HubSpot, GDPR & Schrems II: An Honest 2026 Field Guide for European Compliance Officers
Most "is HubSpot GDPR-compliant?" articles are written by HubSpot partners.
So they skip the parts that don't sell licences.
This one is written for the person who has to put their name on the risk-acceptance memo.
The Head of IT, the Compliance lead, the CISO, the Finance Director who chairs the vendor risk committee. The person who isn't the buyer, but is the veto-holder.
The candid answer is that HubSpot GDPR compliance is achievable for the vast majority of European B2B use cases — provided you treat the platform as a system to be governed, not a checkbox to be ticked.
Key takeaways
1. HubSpot GDPR compliance is achievable for most European B2B use cases, but the platform has to be governed, not just configured. The work that breaks compliance in practice is the absence of a TIA, a documented retention rule, and an audit trail wrapped around the product.
2. HubSpot operates in three legal roles: processor, independent controller, and controller-alongside-customer. The third role activates when you use Breeze Intelligence or have Tracking Code Intent data sharing enabled — the latter auto-enabled on 1 December 2024 unless you actively opted out. Verify it in your portal today.
3. Transfer risk is mitigated by a layered mechanism. The EU-US Data Privacy Framework (HubSpot participant ID 5812) is primary; the 2021 SCCs sit underneath as Schrems-III fallback. You still need to run your own TIA covering FISA 702, EO 12333, EO 14086 and residual CLOUD Act exposure.
4. EU hosting in Frankfurt is free, self-service and runs in around 8 hours, but it doesn't cover everything. Telemetry, support activity, and several feature sub-processors (Twilio, Stripe, Litmus, Mux, WhatsApp, OpenAI) flow to the US regardless of your hosting region.
5. HubSpot itself is not ISO 27001 certified — only the AWS infrastructure layer underneath is. SOC 2 Type II is the primary independent attestation. BSI C5 and TISAX are not held either. Document the gap and secure executive risk acceptance if your policy mandates ISO 27001.
6. HubSpot's lawful-basis property is a documentation layer, not a legal layer. Selecting "Legitimate interest – Lead" in a dropdown does not create a legitimate interest — only a documented LIA does. The same goes for the cookie banner: "Notification" mode is informational only and not GDPR/ePrivacy-valid in EU markets.
7. NIS2, DORA, the EU AI Act and the EU Data Act are the 2024–2026 regulatory layer to brief your board on. There is no public HubSpot DORA addendum yet — financial-services customers should open the conversation in writing during the next renewal.
HubSpot has done substantially more than most US-headquartered SaaS vendors to be defensible in Europe: a counter-signed DPA, EU hosting in Frankfurt since 2021, dual transfer mechanisms (EU-US DPF plus 2021 SCCs), a published sub-processor list with 30-day notice, and a granular set of privacy tools inside the product.
It also has gaps. We'll name them.
This guide gives you the mental model, the things to verify in your own portal this week, the country-by-country quirks for B2B email, the recent regulatory layer (NIS2, DORA, AI Act, ePrivacy Regulation withdrawal) you should be briefing your board on, and a 20-point governance checklist you can hand to audit.
What's in this guide
- HubSpot GDPR compliance in 90 seconds
- HubSpot's legal posture: processor, controller, and the dual role most customers miss
- Schrems II, the EU-US DPF, and what your TIA actually has to say
- EU hosting in Frankfurt: what it solves and what it doesn't
- Sub-processors: the ones you can't opt out of, and the ones you can
- Lawful basis, consent, and the parts where the UI lies
- DSARs, retention and audit trails
- The 2024–2026 regulatory layer to brief your board on
- Common pitfalls — pre-built risk register
- The 20-point HubSpot governance checklist
- The Superwork view
HubSpot GDPR compliance in 90 seconds
For the reader who only has time for the bottom line:
What works in HubSpot's favour. HubSpot publishes a current DPA at legal.hubspot.com/dpa with 2021 EU SCCs, the UK Addendum (IDTA) and Swiss modifications. EU customers can host their core CRM in Frankfurt at no additional cost via a self-service migration that typically completes in 8 hours.
HubSpot is certified under the EU-US Data Privacy Framework (participant ID 5812), with the UK Extension and Swiss-US DPF also active. SOC 2 Type II is audited annually, with a public SOC 3 summary.
The product itself ships with the controls you'd expect: data privacy settings, cookie consent management, subscription types, lawful-basis fields, double opt-in, a Data Privacy Request portal and a Permanent Delete API.
What changes in 2026. Three things make the platform meaningfully more defensible than it was two years ago: the three new data centres that went live on 4 February 2025 (Montreal, Sydney, Oregon), joining Frankfurt, which has been available since 2021; HubSpot's voluntary continuation of the dual DPF + SCCs mechanism as Schrems-III insurance; and the AI Trust commitments published alongside the Breeze suite (no training on customer data, AI inheriting portal permissions, processing in the customer's data centre region).
What doesn't go away. HubSpot itself is not ISO 27001 certified — only its underlying AWS infrastructure is. There's no customer-managed key option (no BYOK). Even Frankfurt-hosted accounts have telemetry, support activity and several feature sub-processors (Twilio, Stripe, Litmus, Mux, WhatsApp, Google reCAPTCHA) that flow data to the US.
The HubSpot Tracking Code's "Intent data sharing" setting auto-enabled on 1 December 2024 unless customers actively opted out — many didn't. Bulk DSAR deletion is API-only. The DPA binds by reference, which procurement teams rarely accept gracefully.
What the next 90 days should look like. Audit the tracking-code intent setting. Subscribe to sub-processor change notifications. Pull the latest SOC 2 Type II via the Trust Center. Document a TIA covering FISA 702, EO 12333 and CLOUD Act exposure. Confirm hosting region.
Configure cookie banner in opt-in mode. Populate lawful-basis fields. Define a retention rule. If you're in financial services, start the DORA Article 30 conversation with your account team in writing — there's no public addendum yet.
That's the executive summary. The rest of this article is what's behind it.
HubSpot's legal posture: processor, controller, and the dual role most customers miss
The first thing to understand is that HubSpot is not just your processor.
The DPA establishes a three-way role split. HubSpot acts as a processor when you use the Subscription Services — CRM, Marketing, Sales, Service, Content, Operations and Commerce Hubs — to process contact data. It acts as an independent controller when individuals interact directly with HubSpot itself (visiting hubspot.com, attending events, signing up for trials), with HubSpot Ireland Limited named as the controller for EEA and UK individuals.
And — this is the part most customers miss — it becomes an independent controller alongside you in two specific scenarios: when you use Breeze Intelligence enrichment, and when you use the HubSpot Tracking Code with the Intent data sharing toggle enabled.
That second scenario matters more than it sounds. On 18 September 2024, HubSpot published a Legal Stuff update that gave customers until 1 December 2024 to opt out of Tracking Code Intent data sharing. After that date, the toggle auto-enabled.
The result: many EU portals are now in an unintended Controller-to-Controller data flow with HubSpot, and the people responsible for compliance don't know it. This is the first thing to verify in your account. Settings → Tracking & Analytics → Tracking Code → Intent.
The DPA is incorporated by reference into the Customer Terms of Service §5.4 — there's no separate signature ceremony. HubSpot publishes a counter-signed PDF dated 3 September 2025 (signed by Nicholas Knoop, HubSpot's DPO).
Most procurement and vendor-risk teams want their own counter-signed copy for the file. We recommend doing that even though it adds nothing legal — it makes your audit trail cleaner and saves an awkward conversation eighteen months later.
One contractual detail with operational consequences: special categories of personal data are explicitly out of scope of the standard DPA. The clause reads "Special categories of Customer Personal Data will not be Processed under this DPA."
If you're in healthcare or HR and you're putting Article 9 data into a vanilla HubSpot portal, you're processing outside what the contract contemplates. The separate Sensitive Data Settings and HIPAA path on Enterprise tiers (with its own Sensitive Data Terms) is the only sanctioned route. Confirm this before any compliance-sensitive sector goes live.
Schrems II, the EU-US DPF, and what your TIA actually has to say
HubSpot, Inc. is headquartered in Cambridge, Massachusetts. Every EU-to-HubSpot data flow is therefore a restricted transfer under Chapter V of the GDPR, and the Schrems II judgment of 16 July 2020 (CJEU C-311/18) is the framework everything else sits on top of.
Schrems II invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only when paired with a case-by-case assessment of whether the destination country provides essentially equivalent protection — focused on US surveillance laws (FISA §702, EO 12333). The EDPB's Recommendations 01/2020 (final 18 June 2021) operationalised that as the Transfer Impact Assessment requirement.
HubSpot's response is, for once, exactly what European compliance officers want to see: a layered, redundant mechanism with explicit fallback if any single instrument fails.
The primary mechanism is the EU-US Data Privacy Framework, adopted by Commission adequacy decision on 10 July 2023 and grounded in Executive Order 14086 (October 2022), which introduced necessity/proportionality safeguards and the Data Protection Review Court. HubSpot's certification (NON-HR scope, recourse through the EU DPA panel, FTC enforcement) is active and verifiable at dataprivacyframework.gov/participant/5812. The Swiss-US DPF is active alongside FDPIC adequacy that took effect 15 September 2024. The UK Extension is active under the UK "Data Bridge" effective 12 October 2023.
The fallback mechanism is the 2021 EU SCCs. The DPA uses Module 2 (Controller-to-Processor) when you're the controller, Module 3 (Processor-to-Processor) when you're a processor for your own customers, and Module 1 (Controller-to-Controller) for the Breeze and Tracking Code Intent flows. Clause 7 docking applies, Clause 9 Option 2 is selected (general written authorisation for sub-processors), and Clauses 17/18 default to Irish law and the Irish DPC. The UK Addendum (IDTA Version B.1.0) and Swiss FADP modifications are layered on top.
The dual-mechanism approach is deliberate. HubSpot's DPA §11.1 and §11.2 make clear that if DPF is invalidated by a future "Schrems III" challenge — and noyb has telegraphed exactly that intention — the SCCs continue to apply without needing a renegotiation. That continuity insurance is one of the more thoughtful pieces of HubSpot's compliance posture.
Now the candid bit. Adequacy doesn't make CLOUD Act exposure go away. The US CLOUD Act of 2018 lets US authorities compel a US-headquartered provider to produce data regardless of where it's stored — including in Frankfurt. HubSpot publishes a Transfer Impact Assessment that addresses this, but it's gated under NDA via the Trust Center on Conveyor rather than as a public PDF on legal.hubspot.com.
Request it during procurement. Do not skip your own TIA on the strength of HubSpot's. Your TIA needs to address FISA §702 (reauthorised in April 2024 for two years), EO 12333, EO 14086 safeguards, your specific data categories, and the residual CLOUD Act exposure.
The supplementary technical measures HubSpot offers — TLS 1.2/1.3 with ≥2,048-bit keys in transit, AES-256 at rest, internal KMS, no customer-managed keys — are the headline mitigants you'll cite.
If your sector regulator has explicitly questioned US transfers (parts of German public sector, certain financial supervisors, some health authorities), the dual mechanism plus EU hosting will get you a long way. It will not get you to absolute data sovereignty, and any vendor — not just HubSpot — telling you otherwise is selling you something.
EU hosting in Frankfurt: what it solves and what it doesn't
HubSpot launched its first EU data centre in Frankfurt on AWS (eu-central-1) on 19 July 2021. On 4 February 2025, three more centres went live — Canada (Montreal), Australia (Sydney) and US West (Oregon) — bringing the total to five regional locations. US East (Virginia) remains the global default.
The mechanics for an EU customer in 2026 are straightforward:
- New paid customers. Data centre is automatically assigned at sign-up by IP geolocation. EMEA-based new accounts default to Frankfurt.
- Free-tools-only accounts. Always assigned to the US, regardless of location.
- Existing customers. Stay in their original location until they migrate.
The migration itself is the easiest piece of regulatory housekeeping you'll do all year. It's available through Account Defaults → Data Hosting on Starter, Professional and Enterprise (free accounts have to upgrade first). Self-service. No charge.
Typical run-time around 8 hours, capped at 36 hours of partial unavailability, with public-facing assets staying live throughout. All workflows, reports, historical data and analytics are preserved. You can reschedule up to two days before the migration window.
Three caveats are worth noting: sandboxes are not migrated (you lose them), HubSpot Payments is removed if you migrate outside the US, and accounts with Sensitive Data Settings enabled cannot proceed without account-team involvement.
Now the part most articles don't tell you. Per Customer Terms §5.5.1 and the Regional Data Hosting Policy, EU hosting does not cover everything. The following routinely flow outside the EU even when your portal is in Frankfurt:
- Add-ons, Beta services and third-party integrations from the App Marketplace
- Consulting services delivered by HubSpot or partners
- Breeze Intelligence enrichment data
- Telemetry and usage data (explicitly transferred to the US per the Cloud Infrastructure FAQ)
- Sub-processors flagged with asterisks on the public list
- User access from outside the hosting region (e.g., your EU admin logging in while travelling in Singapore)
- Customer support, security and abuse-prevention activities (handled by global HubSpot teams)
HubSpot's own Terms of Service contain the all-caps disclaimer:
"WE MAKE NO WARRANTY THAT A SPECIFIC HOSTING LOCATION WILL MEET YOUR DATA RESIDENCY REQUIREMENTS."
Read that twice. EU hosting solves the primary storage of CRM core data — contacts, deals, marketing assets, activity logs, files. It is a meaningful reduction in transfer risk. It is not absolute data sovereignty, and it does not eliminate the Chapter V analysis.
Some EU financial-services customers (per published Vantage Point and Huble analyses) deliberately operate separate EU- and US-hosted instances rather than try to make a single global portal carry both regulatory weights.
The other thing worth flagging upfront: HubSpot itself is not ISO 27001 certified. Only the AWS infrastructure layer underneath it is. Several third-party blog posts state otherwise; the HubSpot Knowledge Base contradicts them. SOC 2 Type II is HubSpot's primary independent attestation.
If your organisation's vendor-management policy mandates direct ISO 27001, you'll need to either secure executive risk acceptance for the gap or escalate the request to your HubSpot account team in writing. BSI C5 (the German federal cloud assurance scheme) and TISAX are not held either. For German public-sector or automotive supply-chain procurement, this can be a hard stop.
Quick action for you this week: if your account was created before 19 July 2021 and you've never migrated, you're almost certainly still on US-East hosting. Confirm in Settings → Account Defaults → Data Hosting. If migration is on the table, make sure your TIA reflects the move and update your RoPA accordingly.
Sub-processors: the ones you can't opt out of, and the ones you can
HubSpot's public sub-processor list lives at legal.hubspot.com/sub-processors-page, last modified 2 February 2026, and is incorporated into the DPA by reference. Subscribe to change notifications at legal.hubspot.com/subscribe-subprocessor-updates — this is non-negotiable for any serious vendor-management programme.
HubSpot commits to 30 days' prior notice of new sub-processors, material changes or country changes. The customer's right to object is also 30 days; if no resolution is reached, the customer may suspend or terminate the affected service.
The list breaks into three categories.
Infrastructure (mandatory, EU-hosted).
| Sub-processor | Purpose | EU data centre |
|---|---|---|
| Amazon Web Services, Inc. | Hosting / infrastructure | Germany |
| Cloudflare, Inc. | CDN, DDoS, DNS | Locally routed |
| Google LLC | Regional data processing | Germany |
| Snowflake Inc. | Data warehouse | Germany |
These four cannot be opted out of. All four parent entities are US-incorporated, which is the source of the residual CLOUD Act exposure even when the data centres themselves sit in Frankfurt. Your TIA needs to address this explicitly.
Feature-specific (optional, depend on what you turn on). Ably (chat — Ireland/Germany), AWS for AI in the EEA, ConvertAPI (Netherlands/Germany), Google reCAPTCHA, Dropbox eSign (Germany), Litmus (US, email previews), Meta/WhatsApp (US), Mux (US, video), OpenAI (EEA and Switzerland), Stripe (US, Commerce Hub payments), Twilio (US, calling and SMS).
The honest read: even with EU hosting active, these features individually trigger their own US transfers and deserve their own line in your processing register. If you don't use the feature, you don't trigger the sub-processor.
Affiliates (intra-group). HubSpot entities in IE, DE, AU, SG, JP, CO, SE, FR, UK, BE, CA, ES, NL and IN, mostly providing customer support and engineering staffing, governed by intra-group data transfer agreements.
Two specific calls to action. First, treat OpenAI as a separate decision rather than a default. Enabling Breeze AI features means OpenAI processes prompt and context data on HubSpot's behalf, with contractual restrictions in place against using customer data for model training. That posture is solid, but it is a new sub-processor relationship, and your DPIA screening should reflect it.
Second, when an App Marketplace integration is installed, you've effectively added a new sub-processor that didn't go through HubSpot's vetting process. The third party has its own DPA with you, not with HubSpot. Vendor-risk teams routinely miss this.
Lawful basis, consent, and the parts where the UI lies
HubSpot's GDPR tooling is genuinely good for a US SaaS vendor. It is also widely misunderstood, and the consequences of the misunderstanding tend to land on whoever signs the Article 30 record.
HubSpot splits lawful basis into two distinct layers:
- Lawful basis to PROCESS — recorded on each contact record via the hs_legal_basis property. Default options include Legitimate interest – Lead, Legitimate interest – Customer, Legitimate interest – Other, Performance of a contract, Freely given consent from contact, and Not applicable. There's a free-text Lawful basis explanation field alongside it.
- Lawful basis to COMMUNICATE — recorded per subscription type. Each subscription type can be Subscribed, Unsubscribed or Not specified, and Visibility Rules can hide types from defined audiences.
A contact may have basis to process but not to communicate. With the Send emails to contacts with legal basis setting on (Settings → Privacy & Consent), HubSpot will block marketing sends in that case. Up to 1,000 subscription types per account. Best practice is to align each subscription type to a specific purpose — newsletter, product updates, webinars, customer success digest — rather than one generic "marketing" bucket. That alignment satisfies GDPR's specificity requirement and Germany's Zweckbindung principle.
The honest part. HubSpot's tooling is a documentation and audit layer. It does not validate whether the basis you've chosen is legally defensible. Selecting "Legitimate interest – Lead" in a dropdown does not create a legitimate interest. Only a documented Legitimate Interests Assessment does. The CJEU's KNLTB judgment (C-621/22, 4 October 2024) confirmed that purely commercial interests can qualify, but EDPB Guidelines 1/2024 (8 October 2024) tightened the expectations — vague justifications won't hold up, and necessity must be assessed in light of data minimisation following CJEU C-252/21 Meta v Bundeskartellamt. Treat the property as a label, not a basis.
Country variation. The ePrivacy Directive's Article 13(5) leaves Member States flexibility for B2B email, which is why the same HubSpot send produces 27 different national risk profiles. The shape your team needs in their head:
| Jurisdiction | B2B email regime |
|---|---|
| United Kingdom (PECR Reg. 22) | Corporate subscribers (Ltd, LLP, government): consent not required; legitimate interest typical with documented LIA. Sole traders and unincorporated partnerships are individual subscribers — consent or soft opt-in. |
| Germany (UWG §7(2)(2)) | Strict prior express opt-in for all email advertising including B2B. BGH (10 February 2011, I ZR 164/09) requires double opt-in. Limited UWG §7(3) "existing customer / similar product" exception. |
| France (CNIL) | B2C: opt-in. B2B: opt-out for messages relating to the recipient's professional activity sent to a nominative business address. Generic addresses (info@) are not personal data. CNIL April 2026 guidance requires separate consent for email tracking pixels with a 15 July 2026 compliance deadline. |
| Norway (Marketing Control Act §15) | Consent for natural persons; soft opt-in for existing customers (similar products); B2B to legal entities and generic addresses generally allowed with clear identification + opt-out. CJEU C-654/23 (13 November 2025) extended "in connection with a sale" to free user accounts. |
| Sweden / Denmark / Finland | Broadly mirror Norway — B2B legal-entity addresses allowed; consumer opt-in. |
| Netherlands / Italy | B2B opt-out for corporate addresses; consent for natural persons. |
Germany sits at the strict end. UK, France and the Nordics are more permissive. If your marketing team operates pan-European campaigns out of a single HubSpot portal, the safe default is the strictest applicable rule — which usually means double opt-in and per-purpose subscription types. HubSpot supports double opt-in on all paid tiers (per-form and multilingual on Pro and Enterprise), with the caveat that its DOI is technically an email address confirmation rather than a per-subscription confirmation. Strict per-subscription DOI for Germany requires custom workflow design.
Cookies and the banner. Article 5(3) of the ePrivacy Directive requires consent for cookies regardless of whether the data is personal — and legitimate interest cannot substitute. HubSpot's built-in cookie banner v2 (default for accounts created after November 2022; v1 auto-migration begins 11 May 2026) supports Notification, Opt-in and Opt-out modes with category-level consent (Necessary / Analytics / Functional / Advertisement) and Global Privacy Control honouring as a toggle. The "Notification" banner type is informational only — it is not GDPR/ePrivacy-valid for EU markets. Ship it as Opt-in.
The structural limitation worth knowing: HubSpot's banner records consent but does not technically block third-party scripts loaded outside HubSpot — custom HTML modules, GTM tags, externally embedded LinkedIn Insight Tag, Hotjar, YouTube. The HubSpot tracking code itself sets cookies on page load by default unless opt-in mode is enabled.
CNIL fined multiple organisations through 2024–2025 for exactly this gap. If you have meaningful third-party tracking on the site, the recommended pattern is to disable HubSpot's built-in banner, use an external CMP (Cookiebot, OneTrust, Usercentrics), and let the CMP block the HubSpot tracking script until consent is granted. HubSpot exposes the _hsp JavaScript object's addPrivacyConsentListener and revokeCookieConsent hooks, and the _hsq tracking queue's doNotTrack command, for exactly this integration.
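The CMP-gated pattern above, as an added example written for this guide (it is not HubSpot's code and not any CMP vendor's SDK). It assumes your CMP calls the gate's onConsentChange with an object carrying an analytics flag on every consent change, that you use the standard HubSpot embed (https://js.hs-scripts.com/PORTAL_ID.js with the id hs-script-loader), and that the _hsp and _hsq queue commands behave as HubSpot documents them; the fake document and the portal ID are constructed for the offline demo.

```javascript
// Consent-gated loading of the HubSpot tracking code, driven by an external CMP.
// Added example for this guide; it is neither HubSpot's code nor any CMP's SDK.
// Assumed: the CMP calls gate.onConsentChange({ analytics, advertisement,
// functionality }) on every change; the standard embed is used
// (https://js.hs-scripts.com/<portalId>.js with id "hs-script-loader"); and the
// queue commands are the documented _hsp / _hsq ones named in the text.

const HUBSPOT_LOADER_ID = 'hs-script-loader';

function createHubSpotConsentGate({ portalId, doc, win }) {
  // Both queues must exist before the script loads: HubSpot drains them on load
  // and afterwards executes pushed commands immediately.
  win._hsp = win._hsp || [];
  win._hsq = win._hsq || [];
  let loaded = false;      // loader <script> has been injected
  let trackingOn = false;  // HubSpot is currently allowed to set cookies
  const decisions = [];    // append-only record for your consent log

  // Mirror HubSpot's own view of the categories so the CMP record can be
  // reconciled with it (consent.categories.* per the banner v2 docs).
  win._hsp.push(['addPrivacyConsentListener', (consent) => {
    const cats = (consent && consent.categories) || {};
    decisions.push({ source: 'hubspot', analytics: Boolean(cats.analytics) });
  }]);

  function injectLoader() {
    if (loaded || doc.getElementById(HUBSPOT_LOADER_ID)) return false;
    const s = doc.createElement('script');
    s.id = HUBSPOT_LOADER_ID;
    s.async = true;
    s.defer = true;
    s.src = `https://js.hs-scripts.com/${portalId}.js`;
    doc.head.appendChild(s);
    loaded = true;
    return true;
  }

  function onConsentChange(cmpState) {
    const analytics = Boolean(cmpState && cmpState.analytics);
    let outcome;
    if (analytics) {
      if (!loaded) {
        // First opt-in: clear any queued do-not-track flag, then load.
        win._hsq.push(['doNotTrack', { track: true }]);
        injectLoader();
        outcome = 'loaded';
      } else if (!trackingOn) {
        // Re-consent after a withdrawal: lift do-not-track on the live script.
        win._hsq.push(['doNotTrack', { track: true }]);
        outcome = 'resumed';
      } else {
        outcome = 'unchanged';
      }
      trackingOn = true;
    } else {
      // Opt-out or withdrawal: never load without consent; if already loaded,
      // stop tracking and drop HubSpot's consent cookies.
      win._hsq.push(['doNotTrack']);
      if (loaded && trackingOn) {
        win._hsp.push(['revokeCookieConsent']);
        outcome = 'revoked';
      } else {
        outcome = 'blocked';
      }
      trackingOn = false;
    }
    decisions.push({ source: 'cmp', analytics, outcome });
    return outcome;
  }

  return { onConsentChange, decisions, isLoaded: () => loaded };
}

// Constructed stand-in for the DOM so the gate can be exercised outside a browser.
function makeFakeDocument() {
  const children = [];
  return {
    head: { children, appendChild: (el) => children.push(el) },
    getElementById: (id) => children.find((el) => el.id === id) || null,
    createElement: (tagName) => ({ tagName }),
  };
}

// Demo sequence: reject, accept, accept again, withdraw, re-accept.
function demo() {
  const gate = createHubSpotConsentGate({ portalId: '1234567', doc: makeFakeDocument(), win: {} });
  return [false, true, true, false, true].map((analytics) => gate.onConsentChange({ analytics }));
}

if (typeof window !== 'undefined') {
  // Browser wiring: call window.hubspotGate.onConsentChange from your CMP's
  // consent-change callback. Replace the placeholder portal ID.
  window.hubspotGate = createHubSpotConsentGate({ portalId: 'YOUR_PORTAL_ID', doc: document, win: window });
}
```

The point of the gate is that the script tag is never written to the page until the CMP reports analytics consent, so the default-on cookies described above are never set; the withdrawal path then both stops tracking and revokes HubSpot's consent cookies rather than just hiding a banner. The decisions array is what you export to your consent log as evidence.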
DSARs, retention and audit trails
The day-to-day operational substance of GDPR — responding to data subjects, deleting on request, retaining only as long as necessary, proving who did what — is mostly downstream of the contracts and the architecture, but it's where most enforcement actually happens.
Permanent Delete (formerly "GDPR delete"). Path: CRM → Contacts → record → Actions → Delete → "Permanently delete this contact and all its associated content to follow privacy laws and regulations". Up to 30 days to fully purge across replicas. Once permanently deleted, the email address cannot be re-added through the UI or via import — but it can still re-enter via form submission, connected inbox or API.
That last piece is a governance loophole worth designing around: a suppression list outside HubSpot, plus form/inbox-side blocking rules. Permanent Delete cannot be performed in bulk via lists or workflows — individual records only. A high-volume DSAR programme needs the API: POST /crm/v3/objects/contacts/gdpr-delete, which takes either a contact ID or, with idProperty set to email, the email address itself. Anonymised analytics persist (sessions in traffic-source reports, aggregate email open/click metrics) — this is fine under Recital 26, but flag it in your DSAR response template.
Cross-object cascade. Associated objects (companies, deals, tickets, custom objects) are not automatically cascaded by Permanent Delete. Decide your policy in advance: either build a workflow that deletes associations explicitly, or document that the cascade is a manual step in your DSAR runbook.
Subscription preferences are tied to email address, not contact record. They survive delete-and-recreate cycles. This is actually helpful for honouring opt-outs, but worth knowing.
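The erasure runner and external suppression list described above, as an added example written for this guide (not HubSpot's own tooling). It assumes a private-app token, the gdpr-delete endpoint with the objectId / idProperty body as HubSpot's CRM API documents it, and a suppression store you own; the in-memory Set, the fake fetch responses and the sample addresses are constructed for the offline demo. Associated companies, deals and tickets are not cascaded here, matching the behaviour described above; they need their own pass in your runbook.

```javascript
// Bulk Article 17 erasure through HubSpot's GDPR-delete endpoint, paired with a
// suppression list held outside HubSpot so an erased address cannot quietly
// re-enter through a form, a connected inbox or the API.
// Added example for this guide, not HubSpot's own code. Assumed: a private-app
// token, the endpoint POST /crm/v3/objects/contacts/gdpr-delete taking
// { objectId, idProperty: "email" } as documented in HubSpot's CRM API, and a
// suppression store you own (an in-memory Set here; use a durable table in production).

const HUBSPOT_API = 'https://api.hubapi.com';

function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

function createSuppressionList(initial = []) {
  const set = new Set(initial.map(normaliseEmail));
  return {
    add: (email) => set.add(normaliseEmail(email)),
    has: (email) => set.has(normaliseEmail(email)),
    size: () => set.size,
  };
}

function buildGdprDeleteRequest(email, token) {
  return {
    url: `${HUBSPOT_API}/crm/v3/objects/contacts/gdpr-delete`,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ objectId: normaliseEmail(email), idProperty: 'email' }),
    },
  };
}

// Ingress guard: run on form submissions and inbox ingestion before a record is
// (re)created. Returns the reason the submission must be dropped, or null.
function checkIngress(email, suppression) {
  return suppression.has(email) ? 'suppressed-after-erasure' : null;
}

async function eraseContacts(emails, {
  token,
  suppression,
  fetchImpl = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxRetries = 3,
}) {
  const results = [];
  for (const raw of emails) {
    const email = normaliseEmail(raw);
    if (suppression.has(email)) {
      results.push({ email, status: 'already-suppressed' }); // idempotent re-runs
      continue;
    }
    const { url, init } = buildGdprDeleteRequest(email, token);
    let status = 'failed';
    for (let attempt = 0; attempt <= maxRetries; attempt++) {
      const res = await fetchImpl(url, init);
      if (res.status === 204) { status = 'deleted'; break; }
      if (res.status === 404) { status = 'not-found'; break; }
      if (res.status === 429 && attempt < maxRetries) {
        // Rate limited: honour Retry-After if present, otherwise back off 1s.
        const retryAfter = Number(res.headers.get('Retry-After')) || 1;
        await sleep(retryAfter * 1000);
        continue;
      }
      status = `failed-${res.status}`;
      break;
    }
    // The DSAR stands whether or not a record existed today, so suppress in both
    // cases; failures stay out of the list so the next run retries them.
    if (status === 'deleted' || status === 'not-found') suppression.add(email);
    results.push({ email, status });
  }
  return results;
}

// Constructed fake of the HubSpot API for an offline demo: one 429 before
// success, one unknown address, one server error.
function makeFakeHubSpot() {
  let rateLimitOnce = true;
  return async (url, init) => {
    const { objectId } = JSON.parse(init.body);
    if (init.method !== 'POST') return { status: 405, headers: new Map() };
    if (objectId === 'a@example.com' && rateLimitOnce) {
      rateLimitOnce = false;
      return { status: 429, headers: new Map([['Retry-After', '1']]) };
    }
    if (objectId === 'gone@example.com') return { status: 404, headers: new Map() };
    if (objectId === 'err@example.com') return { status: 500, headers: new Map() };
    return { status: 204, headers: new Map() };
  };
}

async function demo() {
  const suppression = createSuppressionList();
  const results = await eraseContacts(
    [' A@Example.com ', 'gone@example.com', 'err@example.com', 'a@example.com'],
    { token: 'pat-demo', suppression, fetchImpl: makeFakeHubSpot(), sleep: async () => {} },
  );
  return { results, suppressed: suppression.size(), formGuard: checkIngress('A@example.com', suppression) };
}
```

Run demo() for the offline walk-through; in production pass your real token and a fetchImpl that is the platform fetch, keep the default sleep, and persist the suppression list somewhere every ingress path (forms, inbox connectors, API integrations) can consult it. Note the normalisation step: a suppression list that compares raw strings will miss the same address with different casing or whitespace.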
Data Privacy Request portal. Available under Settings → Privacy & Consent → Data Privacy Request. Self-service public form with reCAPTCHA and verification email, plus a Data Request Manager queue with deadlines. Supports data deletion, data export and enriched-data deletion. KB last updated 5 March 2026. Stand this up rather than handling DSARs by inbox.
Retention. HubSpot's default is no automatic time-based deletion — data is retained for as long as your subscription is active. You can configure "Delete inactive contacts automatically" under Privacy & Consent, keyed on Create date, Last session, Last marketing email open or Last engagement. Workflow-based deletion handles property-driven scenarios.
Document the business justification per data category in your RoPA. Ninety days post-cancellation, the entire portal is permanently deleted. The recycle bin offers a 90-day recovery window for soft-deleted records — useful for operational recovery, but not a backup. For legal-hold scenarios deploy independent backup tooling (backHUB, ProBackup) or scheduled CSV exports.
Audit logs and access controls. Audit logs are richer on Enterprise (login activity, security activity, property change history). Most regulated customers export to a SIEM. SSO and SAML are Enterprise. MFA is available on all tiers — enforce it. The Security Contact role added in 2024–2025 is the right inbox for incident notifications; assign it to a real person, not a shared mailbox.
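Two of the checks a SIEM should run over exported HubSpot activity, as an added example written for this guide (not HubSpot's code and not a vendor rule pack): logins from outside the hosting region, the shared-credential pattern that undermines the audit trail, and sensitive actions by users who are not approved for them. It assumes the export has been normalised to flat events with ts, user, action, ip and country fields; the field names, action labels, approved-user list and the sample events are constructed for the demo and must be mapped onto whatever your export actually contains.

```javascript
// Detection rules over exported HubSpot audit / security activity, of the kind
// you would run in (or ahead of) the SIEM. Added example for this guide, not
// HubSpot's code. Assumed event shape after normalisation on export:
// { ts: ISO 8601, user, action, ip, country }. Action labels and the approved
// list are illustrative; the sample events below are constructed.

const EEA_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT',
  'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'IS', 'LI', 'NO',
]);

const RULES = {
  allowedCountries: EEA_COUNTRIES,                     // hosting region of a Frankfurt portal
  sharedLogin: { distinctIps: 3, windowMs: 10 * 60 * 1000 },
  sensitiveActions: new Set(['contact.permanent_delete', 'export.create']),
  approvedForSensitive: new Set(['dpo@example.com']),  // who may erase / export
};

function analyseAuditEvents(events, rules = RULES) {
  const findings = [];
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const recentLogins = new Map(); // user -> [{ t, ip }] within the sliding window

  for (const ev of sorted) {
    const t = Date.parse(ev.ts);

    if (ev.action === 'login') {
      // Rule 1: access from outside the hosting region (see the Frankfurt caveats).
      if (!rules.allowedCountries.has(ev.country)) {
        findings.push({ rule: 'login-outside-hosting-region', user: ev.user, ip: ev.ip, country: ev.country, ts: ev.ts });
      }
      // Rule 2: one account, several source IPs in a short window: a shared login.
      const hist = (recentLogins.get(ev.user) || []).filter((h) => t - h.t <= rules.sharedLogin.windowMs);
      hist.push({ t, ip: ev.ip });
      recentLogins.set(ev.user, hist);
      const distinct = new Set(hist.map((h) => h.ip));
      if (distinct.size === rules.sharedLogin.distinctIps) {
        // Fire once when the threshold is reached, not on every later login.
        findings.push({ rule: 'possible-shared-login', user: ev.user, ips: [...distinct], ts: ev.ts });
      }
    }

    // Rule 3: erasure or export by someone outside the approved group.
    if (rules.sensitiveActions.has(ev.action) && !rules.approvedForSensitive.has(ev.user)) {
      findings.push({ rule: 'sensitive-action-by-unapproved-user', user: ev.user, action: ev.action, ts: ev.ts });
    }
  }
  return findings;
}

// Constructed sample: IPs are from documentation ranges, users are fictional.
const SAMPLE_EVENTS = [
  { ts: '2026-03-02T09:00:00Z', user: 'alice@example.com', action: 'login', ip: '203.0.113.10', country: 'DE' },
  { ts: '2026-03-02T09:02:00Z', user: 'bob@example.com', action: 'login', ip: '198.51.100.5', country: 'SG' },
  { ts: '2026-03-02T09:03:00Z', user: 'sales-shared@example.com', action: 'login', ip: '203.0.113.20', country: 'DE' },
  { ts: '2026-03-02T09:04:00Z', user: 'sales-shared@example.com', action: 'login', ip: '203.0.113.21', country: 'FR' },
  { ts: '2026-03-02T09:05:00Z', user: 'sales-shared@example.com', action: 'login', ip: '203.0.113.22', country: 'NL' },
  { ts: '2026-03-02T09:06:00Z', user: 'bob@example.com', action: 'contact.permanent_delete', ip: '198.51.100.5', country: 'SG' },
  { ts: '2026-03-02T09:07:00Z', user: 'dpo@example.com', action: 'contact.permanent_delete', ip: '203.0.113.30', country: 'IE' },
];

function demoFindings() {
  return analyseAuditEvents(SAMPLE_EVENTS);
}
```

On the sample, demoFindings() returns three findings: bob's login from Singapore, the shared sales account seen from three addresses inside ten minutes, and bob's permanent delete. The third rule is only meaningful once shared logins are gone and per-user accounts are enforced, which is why the two belong in the same rule set.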
The 2024–2026 regulatory layer you have to brief your board on
Four pieces of EU regulation that didn't exist (or weren't in force) the last time most customers reviewed HubSpot:
NIS2 Directive (2022/2555). Transposition deadline 17 October 2024; uneven national implementation across the EU (Germany's NIS2 Implementation Act applied from December 2025, with roughly 38% on-time registration). HubSpot Ireland Limited likely qualifies as an Important Entity under Annex II as a cloud computing service provider. HubSpot has not made a public NIS2 statement at the time of writing.
If your organisation is itself an Essential or Important Entity, you need to flow Article 21 supply-chain security requirements down the chain: 24-hour early warning, 72-hour notification, 1-month final report. Penalties go up to €10M or 2% of turnover for Essential entities; €7M or 1.4% for Important. Senior-management personal liability applies. Raise this in writing during your annual review — vendor responsiveness on NIS2 is itself a useful procurement signal.
DORA (Regulation 2022/2554). Applies from 17 January 2025 to roughly 22,000 EU financial entities and their critical ICT third-party service providers. If you're a bank, insurer, payment institution, fund manager or in-scope financial entity, HubSpot is an "ICT third-party service provider" under DORA, which means Article 30 contractual provisions, audit rights, exit strategy, ICT incident reporting cooperation and Threat-Led Penetration Testing cooperation. The standard HubSpot DPA is unlikely to be DORA-fully-compliant out of the box. Expect to negotiate a bespoke DORA addendum. As of April 2026 there is no public HubSpot DORA addendum — start the conversation early.
EU AI Act (Regulation 2024/1689). In force 1 August 2024. Prohibitions and AI literacy obligations from 2 February 2025. GPAI rules from 2 August 2025. Full applicability to general systems from 2 August 2026. HubSpot's Breeze suite — Copilot, the Customer / Prospecting / Content / Knowledge Base / Social Media / Data Agents, Breeze Intelligence (built on the Clearbit acquisition), AI Email Writer, AI Content Writer, AI Website Generator, AI Chatbot — is mostly in the limited-risk band. That triggers Article 50 transparency obligations: inform users they're interacting with AI, and label AI-generated content.
Your deployment may push the classification to high-risk (employment screening, credit scoring) — that's the customer's responsibility. HubSpot's AI Trust page commits to encryption, audited systems, contractual restrictions on third-party AI providers (no training on customer data), AI inheriting portal permissions, and AI processing staying within the customer's data centre region. A feature-level Article 50 mapping has not been published — request one during procurement.
EU Data Act (2023/2854). Effective 12 September 2025. HubSpot has published an EU Data Act Addendum covering the switching and portability requirements for cloud services. Confirm it's referenced in your procurement file.
ePrivacy Regulation withdrawn. For completeness: the long-pending ePrivacy Regulation was officially withdrawn (Commission Work Programme 11 February 2025; formally approved 16 July 2025; published in the Official Journal 6 October 2025 as C/2025/5423). The 2002 Directive and its 27 national implementations remain in force indefinitely. There is no replacement on the horizon. The regulatory patchwork you're navigating today is the regulatory patchwork you'll be navigating in 2030.
Recent EDPB guidance worth flagging. Opinion 28/2024 on AI models (17 December 2024) sets a high bar for anonymity claims and confirms that legitimate interest can be a basis for AI development and deployment — case by case. Guidelines 1/2024 on Article 6(1)(f) (8 October 2024) tightened LIA expectations and confirmed that cookie consent cannot be replaced by legitimate interest. Opinion 08/2024 on pay-or-consent (April 2024) made clear that large platforms generally cannot rely on a binary pay-or-consent for behavioural advertising — relevant to anyone running cookie walls on a HubSpot CMS site.
No major DPA enforcement action has been brought against HubSpot itself in this period.
Common pitfalls — Risk register
The same configuration mistakes show up across most HubSpot portals we audit. Each of these is something to hand to your audit team as a discrete check.
- DPA not counter-signed for procurement files. Online incorporation binds automatically, but vendor-risk wants a copy in the file.
- Pre-2021 customers still on US hosting with no TIA on file. The migration is free and self-service — there's no good reason not to do it.
- Cookie banner in "Notification" or "Opt-out" mode. Not GDPR/ePrivacy-valid in the EU. Set to Opt-in.
- Imported purchased contact lists. Article 6 and Article 14 violation, and a HubSpot Acceptable Use Policy breach. The Bisnode precedent (PLN 943,000 fine, upheld by the Polish Supreme Administrative Court) makes the risk concrete.
- Generic shared logins undermining the audit trail. Article 32 issue. Enforce per-user accounts and SSO.
- Lawful basis fields left blank. Accountability becomes impossible.
- The "non-marketing contact" loophole. High-volume 1:1 sequences to a "non-marketing" segment are de facto direct marketing under the substance-over-form approach regulators (especially CNIL) take. The HubSpot billing classification is not a legal exemption.
- Indefinite retention of inactive prospects. Article 5(1)(e) violation. Configure inactivity-based auto-deletion.
- Sub-processor change notifications ignored. The 30-day objection window passes silently. Subscribe and triage.
- Breeze AI features deployed without "talking to AI" disclosure. Article 50 transparency obligation from 2 August 2026.
- Soft-delete used in lieu of permanent delete for Article 17 erasure. They are not the same thing.
- App Marketplace integrations adding silent sub-processors. Each integration brings its own DPA. Vendor-risk needs to see them.
- TLS 1.0/1.1 still configured on customer-controlled CMS sites. Deprecated by HubSpot since 8 March 2021.
- No external backup beyond the 90-day recycle bin. Insufficient for legal hold.
- "Transactional Email" add-on used for promotional content. Substance-over-form regulators will see through it.
- Tracking-code Intent data sharing silently auto-enabled after 1 December 2024. The number of EU portals now in unintended Controller-to-Controller flows with HubSpot is, in our audit experience, very high. Check this today.
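Two of the items above, inactivity-based auto-deletion and the soft-delete versus permanent-erasure distinction, are easy to state and easy to get wrong when a contact also carries a legal hold, a blank lawful-basis field, or an Article 17 request. The following is an added example, not HubSpot code or any HubSpot API: it triages a constructed contact export against an assumed retention policy and returns one defensible action per record. The category names, retention periods and field names are assumptions; the documented business justification per category is what your file actually needs.

```python
"""Retention and erasure triage for a CRM contact export (added example).

Not HubSpot code: the Contact fields, the category labels and the retention
periods below are assumptions standing in for your own documented rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed inactivity period per data category, in days. The numbers are
# placeholders; the point is that each category has a rule and a reason.
RETENTION_DAYS = {
    "prospect": 365 * 2,    # inactive prospects: 24 months
    "customer": 365 * 6,    # customers: 6 years after last activity
    "newsletter": 365 * 3,  # list members: 3 years without engagement
}

# Soft-deleted records sit in the recycle bin for 90 days. Soft delete on
# its own does not satisfy an Article 17 erasure request.
RECYCLE_BIN_DAYS = 90


@dataclass
class Contact:
    contact_id: str
    category: str
    lawful_basis: Optional[str]        # None models a blank lawful-basis field
    last_activity: date
    legal_hold: bool = False
    soft_deleted_on: Optional[date] = None
    erasure_requested: bool = False


def triage(contact: Contact, today: date) -> str:
    """Return one action for a contact, in priority order.

    hold               legal hold overrides every deletion path
    erase_permanent    Article 17 request, or retention expired
    fix_retention_rule category has no documented retention rule
    fix_lawful_basis   blank basis: accountability gap, fix before deleting
    verify_purged      soft-deleted longer than the bin window: confirm it is gone
    purge_pending      soft-deleted, still within the bin window
    retain             nothing to do
    """
    if contact.legal_hold:
        return "hold"
    if contact.erasure_requested:
        # A request means permanent deletion, whether or not it is already soft-deleted.
        return "erase_permanent"
    if contact.category not in RETENTION_DAYS:
        return "fix_retention_rule"
    if today - contact.last_activity > timedelta(days=RETENTION_DAYS[contact.category]):
        return "erase_permanent"
    if contact.lawful_basis is None:
        return "fix_lawful_basis"
    if contact.soft_deleted_on is not None:
        if today - contact.soft_deleted_on > timedelta(days=RECYCLE_BIN_DAYS):
            return "verify_purged"
        return "purge_pending"
    return "retain"


def triage_export(contacts: List[Contact], today: date) -> Dict[str, List[str]]:
    """Group contact ids by action so each bucket can go to its owner."""
    buckets: Dict[str, List[str]] = {}
    for c in contacts:
        buckets.setdefault(triage(c, today), []).append(c.contact_id)
    return buckets


# Constructed sample export; not real contacts.
TODAY = date(2026, 3, 1)
SAMPLE_CONTACTS = [
    Contact("c1", "prospect", "legitimate_interest", date(2023, 1, 15)),
    Contact("c2", "prospect", None, date(2025, 11, 1)),
    Contact("c3", "customer", "contract", date(2021, 6, 30), legal_hold=True),
    Contact("c4", "newsletter", "consent", date(2025, 12, 1),
            soft_deleted_on=date(2026, 1, 10), erasure_requested=True),
    Contact("c5", "customer", "contract", date(2025, 9, 1), soft_deleted_on=date(2026, 2, 15)),
    Contact("c6", "prospect", "consent", date(2025, 5, 10), soft_deleted_on=date(2025, 10, 1)),
    Contact("c7", "customer", "contract", date(2025, 12, 20)),
    Contact("c8", "partner", "contract", date(2025, 12, 20)),
]


def run_sample() -> Dict[str, List[str]]:
    return triage_export(SAMPLE_CONTACTS, TODAY)


if __name__ == "__main__":
    for action, ids in sorted(run_sample().items()):
        print(f"{action:18s} {', '.join(ids)}")
```

The ordering matters more than the thresholds: a legal hold must win over an expired retention period, and an erasure request must produce a permanent delete even when the record is already in the recycle bin. Swap the constructed export for a real one and the constants for the rules in your RoPA, and the buckets become the work list for the audit team.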
If you'd like a free 30-minute audit conversation that walks through these sixteen items against your live portal, that's the mid-article offer — book a quick scoping call with Superwork.
The 20-point HubSpot governance checklist
The artefact for the run-book. We use this on every Compliance Posture Review we run.
- ☐ Acknowledge the HubSpot DPA at legal.hubspot.com/dpa; confirm SCCs Module 2/3 active; UK Addendum and Swiss modifications applicable as relevant; counter-sign the published PDF for the file.
- ☐ Confirm data residency — EU (Frankfurt) vs US — and migrate if required (no charge, ~8h).
- ☐ Conduct and document a TIA covering FISA 702, EO 12333, EO 14086 and CLOUD Act exposure.
- ☐ Subscribe to sub-processor change notifications at legal.hubspot.com/subscribe-subprocessor-updates; assess opt-in sub-processors (OpenAI, Snowflake, Stripe, Twilio, Dropbox).
- ☐ Obtain SOC 2 Type II + SOC 3 + latest pen test summary via the Trust Center.
- ☐ Document the ISO 27001 gap (HubSpot itself not certified) as residual risk; secure executive risk acceptance if your policy mandates it.
- ☐ Activate Privacy Tools: enable Data Privacy settings; configure cookie banner in opt-in mode; populate lawful basis fields; turn on "Send to contacts with legal basis"; enable GPC honouring.
- ☐ Configure data retention — define inactivity period for auto-delete; document business justification per data category.
- ☐ DPIA screening — mandatory for HIPAA/Sensitive Data, large-scale Breeze profiling, AI-augmented marketing automation, Breeze Customer Agent on consumer-facing surfaces.
- ☐ Configure SSO (Enterprise) and enforce MFA; appoint a Security Contact.
- ☐ Set role-based permissions, partitioning and field-level permissions; review user list quarterly; deprovision leavers.
- ☐ Define an audit-log review process; export to SIEM if needed.
- ☐ AI / Breeze governance: document features enabled; ensure transparency notices on consumer-facing chat surfaces; restrict who can configure agents; obtain written training-data assurances.
- ☐ Cookie & consent: external CMP (Cookiebot, OneTrust, Usercentrics) where third-party scripts beyond HubSpot are present; pass consent state to HubSpot.
- ☐ RoPA entry covering purposes, categories, retention, sub-processors, transfers and security.
- ☐ Sector overlay: Financial services → DORA Article 30 addendum, exit strategy, ICT third-party register entry. Healthcare → HIPAA BAA via Sensitive Data Settings (Enterprise only) plus the GDPR layer. NIS2 Essential/Important → flow-down clauses, incident reporting timelines, pen-test rights. German public sector → BSI C5 absent; escalate.
- ☐ Independent backup — the 90-day recycle bin is insufficient for legal hold.
- ☐ Annual vendor re-assessment — re-pull SOC 2, update DPA version, revalidate TIA, audit Tracking Code Intent sharing setting and Breeze configuration.
- ☐ Incident response runbook covering HubSpot breach notifications, NIS2/DORA timelines, GDPR Article 33 (72h).
- ☐ Marketing legal hygiene — no purchased lists; basis documented per contact; double opt-in in Germany; subscription types mapped to specific purposes; no use of transactional emails for promotional content.
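The audit-log item in the checklist (define a review process, export to SIEM if needed) is where two other items become provable: who changed the cookie banner or the Tracking Code Intent setting and when, and whether a generic shared login is undermining the trail. The following is an added example, not HubSpot code and not HubSpot's audit-log export format: it runs three review rules over a constructed JSON-lines export with an assumed schema (timestamp, actor, action, ip, old, new). The action names, the approved-admin list and the shared-login heuristic (three or more source IPs for one account inside an hour) are assumptions you would replace with your own export fields and policy.

```python
"""Audit-log review rules for a CRM export (added example).

Not HubSpot code and not HubSpot's export schema: the field names, action
names and thresholds are assumptions. Three rules are applied:
  1. a change trail for privacy-relevant settings (who, when, from, to)
  2. privacy changes made by someone outside the approved admin list
  3. accounts used from several source IPs within a short window, which is
     the footprint a generic shared login leaves behind
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed action names for settings that must leave an audit trail.
PRIVACY_ACTIONS = {
    "cookie_banner.mode_changed",
    "tracking.intent_sharing_changed",
    "data_privacy.toggled",
}
# Assumed policy: only these accounts may change privacy settings.
APPROVED_PRIVACY_ADMINS = {"dpo@example.com", "it-admin@example.com"}
SHARED_LOGIN_IPS = 3
SHARED_LOGIN_WINDOW = timedelta(hours=1)

# Constructed sample export (JSON lines, TEST-NET addresses); not real events.
SAMPLE_LOG = """
{"timestamp": "2026-02-03T09:12:00+00:00", "actor": "it-admin@example.com", "action": "cookie_banner.mode_changed", "ip": "203.0.113.10", "old": "opt_out", "new": "opt_in"}
{"timestamp": "2026-02-03T09:15:00+00:00", "actor": "it-admin@example.com", "action": "login", "ip": "203.0.113.10"}
{"timestamp": "2026-02-10T14:02:00+00:00", "actor": "sales-shared@example.com", "action": "login", "ip": "198.51.100.5"}
{"timestamp": "2026-02-10T14:20:00+00:00", "actor": "sales-shared@example.com", "action": "login", "ip": "198.51.100.77"}
{"timestamp": "2026-02-10T14:41:00+00:00", "actor": "sales-shared@example.com", "action": "contact.viewed", "ip": "192.0.2.33"}
{"timestamp": "2026-02-10T16:30:00+00:00", "actor": "sales-shared@example.com", "action": "login", "ip": "198.51.100.5"}
{"timestamp": "2026-02-12T11:00:00+00:00", "actor": "marketing@example.com", "action": "tracking.intent_sharing_changed", "ip": "203.0.113.21", "old": "enabled", "new": "disabled"}
{"timestamp": "2026-02-12T11:05:00+00:00", "actor": "marketing@example.com", "action": "contact.exported", "ip": "203.0.113.21"}
{"timestamp": "2026-02-14T08:00:00+00:00", "actor": "dpo@example.com", "action": "login", "ip": "203.0.113.30"}
{"timestamp": "2026-02-14T08:05:00+00:00", "actor": "dpo@example.com", "action": "login", "ip": "203.0.113.31"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into events sorted by time; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["timestamp"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def privacy_change_trail(events: List[dict]) -> List[dict]:
    """Rule 1: every privacy-relevant change, with the actor's approval status."""
    return [
        {
            "when": e["timestamp"],
            "actor": e["actor"],
            "setting": e["action"],
            "old": e.get("old"),
            "new": e.get("new"),
            "approved_actor": e["actor"] in APPROVED_PRIVACY_ADMINS,
        }
        for e in events
        if e["action"] in PRIVACY_ACTIONS
    ]


def shared_login_suspects(events: List[dict]) -> List[str]:
    """Rule 3: actors seen from SHARED_LOGIN_IPS or more IPs inside one window."""
    by_actor: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((e["ts"], e["ip"]))
    suspects = set()
    for actor, seen in by_actor.items():
        seen.sort()
        for i, (start, _ip) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= SHARED_LOGIN_WINDOW}
            if len(ips) >= SHARED_LOGIN_IPS:
                suspects.add(actor)
                break
    return sorted(suspects)


def review(text: str) -> dict:
    """Run all rules over an export and return the findings for the review file."""
    events = parse_events(text)
    trail = privacy_change_trail(events)
    return {
        "privacy_changes": trail,
        "unapproved_privacy_changes": [c for c in trail if not c["approved_actor"]],
        "shared_login_suspects": shared_login_suspects(events),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

Note that the second privacy change in the sample moves Intent sharing in the right direction and is still a finding: the review is about whether the change was made by an authorised person through the documented process, not whether the outcome happened to be good. The same functions run unchanged as a scheduled job against a real export, or the rules can be ported to your SIEM once the field mapping is known.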
The Superwork view
We're a HubSpot Solutions Partner. Most of our work is implementation and RevOps. Some of our most useful conversations, though, are the ones we have with the person sitting on the other side of the table from the buyer — the Compliance lead, the CISO, the Head of IT — who needs to know what's actually in the box before they sign off.
That conversation is shorter than it used to be. HubSpot has done a substantial amount of compliance work in the last five years, and it's broadly defensible for European B2B use cases. The thing that breaks compliance, in our experience, is almost never a HubSpot limitation. It's the absence of a governance model wrapped around the product — no TIA on file, no documented retention rule, no audit trail of who configured the cookie banner or when, no sub-processor change subscription, no annual re-assessment cadence.
That's the work we do. Specifically: a 90-minute HubSpot Compliance Posture Review that produces four deliverables you can put on the shared drive the same week — a TIA worksheet sized for your data flows, a sub-processor audit reflecting the features you've actually turned on, a cookie banner configuration recommendation, and a RoPA template populated with HubSpot-specific entries. No licence purchase required. No follow-up sales sequence triggered.
If your organisation is evaluating HubSpot, has been on it for three years and never re-audited, or is being asked uncomfortable questions by a regulator, that's the offer. Book a Compliance Posture Review with Superwork — and we'll either tell you that your HubSpot GDPR compliance posture is in good shape, or we'll tell you exactly what to fix and how long it will take.
The board doesn't ask whether your CRM is compliant. They ask whether you can prove it. The work in this guide is what the answer "yes, here's the file" actually looks like.