliant depends on how you configure HubSpot, what data you process, and how well your supplier management is documented.

What sub-processors does HubSpot use?

HubSpot uses Amazon Web Services and Google Cloud Platform for hosting, along with other partners. The full list is on HubSpot's Privacy and Legal page. Plan an annual check.

How do I add HubSpot to my processing register?

Log which personal data you store, the purpose, retention period, legal basis, whether data leaves the EEA, and which safeguards apply. Reference the accepted DPA and the sub-processor list.

This article is general information and not legal advice. For advice tailored to your situation, consult a specialised GDPR lawyer or privacy advisor.

Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.

Try 1 month for free