If you use HubSpot to handle personal data covered by privacy laws like GDPR, you must sign a separate Data Processing Agreement with HubSpot — and it's your responsibility to make sure you're allowed to share that data with HubSpot in the first place.
This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision clarifies the operational framework for data handling compliance by designating a separate DPA as the governing instrument for regulated data processing and allocating the compliance obligation for pre-transfer authorization to the customer organization.
Business customers processing EU, UK, or other regulated personal data through HubSpot must separately execute the DPA to maintain legal compliance — failure to do so creates significant GDPR enforcement risk that falls entirely on the business customer.
How other platforms handle this
If you are using our Services pursuant to a separate agreement with Figma that includes data processing terms, such as an enterprise agreement, those terms will govern the processing of personal data to the extent they conflict with this Privacy Policy.
Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contac...
Runway is considered the "data controller" of the "personal data" (as defined under the General Data Protection Regulation) we handle under this Privacy Policy. In other words, Runway is responsible for deciding how to collect, use, and disclose personal data, subject to applicable law. The laws of ...
Monitoring
HubSpot has changed this document before.
"To the extent that HubSpot processes any Customer Data that is subject to Data Protection Laws on Customer's behalf, the terms of the HubSpot Data Processing Agreement ('DPA'), which are incorporated into this Agreement by reference, shall apply. The DPA is available at https://legal.hubspot.com/dpa. Customer is responsible for ensuring that it has all necessary rights, consents, and legal bases required under applicable Data Protection Laws to transfer Customer Data to HubSpot for processing." — Excerpt from HubSpot's Terms of Service
(1) REGULATORY FRAMEWORK: GDPR Art. 28 requires that data controllers only use processors providing sufficient guarantees, and that processing is governed by a binding contract (the DPA). Standard Contractual Clauses (SCCs, Commission Decision 2021/914) are required for transfers to the US from the EU/EEA under GDPR Chapter V. UK GDPR and the UK International Data Transfer Agreement (IDTA) apply to UK-to-US transfers. CCPA §1798.140(ag) requires service provider agreements for businesses disclosing personal information to service providers. Primary enforcement: Irish DPC (EU lead authority for HubSpot), UK ICO, California Privacy Protection Agency. (2)
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.