HubSpot

HubSpot

Search the Trust Center...
Ctrl +K

HubSpot | Trust Center

Everything you need to complete your security review is here. Browse documents, certifications, and compliance details with confidence. Our Trust Center is regularly updated to reflect the latest audit results, and subprocessor disclosures.

Quick links


Badges

gdpr
GDPR
ccpa
CCPA

Documents & Knowledge Base FAQs


AI Trust at HubSpot

AI Model Cards

Check out HubSpot's AI Model Cards here.

At HubSpot, we leverage both proprietary AI models and those from third-party service providers. These include generative AI models for text and image processing, generation, and content moderation. The models detailed on the model cards page power HubSpot's generative AI capabilities and are categorized by product, use case, and function.

Other AI Trust Resources

AI Security
Review our AI Trust FAQs for detailed information on AI security controls, privacy & data use, and legal compliance.

AI Trust and Safety
At HubSpot, we are committed to doing the right thing. Our approach to AI is rooted in trust, transparency, and accountability. Check out our AI Trust & Safety here.


Announcements

HubSpot Update on Wordpress Plugin Vulnerability

On July 2, 2026, HubSpot became aware of a publicly disclosed vulnerability in the HubSpot All-In-One Marketing WordPress plugin affecting versions up to and including 11.3.53. The vulnerability, classified as CVE-2026-57736, allowed for sensitive data exposure. The vulnerability is now fixed in version 11.3.61.

Customers using the HubSpot WordPress plugin are highly encouraged to update to the latest version.

Background

HubSpot was alerted to a CVE filed against the HubSpot WordPress plugin via Patchstack. The vulnerable versions allowed authenticated WordPress users with contributor-level access or above to retrieve the site's plaintext HubSpot OAuth refresh token. This vulnerability was submitted by a security researcher and, after a preliminary investigation, we have no evidence to suggest exploitation of this vulnerability in the wild.

An initial patch was released on July 6, 2026 (version 11.3.58) that removes the refresh token from the plugin's inline JavaScript object, reducing the exposure surface.

On July 8, 2026 we released a second patch (version 11.3.61) to address the root cause of the vulnerability by moving all OAuth token exchange operations server-side. Tokens associated with the plugin are no longer accessible from the browser.

Next Steps

  • Customers utilizing the HubSpot Wordpress plugin should update to the latest version (11.3.61) via the WordPress plugin manager. Automatic updates are configurable within the plugin settings.

SOC 1 Report and 2026 SOC 2, HIPAA Reports Now Available

We are pleased to announce updates to HubSpot’s compliance and assurance portfolio, including our first SOC 1 report, updated SOC 2 Type II and SOC 3 reports, a refreshed HIPAA attestation, and updated Compliance FAQs.

These updates reflect HubSpot’s continued investment in security, compliance, and transparency. Our new SOC 1 report provides assurance over controls relevant to financial reporting, helping support customers who rely on HubSpot data in their own financial reporting processes. Our SOC 2 Type II report continues to provide a detailed evaluation of controls related to security, availability, and confidentiality, while SOC 3 offers a high-level summary for customers whose review does not require the full report. Our HIPAA attestation further supports customers with HIPAA-regulated use cases and reinforces our ongoing commitment to safeguarding Protected Health Information (PHI).

Customers can visit the HubSpot Trust Center to access security and compliance documentation, browse FAQs, and review additional trust resources.


HubSpot Update on 2026 Composio Security Incident

On May 25, 2026, Composio disclosed a security incident involving unauthorized access to certain internal Composio systems, including leaked OAuth credentials and API keys used in their toolkits. Between May 25th and May 27th, based on Composio’s recommendation, HubSpot Security rotated OAuth tokens and API keys for apps using Composio's managed or custom authorization options to integrate with Composio's HubSpot toolkit.

It is important to note that this issue did not stem from a vulnerability within the core HubSpot platform, but rather from a compromise of Composio’s internal systems.

Customers and developers can re-enable their app connections with new credentials. Before doing so, customers are encouraged to review Composio’s incident disclosure in detail.

We are investigating any potential impact to HubSpot customers and working with Composio to understand the full scope of the incident. At this time, there is no evidence to suggest HubSpot or our customers’ accounts have been compromised.

Composio has contacted customers directly if their connection(s) were affected. HubSpot will also notify customers directly via email when our investigation concludes if we find any instance of account compromise. If you do not receive an email from Composio or HubSpot, you were not impacted.

HubSpot will continue to monitor the situation and provide updates in our Trust Center as necessary.

Update on May 29th:
Based upon our continued investigation and due diligence, HubSpot continued to rotate OAuth credentials and API keys which we believe to be used in Composio toolkits between May 28th and May 29th.

Update on June 3rd:
HubSpot's investigation into the Composio security incident is now complete. We have found no evidence that HubSpot or any HubSpot customer accounts were compromised as a result of this incident.

Actions Recommended:

  • Customers and developers: HubSpot users with impacted apps or keys will see a banner at the top of their Connected Apps page. The banner will instruct super admins to re-enable their app connections with new credentials if they wish.
  • App owners: Any apps available in the HubSpot Marketplace that rely on Composio’s HubSpot toolkit may have also experienced degraded functionality or broken connections. App owners can review their Composio interface for connection failures and re-enable their app connections with new credentials, if necessary.

If you have questions about Composio and their recent incident, we encourage you to reach out to Composio directly. For questions on using AI-native integration platforms in the future, please consult your IT or Security team.


Security Advisory: Phishing Campaign to Install Malicious Integrations

March 12, 2026 Update:

On March 12 at 1:30 PM ET, HubSpot’s security team temporarily disabled legacy public app and project-based app creation for new portals. This increase in security measures is in response to a phishing campaign that impacted some customers. Investigation is ongoing and updates will be available at our Trust Center when they become available.

- End Update

Advisory Notice

HubSpot is aware of an ongoing phishing campaign targeting some HubSpot customers. While our investigation is ongoing, we are sharing this information to help customers recognize and prevent these fraudulent attempts.

Summary

A subset of customers may have received fraudulent emails that appear to be from HubSpot, but were sent from non-HubSpot email addresses and domains. These emails may contain subject lines like “Your HubSpot portal has been deactivated” with fraudulent instructions to take an action, such as clicking a link to “Verify your Identity”.

Some customers may have also received an erroneous email verification from noreply@hubspot.com with the subject line “Looks like you already have an account”. These emails can be safely ignored.

We have identified that bad actors have attempted to impersonate HubSpot to convince some customers to install malicious third-party app integrations to their HubSpot portals. Our Security team has blocked identified malicious apps and is investigating other potentially malicious apps. We’re also identifying impacted customer portals and will notify them directly once impact is confirmed.

Red Flags to Watch

  • Look out for Unsolicited Emails or Calls: Be skeptical of any unexpected email or call appearing to be from HubSpot Support or your own company IT support, especially if it is requesting to install an app.

  • Do not install Apps from Email Links: Unless you know and trust the app developer, app integrations should only be installed from the HubSpot Marketplace. When installing an app from outside the Marketplace, HubSpot will first provide you with a warning that you are installing an unverified app.

  • Check Email Senders: All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. Please review the display name and the “sent from:” email address if you receive suspicious or unusual emails.

  • Inspect Links and URLs: Ensure that you are only entering your credentials on the official HubSpot login page.

If you receive suspicious emails from non-HubSpot email domains, please do not click any links or provide personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails. Do not install any untrusted apps.

Key Takeaways

Be vigilant for any suspicious emails from fraudulent email domains, and be mindful of any request to install new or untrusted app integrations to your HubSpot portal. Report any suspicious activity to abuse@hubspot.com.

We will provide additional updates to the HubSpot Trust Center as needed.


HubSpot Update on Jinjava Vulnerability

HubSpot has issued a patch for a critical vulnerability that allows for sandbox bypass and remote code execution that impacts Jinjava, as documented here. Jinjava is a Java-based template engine used to generate dynamic web content that was developed and open-sourced by HubSpot. The vulnerability is fixed in versions 2.8.3 and 2.7.6.

We completed an investigation into this vulnerability’s impact on HubSpot and found no evidence to suggest exploitation of this vulnerability. All Jinjava libraries used by HubSpot have been successfully patched as of January 30, 2026 at 5:33 PM ET.

Background

On January 29, 2026, members of the Assetnote Security research team contacted HubSpot Security to disclose a vulnerability they discovered in HubSpot’s open-source Jinjava code. The vulnerability allows for Sandbox Escape and Remote Code Execution in unpatched versions of Jinjava. HubSpot immediately investigated, and patches were staged and ready to test with our partnering researchers the same day.

On February 2, we deployed the patch and published a Trust Center update regarding the exercise.

Discovery and disclosure of this vulnerability is credited to Shubham Shah, Adam Kues and Tomais Williamson from the Assetnote Security Research Team.

How does HubSpot use Jinjava?

Jinjava is HubSpot’s open-source Java port of Python’s Jinja2 template engine, used to generate dynamic web content. The HubSpot product platform leverages Jinjava in several supporting back-end applications and is a core component of how the HubSpot CMS renders web content. HubSpot’s CMS uses the HubSpot Markup Language (HubL), which itself is HubSpot’s extension of Jinjava. Other instances of Jinjava within HubSpot’s back-end stack, which do not allow rendering of external templates, were not vulnerable.

All vulnerable versions of Jinjava used by HubSpot internally and within the product infrastructure were patched by 5:33 PM ET on January 30, 2026.

HubSpot Customers

HubSpot has remediated any risk to HubSpot-provided tools internally. After investigating, there is no evidence to suggest this vulnerability was exploited historically or that customer data was impacted.

No action is needed by HubSpot customers. Only developers hosting custom-developed web content that utilizes Jinjava should take action to update their own Jinjava libraries to the latest version.

Actions Required for External Usage

Developers using Jinjava in their own projects should update Maven dependencies (com.hubspot.jinjava) to version 2.8.3 or 2.7.6.


Security Advisory: Vishing-Based Attacks Targeting Okta SSO Accounts

HubSpot is aware of reports detailing sophisticated voice phishing (vishing) campaigns targeting Okta Single Sign-On (SSO) accounts. While these attacks are targeting identity providers broadly, we are proactively sharing this information to help customers recognize and prevent these social engineering attempts.

How the Attack Works

Attackers call employees and pose as IT support staff from their company or a service provider. They trick victims into visiting a fake login page designed to steal usernames and passwords. While still on the phone, the attacker uses those stolen credentials to trigger a real login. They then guide the victim through the Multi-Factor Authentication (MFA) step, such as asking for a code or telling them to approve a push notification, to gain full access to the account. Once inside, they can access sensitive data from various business tools and may attempt to extort the organization.

Red Flags to Watch For

  • Unsolicited Calls: Be skeptical of any unexpected call from "IT Support" or "Okta" that creates a sense of urgency.
  • Requests for Interaction: Legitimate support will not ask you to visit non-standard URLs (e.g., company-internal.com) or provide MFA codes over the phone.
  • MFA Mismatches: Pay close attention if you receive an MFA push notification or other security prompts that you did not personally trigger through a verified login attempt.

Key Takeaways

HubSpot and your official service providers will never call you to request credentials or MFA codes.

HubSpot customers utilizing Okta should be vigilant of unsolicited calls claiming to be IT support. If you receive a suspicious call, hang up and contact your internal IT department through official, known channels.

HubSpot and Okta recommend using phishing-resistant MFA, such as hardware keys or authenticators, which are more effective against these real-time relay attacks.


Customer Advisory - Phishing Campaign Targeting HubSpot Users

Threat Overview

HubSpot is aware of a threat report detailing an ongoing phishing campaign targeting HubSpot customers and other SaaS platforms. The campaign deploys business email compromise (BEC) tactics and infrastructure abuse to bypass traditional email security controls.

How the Attack Works

Attackers send emails impersonating HubSpot, requesting users to verify their accounts in connection with “unusual unsubscribe activity.” Notably, while email bodies do not contain typical malicious links, the phishing URL is instead embedded within the sender’s display name. If the malicious link is clicked, it redirects the user to a convincing login page that mimics the legitimate HubSpot login page and steals user passwords and multi-factor authentication (MFA) credentials.

Red Flags to Watch For

All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. Please review the display name and the “sent from:” email address if you receive suspicious or unusual emails. Ensure that you are only entering your credentials on the official HubSpot login page.

If you receive these types of fraudulent emails from non-HubSpot email domains, directing to non-HubSpot pages, please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails.

How to Protect Yourself

Users are encouraged to set up and login with Passkeys. Super Admins can also restrict the permitted login methods for their account to disable password-based logins.

Conclusion

Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to abuse@hubspot.com.


HubSpot is launching a new Trust Center!

We’re excited to announce an upgrade coming to HubSpot’s Trust Center!

On Monday, December 15, 2025, we will be launching an all-new HubSpot Trust Center experience. Our current URL: “trust.hubspot.com” will remain as our one-stop-shop for public information, gated access, and communications on HubSpot’s security and compliance posture, but with an improved browsing experience and new features that will make it easier to find the information you are looking for.

Actions Needed From You:

As a current HubSpot Trust Center subscriber, you will need to re-subscribe to our Trust Center again following the launch (after December 15, 2025) to continue receiving our updates and announcements.

You’ll also need to confirm your email address with our new Trust Center to gain access to our gated Trust Center content, such as our SOC 2 report. Customers with active subscriptions will be provisioned with full access to Trust Center content after confirming their email.

Trust Center subscribers who are not active HubSpot customers will need to complete HubSpot’s clickwrap NDA to un-gate all content, just like how the HubSpot Trust Center works today.

What’s Coming:

We’re excited to offer you easier access to our documentation, as well as an interactive knowledge base to answer our most commonly asked security and compliance questions. Keep a lookout for more features in the months ahead.


Updated Documents Now Available on HubSpot’s Trust Center

HubSpot is excited to announce that the 2025 Corporate Network Penetration Test report is now available for review in our Trust Center. This assessment focused on our corporate network’s external attack surface and all publicly accessible corporate network assets.

Additionally, we have published an updated version of the HubSpot Network Diagram that contains new, up-to-date information around our network architecture.


HubSpot’s Response to React Vulnerability

On December 3, 2025, a vulnerability was announced related to popular open-source web development frameworks React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478). These open-source resources are widely used across the internet to build user interfaces.

Is HubSpot Impacted?

HubSpot utilizes React Server Components and Next.js in a limited capacity primarily for internal tools and experimental product research. We have conducted a thorough review of our Product and Corporate environments to determine the full extent of possible exposure to affected versions of React and Next.js.

We have found no evidence to suggest any attempted exploitation of CVE-2025-55182 in our environments.

Actions Taken

We began patching procedures for vulnerable versions of React and Next.js immediately upon becoming aware of the vulnerability. Initial patches based on advisories were completed by December 3, 2025 at 5:14 PM EST.

As of December 4, 2025 at 1:00 PM EST, all vulnerable React and Next.js versions within HubSpot’s production environment were fully patched.

Additionally, HubSpot’s product platform and public APIs are protected behind our Web Application Firewall (WAF). A new ruleset to specifically protect against this vulnerability was fully implemented into our WAF on December 3, 2025 by 5:00 PM EST. All instances of the HubSpot product, as well as HubSpot’s own marketing pages, are fully protected behind our WAF.
HubSpot is also monitoring any potential impact to our third-party vendors.

Next Steps

There is no action needed for HubSpot customers to protect their HubSpot accounts or data. However, customers using React Server Components and/or Next.js in their own environments are strongly encouraged to update to the latest patched versions.

We will continue to monitor the situation and will post any additional updates to the Trust Center as needed.


HubSpot Update on Gainsight Integration Security Incident

Based on our investigation into Gainsight integration activity along with published indicators of compromise (IOCs), we have found no evidence to suggest that HubSpot or our customers were impacted.
The Gainsight integration will remain deactivated from the HubSpot app marketplace until Gainsight fully concludes their investigation to ensure all systems are secure.

HubSpot will continue to follow Gainsight’s investigation updates, and customers should continue to visit Gainsight's status page and Salesforce's status page for updated information.


Gainsight Integration Security Incident

On November 19, Salesforce reported unauthorized activity in their Gainsight integration. Out of an abundance of caution, we have temporarily removed the app from the HubSpot Marketplace and disabled the integration for any HubSpot accounts where it was in use.

We are investigating any potential impact to the HubSpot integration. At this time, there is no evidence to suggest HubSpot or our customers are impacted. We will continue our investigation and have contacted Gainsight to understand the full scope of the incident.

No additional action is needed from HubSpot customers at this time. Customers who did not integrate Gainsight in their HubSpot accounts were not impacted.

For updates on this issue, customers can visit Gainsight’s status page. For Salesforce-related updates, please visit Salesforce's status page.

HubSpot will continue to monitor the situation and will provide updates in our Trust Center as necessary.


HubSpot’s 2025 Application Pentest Attestation Now Available

HubSpot is pleased to announce that the 2025 Application Pentest Attestation is now available for review. This report provides a summary of our latest third-party penetration test against the HubSpot web application, including the LLMs that power HubSpot’s AI features.

HubSpot conducts regular third-party penetration tests to identify potential vulnerabilities and strengthen the security of our platform. The 2025 Attestation report details the scope of testing, the methods employed by independent security experts, key findings, and remediation information.


HubSpot Update on Salesloft Drift Security Incident

September 12, 2025

On September 11, HubSpot deactivated Drift's integration with HubSpot as a precautionary response to Salesloft's latest update.

We have not observed any unauthorized access via the Drift integration beyond what we have previously reported.

HubSpot will continue to monitor the situation and provide updates in our Trust Center as necessary.

As a reminder, customers who did not integrate Drift in their HubSpot accounts were not impacted. HubSpot notified impacted customers on September 9, 2025. If you have not received email notice, there is no evidence of impact to your account.


September 9, 2025

HubSpot Update on Salesloft Drift Security Incident

On August 26, HubSpot became aware of a security incident involving Drift, an AI chatbot tool by Salesloft. While HubSpot does not use Drift internally and was not directly impacted, we investigated Drift integrations in HubSpot customer portals and found evidence of unauthorized access to customer data via Drift Oauth tokens. HubSpot is also monitoring any potential impact to our third-party vendors. It is important to note that this issue did not stem from a vulnerability within the core HubSpot platform, but rather from a compromise of the Drift app connection.

What Happened?

In August 2025, Salesloft disclosed a security incident involving their Drift chatbot service. Threat actors obtained OAuth tokens used to integrate Drift with other platforms, such as CRMs. These tokens were used to access and exfiltrate data in Drift chatbot support cases between August 8 and August 18, 2025.

Although HubSpot is not a direct Salesloft/Drift customer, we took steps to understand how HubSpot and our customers might be impacted and began our investigation on August 26. In this initial investigation, we found no evidence that the OAuth tokens had been used maliciously by searching for known malicious indicators (also known as Indicators of Compromise or IOCs).

HubSpot Security continued to investigate. On September 5, we found evidence of unauthorized access to customer data via Drift OAuth tokens. This access occurred via a new set of IOCs. By Monday, September 8, HubSpot identified a subset of customer portals with Drift integrations that were impacted through unauthorized access to customer data via Drift’s OAuth tokens. On September 9, 2025, HubSpot notified all impacted customers.

Customers who did not integrate Drift in their HubSpot accounts were not impacted. Not every HubSpot customer who installed the Drift integration was impacted by this incident. If you have not received email notice, there is no evidence of impact to you and we are continuing to monitor the situation.

Actions Taken and Next Steps

HubSpot is investigating our customers’ Drift usage and our own third-party vendors to understand impact and next steps.

  1. Starting on August 26, we reviewed logs based on Salesloft’s guidance, threat intelligence reports, and our own analysis. In our initial investigation, we found no evidence of the known IOCs.

  2. Our team conducted threat hunting which yielded new, additional IOCs, and on Friday, September 5, 2025, HubSpot discovered evidence of unauthorized access to customer data via compromised Drift OAuth tokens on August 28. We have shared these new IOCs below for your review.

  3. We have notified impacted customers and have shared steps they can take to review information that was likely exposed.

  4. We have been in communication with Salesloft while they have secured their environment. On August 29, 2025, Salesloft rotated compromised Drift tokens for their HubSpot integration. This revoked any unauthorized access to HubSpot and Drift data. On September 6, 2025 Salesloft confirmed that the incident had been fully contained in their environment.

  5. HubSpot has been in communication with our vendors to understand how HubSpot may have been impacted by this event. A small number of our vendors have confirmed that they were impacted, and that some HubSpot data was in-scope. We have conducted thorough investigations and at this time, we have found:

  • no evidence of customer data being exposed through third party providers that support the product
  • no evidence of any sensitive HubSpot data being exposed through our corporate supply chain.

We will continue monitoring our vendors.

With these actions we consider the incident closed, but we will continue to monitor the situation and provide updates in our Trust Center as necessary.

Our investigation revealed a number of new Indicators of Compromise which we’ve provided in the TXT file here: https://www.hubspot.com/hubfs/Security/2025-09-09-drift-iocs.txt. Our intelligence sources indicate these IPs are operated by Oculus Proxies.


Security Advisory: Malicious App Vishing Campaigns

Threat Overview

HubSpot is aware of a threat report detailing sophisticated voice phishing (vishing) campaigns where attackers impersonate IT support personnel to trick victims into authorizing malicious applications to be connected to their Salesforce instances. At this time, we have no evidence that HubSpot customers are being targeted. However, since these attacks have been successfully used against customers of SaaS products with associated app marketplaces, we believe similar techniques could pose a significant risk to HubSpot customers.

How the Attack Works

Attackers begin by calling victims and posing as IT support staff from either the victim's organization or the SaaS provider itself. They manipulate employees into installing a malicious app integration in their SaaS instance using convincing telephone-based social engineering. Once authorized, the malicious app gains broad access to your data which allows attackers to extract information from the compromised environment. The malicious app remains connected and authorized until manually revoked which allows attackers to return and extract additional data over time. The stolen data is either sold on dark web markets, used for further attacks, or leveraged in extortion attempts against the victim organization.

Red Flags to Watch For

Be suspicious of unsolicited calls claiming to be from IT support or HubSpot, especially those using urgency tactics. Other warning signs include requests to:

  • install or authorize new applications
  • visit specific websites or enter codes
  • gain credentials, MFA codes, or permissions to remotely access your computer

When reviewing app authorization requests, watch for apps with names that mimic legitimate tools but have slight variations, apps requesting excessive permissions, authorization requests from unknown or suspicious-looking applications, and apps that don't match your organization's approved software list.

HubSpot displays clear warnings when you're connecting an app that hasn't been reviewed or verified by HubSpot - pay attention to warning banners within your portal.

How to Protect Yourself

Before authorizing any connected app, pay attention to warnings displayed by HubSpot. If HubSpot shows a warning that you're connecting an unverified app, take extra caution and verify the app's legitimacy.

  • Only authorize apps that are officially approved by your organization, carefully examine what data access the app is requesting, and ensure the app comes from a trusted developer or is officially endorsed by HubSpot.
  • Have a super-admin user carefully review which users have access to install Marketplace apps, and revoke this access for any user unless it is necessary.
  • Never provide credentials, MFA codes, or authorize apps during unsolicited phone calls.
  • Report suspicious calls to your IT security team immediately, be skeptical of urgent requests especially those involving data access, and when in doubt, hang up and verify through official channels.

Key Takeaway

Remember: HubSpot will never call you asking to install applications or provide credentials. Any such requests should be treated as potential social engineering attempts. When in doubt, verify independently through official channels before taking any action. This type of attack relies entirely on tricking users—there are no technical vulnerabilities being exploited. Your vigilance and following proper verification procedures are the best defenses against these sophisticated social engineering campaigns. If you believe you have been targeted by this attack, report it to HubSpot support.


HubSpot Product Update - New Security Contact Role

HubSpot is excited to announce a new Security Contact role in all customer accounts. To access it, users with Billing Admin permissions can log in and navigate to Company Name (top right) > Account & Billing > Company Info.

We strongly recommend designating your Cybersecurity and Incident Response team, Chief Information Security Officer, or other individual best suited to receive Security notifications from HubSpot. Distribution lists are allowed, and this role does not have to be a user in the HubSpot portal. For more information on setting up this new role, and your Account’s other Primary Contacts, please visit our Knowledge Base.


HIPAA Attestation & 2025 SOC 2 Report Now Available

We are pleased to announce that HubSpot has obtained independent HIPAA attestation, now available for customers on the HubSpot Trust Center. This compliance achievement demonstrates the effectiveness of HubSpot’s security practices in supporting our HIPAA-regulated customers, reinforcing our ongoing commitment to safeguarding Protected Health Information (PHI) and to helping organizations meet their HIPAA obligations with confidence.

Additionally, our 2025 SOC 2 Type II report is now available for download on the Trust Center. The report covers the period of 5/1/2024 - 4/30/2025 and includes several new controls and enhancements to existing controls that strengthen our security and compliance posture. We’ve detailed these new controls and control enhancements in an updated version of our Compliance FAQs, available on the Trust Center.

All systems and features that have launched in General Availability on or before 4/30/2025 are included in the report, including Breeze and our three new Regional Data Centers.


Customer Advisory - Fraudulent HubSpot Account Notification Emails

HubSpot is aware of recent phishing email campaigns designed to look like HubSpot account notifications. The emails have used various subject lines such as “New Login Detected,” “Credential Reset Request,” and “Urgent: Review Your Recent Email Campaign.” The emails appear to come from a HubSpot sender, imply that certain features within a HubSpot portal have been temporarily restricted, and may contain a malicious link to review certain activity.

These emails are fraudulent and were not sent from HubSpot. Please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails. If you provided your username or password, or suspect your portal has been compromised, please reset your password and review your account activity.

All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. If you receive a suspicious email, be sure to check the sender’s address and exercise caution with any links or attachments. HubSpot offers the ability for Super Admins to restrict the available login methods for users in their account, or set up Passkeys for passwordless authentication. For users with two-factor authentication (2FA) enabled, please be sure to enter 2FA verification codes on official HubSpot login pages only.

When logging into HubSpot, ensure that you verify the domain is a legitimate HubSpot domain at hubspot.com. These phishing campaigns are using fake domains designed to appear similar to a HubSpot domain, but they are not legitimate. Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to abuse@hubspot.com.


Customer Advisory - Fraudulent HubSpot Account Notification Emails

HubSpot is aware of recent phishing email campaigns designed to look like HubSpot account notifications. The emails have used various subject lines such as “HubSpot SPAM Complaint Notice” and “Account Restriction Notice.” The emails appear to come from a HubSpot sender, imply that certain features within a HubSpot portal have been temporarily restricted, and may contain a malicious link to “Review Complaint”.

These emails are fraudulent and were not sent from HubSpot. Please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails. If you provided your username or password, or suspect your portal has been compromised, please reset your password and review your account activity.

All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. If you receive a suspicious email, be sure to check the sender’s address and exercise caution with any links or attachments.

Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to Customer Support or your Customer Success Manager so we can investigate.


Updated Security Overview Now Available

HubSpot is pleased to announce that an updated version of our Security & Compliance Overview is now available on the HubSpot Trust Center for review. This document serves as HubSpot’s in-depth guide to our Security, Compliance, and Privacy posture.

The Security Overview will also be available localized in all of HubSpot’s supported languages (German, Spanish, French, Japanese, and Portuguese) in the coming weeks.

We have also published a new DORA FAQ to address customer questions around the Digital Operational Resilience Act (DORA), and have updated the CAIQ pre-filled questionnaire.


HubSpot Update on October 2024 Lottie Player Security Incident

On October 30, 2024, at 6:45 pm ET, HubSpot was made aware of a vulnerability in Lottie Player, a widely-used JavaScript animation library which enables animations created in Adobe After Effects to integrate into web and mobile applications. Affected customers may have included Lottie Player on their HubSpot website independently, or may have used a Marketplace template which included Lottie Player.

Affected customers would have seen an unintended pop-up on their webpage(s) directing them to “Connect Wallet” or “Get a Wallet”.

The vulnerability has been identified and Lottie Player maintainers implemented a fix at 7:30 pm ET. For more context on the supply chain attack targeting Lottie Player, see LottieFiles’ official statement and timeline here.

No additional action is needed from customers.

If you are concerned about the security of Lottie Player, please ensure you are running the latest released version (2.0.8), or you can remove associated code from your HubSpot website. This may mean removing a template or working with template creators to find alternative modules. For specific guidance, we encourage you to review this information with your IT or Security team.


Customer Advisory - Bad Actors Impersonating HubSpot Employees

HubSpot is encouraging customers to stay alert of bad actors who may be impersonating HubSpot employees.

Through recent reports, we have found that bad actors are spoofing HubSpot support numbers and/or impersonating HubSpot employees in an attempt to gain access to HubSpot accounts.

Here’s how to spot a HubSpot impersonator:

  • Receiving an unprompted call from a HubSpot employee. HubSpot’s support team will not proactively reach out to you unless you have initiated a call back through your account. If you are unsure whether a call is from a legitimate HubSpot employee, hang up and contact us using one of our contact methods.

  • The caller instills a sense of fear or urgency. We will never use scare tactics to convince you to share account information. We will never ask you to share your HubSpot account credentials, including your password and two-factor authentication code(s).

Ensure your account is secure by:


New Sensitive Data Resources & Updated Security Documents Now Available

HubSpot is thrilled to announce a new product feature which allows customers to store Sensitive Data within HubSpot. We have published a new Sensitive Data FAQ and Sensitive Data Implementation Guide to the Trust Center to help empower your understanding and use of these new product features.

We have also updated a number of other Trust Center resources, including the Compliance FAQs, and the CAIQ and SIG pre-filled questionnaires.


Customer Advisory - Fraudulent HubSpot Account Notification Emails

HubSpot is aware of recent phishing email campaigns designed to look like HubSpot account notifications. The emails have used various subject lines such as “New Login Detected/Location” and “Action Required: Validate Your Account.” The emails appear to come from a HubSpot sender, imply a potential account compromise and may contain a malicious link to "Re-Login" or "Validate your account."

These emails are fraudulent and were not sent from HubSpot. Please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails.

All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. Please review the “sent from:” email address if you receive suspicious or unusual emails.

Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to Customer Support or your Customer Success Manager so we can investigate.


HubSpot’s AI Trust FAQs and 2024 Application Pentest Attestation Now Available

HubSpot is excited to announce the release of our AI Trust FAQs, now available for download in the Trust Center. This new resource addresses common questions surrounding the security, privacy, compliance, and governance of AI products offered by HubSpot.

In addition, the 2024 Application Pentest Attestation is now available for download. This report provides a summary of our latest third-party penetration test against the HubSpot web application.


HubSpot June 2024 Security Incident

July 12, 2024

HubSpot June 2024 Security Incident Investigation Complete

As of July 12, 2024, our investigation is complete. At the close of our investigation, we confirmed that bad actors were able to gain unauthorized access to less than 30 HubSpot customer portals. All impacted customers have been notified via email and steps have been taken to secure their accounts.

The incident began June 22, 2024 and was resolved by June 27, 2024. We have seen no new instances of unauthorized access in 14 days.

In response to this incident, our Security team:

  • Deactivated and blocked bad actor accounts as we identified them;
  • Audited login and signup activity to identify all affected customers;
  • Reset passwords of some users based on the results of the investigation;
  • Provided audits of portal activity to impacted customers.

The core tenets of HubSpot’s security program are to safeguard customer data and to maintain customer trust. HubSpot uses a defense-in-depth approach to implement layers of security throughout our organization. We’re passionate about developing new security controls and continuously refining our existing ones to protect our customers. Please see our Security Overview document and request a copy of our SOC 2 Type 2 Report for more information on our security program overall.


July 1, 2024

July 1, 2024 Update: HubSpot June 2024 Security Incident

HubSpot continues to investigate this incident, however as of 12pm ET on July 1, 2024, we have seen no new instances of unauthorized access in over 90 hours. We have contacted all impacted customers at this time. We will post an update at the end of the investigation.


June 28, 2024

On June 22, 2024, HubSpot identified a security incident that involved bad actors targeting a limited number of HubSpot customers and attempting to gain unauthorized access to their HubSpot accounts.

HubSpot triggered our incident response procedures, and since June 22, we have contacted impacted customers and taken necessary steps to revoke the unauthorized access to protect our customers and their data. In addition, the HubSpot Security team has been actively investigating and blocking attempts to gain access to customer accounts.

While our investigation is still underway, we believe based on our initial assessment that the bad actors were able to gain unauthorized access to less than 50 HubSpot accounts.

As of 4:00 pm ET, June 28, we have seen no new instances of unauthorized access in the last 24 hours, and we have contacted all impacted customers at this time.

Though the investigation is ongoing, based on our current assessment of the incident, we believe that the impact will be isolated to a small subset of the HubSpot customer base. We will post an update at the end of the investigation in the spirit of continued transparency. We have also posted this update to our Investor Relations page at https://ir.hubspot.com/news-releases/news-release-details/hubspots-statement-regarding-june-22-2024-security-incident.


HubSpot Achieves EU Cloud Code of Conduct Level 2 Compliance, Report Now Available

We are proud to share that HubSpot is now certified by the EU Cloud Code of Conduct for demonstrating GDPR compliance as a cloud service provider.

Achieving the Code’s Level 2 Compliance Mark reinforces our commitment to safeguarding our customer’s data and our high standards for security, privacy and compliance.

The report is available for download from the HubSpot Trust Center, and the EU Cloud Code of Conduct public register.


HubSpot’s 2024 SOC 2 and Updated Security Documents Now Available

HubSpot is pleased to announce the release of our 2024 SOC 2 Type II report, now available for download in the Trust Center. The report covers the period of 5/1/2023 - 4/30/2024 and includes several new controls, as well as enhancements to existing controls, that strengthen our security and compliance posture. All systems and features that have launched in General Availability on or before 4/30/2024 are included in the report, including most AI-powered features (excluding ChatSpot).

In addition to our SOC 2, we’re excited to share the following resources as part of our commitment to accessible & transparent information regarding our approach to security, privacy and compliance:

  • Sensitive Data Beta FAQs - New!
  • Compliance FAQs - New!
  • SOC 3 - Updated
  • Corporate Pentest Attestation - Updated
  • Pre-filled security questionnaires:
    • CAIQ v4 - Updated
    • SIG Lite - Updated
  • Clearbit SOC 2 Report - Legacy
  • Clearbit TRUSTe Certification - Legacy

HubSpot Update on Dropbox Sign Security Incident

On May 2, 2024, HubSpot was notified by our service provider, Dropbox, about a security incident involving their e-signatures service. This service is used by some HubSpot customers as part of the quoting tool.

What Happened:
On April 24, Dropbox discovered a third party gained unauthorized access to Dropbox Sign, a tool used by some HubSpot customers in Sales Hub and Commerce Hub.

Based on Dropbox’s investigation, HubSpot customers’ contacts who have received or signed a quote, up to and including April 24, through our e-signatures tool had their email address and name exposed. Additionally, the email address and name of any countersigner on your HubSpot portal has also been exposed. However, there is no evidence to suggest unauthorized access to the contents of HubSpot customers’ quotes, or their payment information.

Customers or customer contacts who created a Dropbox Sign account also had information such as email addresses, usernames, phone numbers and hashed passwords exposed. In addition, general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication may have been compromised. Dropbox will be contacting these individuals directly.

Actions to Date & Next Steps:
HubSpot rotated any API keys and OAuth tokens that may have been exposed to re-secure our e-signature integration. Additionally, we have rotated the passwords for our Dropbox Sign user accounts and, at this time, have found no evidence of unauthorized access to HubSpot’s Dropbox Sign account. See what actions Dropbox has taken here.

At this point, all potentially affected customers have been notified via email. We will continue to monitor the situation and provide updates to affected customers if there are any changes that impact your HubSpot account.


HubSpot Update on HTTP/2 and Libwebp Vulnerabilities

Recently two zero-day vulnerabilities were announced, one related to HTTP/2 (CVE-2023-44487) and the other related to the libwebp library (CVE-2023-4863).

HubSpot has conducted thorough investigations and is fully protected against both vulnerabilities.

There is no evidence of any exploitation, and there is no action required from HubSpot customers. We have checked with our sub-processors regarding both vulnerabilities, and are monitoring their responses.


HubSpot Not Impacted by MOVEit Vulnerabilities

Recently two zero-day vulnerabilities were announced related to the MOVEit file transfer application. HubSpot has conducted a careful review of our Product and Corporate infrastructures and can confirm that there is no use of the MOVEit applications internally at HubSpot. Based upon our review, HubSpot is not impacted by CVE-2023-34362 or CVE-2023-35036.

Additionally, we have reached out to our 3rd party vendors and have confirmed that at this time, there is no evidence of compromise related to these CVEs to any of HubSpot's 3rd party vendors.


HubSpot's 2023 SOC 2 Type 2 & SOC 2 Type 3 Reports Now Available

HubSpot is excited to announce the release of our 2023 SOC2 Type 2 and SOC3 reports, which are now available for download in the Trust Center. The reports cover the period from 5/1/22-4/30/23. Our new reports include all Hubs in one report, including OpsHub which was in a standalone report for the previous period.


HubSpot's SOC 2 & SOC 3 Reports

June 16, 2022

Update to HubSpot's SOC 2 & SOC 3 Now Available

For this year’s audit, we asked for a second helping of SOC reports.

Given the release timing and infrastructure of HubSpot’s new product, Operations Hub (Ops Hub), we elected to cover this in a separate SOC 2 Type II Report. HubSpot’s Ops Hub SOC 2 report covers a 6 month period dating from 11/1/21-4/30/22. The CRM, Marketing Hub, Sales Hub, Service Hub, and CMS Hub are covered under the HubSpot Platform SOC 2 report.

Report Changes
  • In our efforts to comply with the EU data localization requirements per the GDPR, HubSpot launched a new EU Data Center on 07/19/2021. SOC 2 controls were designed/implemented/validated for the EU instances of in-scope systems prior to the EU data center launch and these systems are included in our new report!
  • As of 01/15/2022, HubSpot launched a new HubSpot Payments Tool powered by Stripe. SOC 2 controls were designed/implemented/validated for Stripe prior to the public launch and are included in our new report.

July 26, 2021

HubSpot's SOC 2 Type 2 & SOC 3 Now Available for Download!

We are delighted to announce that HubSpot now has a SOC 2 Type II report and SOC 2 report available for our customers and prospects!
These reports represent an independent third-party verification that HubSpot has specific controls in place governing the security and availability of our product, as well as the confidentiality of our customers' data.


HubSpot's Transfer Impact Assessment (TIA)

January 20, 2023

HubSpot's TIA Now Available in More Languages!

We're excited to share that our TIA is now available in French, German, Portuguese, and Spanish to help support our EMEA customers.


May 10, 2022

HubSpot's TIA Now Available for Download!

We're delighted to announce that HubSpot now makes its Transfer Impact Assessment available for customers and prospects on a self-serve basis.

The new SCCs require data exporters (i.e. customers) to document their data transfer. Our TIA includes infomation to support customers in conducting a risk assessment of transferring data outside of the EU.


HubSpot's Response to Log4J

September 6, 2022

Update to HubSpot's Response to Log4J

A vulnerable version of Log4j was discovered in HubSpot’s infrastructure by a security researcher and responsibly disclosed to us through the HubSpot bug bounty program on August 28, 2022.

HubSpot investigated the reported findings and performed the following actions:

  • Confirmed that a small legacy portion of our logging infrastructure contained the vulnerable version of Log4j
  • Patched and fixed the affected service to remove the vulnerability
  • Inspected multiple log sources to confirm that no malicious attempts to exploit the vulnerability had been found

At this time, no action is required by HubSpot customers. HubSpot Security will continue to monitor for any potential exposure to this vulnerability and assess additional safeguards to help prevent future exploitation. We will update this page as needed.


December 14, 2021

HubSpot's Response to Log4J

HubSpot is aware of ongoing security issues related to open-source Apache “Log4j2”. We know that the security of your HubSpot tools is especially important given the uncertainty around these events. HubSpot customer-facing tools do not use Log4j2 as a logging tool, and are not susceptible to the vulnerabilities that have been discovered thus far.

We are committed to continued monitoring of the situation, thorough review of the HubSpot tools as new information becomes available, and to do our best to provide you with the information you need to feel secure for your business.

Log4J Vulnerability Background

Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.

HubSpot Response & Actions Taken

We have performed a thorough investigation and found no HubSpot customer-facing tools that use Log4j2.

Since we became aware of the vulnerability, HubSpot has taken a number of steps to identify and mitigate any risk to our products and our customers.
We have implemented:

  • Full scans of all production services to confirm that they don't have a dependency on the Log4j2 library. Precautions to prevent use of the vulnerable version of Log4j2 in future systems.
  • Updated Web Application Firewall rules to avert exploitation attempts.
  • We will continue regular vulnerability scans on all HubSpot systems as outlined in our security resources.
  • We have requested details of any potential vulnerabilities from all sub-processors of the HubSpot product, and are monitoring their responses. HubSpot’s most important sub-processors, including Amazon Web Services, Google Cloud, Cloudflare, and Snowflake were either not vulnerable or have already begun patching the vulnerability across their networks.

Conclusion & Update

HubSpot Corporate Security, which monitors the internal tools that HubSpot employees use, is systematically reviewing each HubSpot Corporate internal system. If any system is found to be vulnerable, we will rapidly patch the instance, or apply other mitigation tactics as advised by the vendors we use.

We will continue to investigate any potential exposure to this vulnerability and alert our customers as required. At this time, HubSpot customers do not need to take any action related to their use of HubSpot software.

If you have specific questions related to this event, please contact HubSpot Support.


Powered by Conveyor, the first end-to-end customer trust platform.
Learn more