HubSpot · HubSpot Sub-Processors · View original document ↗

Sub-Processor Disclosure List

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity HubSpot recorded 6 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for HubSpot Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The document publishes an enumerated list of third-party vendors that HubSpot engages to process personal data on behalf of its customers, identifying each vendor by name, processing purpose, and data processing location.

This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision serves as the primary GDPR Article 28 disclosure mechanism for HubSpot's processor obligations, enabling business customers acting as data controllers to identify and authorize the third parties who access personal data stored in HubSpot products.

Interpretive note: The full tabular sub-processor data was not fully rendered in the document provided, limiting the ability to assess the complete list of vendors, their specific processing purposes, and geographic locations.

Consumer impact (what this means for users)

The document establishes that personal data entered into HubSpot products may be processed by enumerated third-party vendors across multiple geographic locations, which affects the scope of data sharing that HubSpot's business customers must account for in their own privacy governance frameworks.

Cross-platform context

See how other platforms handle Sub-Processor Disclosure List and similar clauses.

Compare across platforms →

Monitoring

HubSpot has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28(2) and (4), which require processors to obtain controller authorization before engaging sub-processors and to impose equivalent data protection obligations on those sub-processors by contract. The relevant enforcement authorities are the EU data protection supervisory authorities and the UK Information Commissioner's Office. Where the provision discloses sub-processors in third countries, GDPR Chapter V transfer mechanism obligations are implicated. 2) GOVERNANCE EXPOSURE: Medium. The sub-processor list creates a formal disclosure record that controllers must reconcile against their own data processing inventories. Failure to monitor and respond to sub-processor changes could result in a controller operating with an inaccurate Record of Processing Activities, creating regulatory exposure under GDPR Article 30. 3) JURISDICTION FLAGS: EU and EEA controllers face the most direct obligation, as GDPR Article 28 governs the processor relationship directly. UK-based customers operate under an equivalent obligation under the UK GDPR. Swiss customers operating under the nFADP face analogous requirements. Customers in California are subject to CCPA service provider provisions, which similarly require disclosure of the categories of data shared with service providers. 4) CONTRACT AND VENDOR IMPLICATIONS: Business customers should confirm that their executed HubSpot Data Processing Agreement includes a clause granting the right to object to new sub-processors and specifying a notification window. The sub-processor list alone does not confirm that HubSpot has executed compliant sub-processing agreements with each listed vendor, and customers may wish to request confirmation of this as part of vendor due diligence. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should establish a process to receive and review HubSpot sub-processor change notifications, assess each new or modified sub-processor against data sensitivity and regulatory risk, and update their own Records of Processing Activities accordingly. Organizations subject to sector-specific regulations such as HIPAA or financial services data protection rules should evaluate whether any listed sub-processors handle regulated data categories.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over unfair or deceptive data practices affecting US-based businesses and consumers, including representations about data sharing with third parties.
    File a complaint →

Provision details

Document information
Document
HubSpot Sub-Processors
Entity
HubSpot
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013445
Document ID
CA-D-00932
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
2ee00afb08fb86208fdcf7fbd0be9e10f6c857a01921bb115fe1327f78e066cd
Analysis generated
July 6, 2026 23:16 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: HubSpot
Document: HubSpot Sub-Processors
Record ID: CA-P-013445
Captured: 2026-07-06 23:16:08 UTC
SHA-256: 2ee00afb08fb8620…
URL: https://conductatlas.com/platform/hubspot/hubspot-sub-processors/sub-processor-disclosure-list/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does HubSpot's Sub-Processor Disclosure List clause do?

This provision serves as the primary GDPR Article 28 disclosure mechanism for HubSpot's processor obligations, enabling business customers acting as data controllers to identify and authorize the third parties who access personal data stored in HubSpot products.

How does this clause affect you?

The document establishes that personal data entered into HubSpot products may be processed by enumerated third-party vendors across multiple geographic locations, which affects the scope of data sharing that HubSpot's business customers must account for in their own privacy governance frameworks.

Is ConductAtlas affiliated with HubSpot?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.