What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://legal.hubspot.com/dpa', 'difficulty': 'MODERATE', 'action_type': 'EXPORT_DATA', 'instructions': "Visit https://legal.hubspot.com/dpa to review and execute HubSpot's Data Processing Agreement. Complete the online form to generate a signed DPA for your organization before processing any EU, UK, or other regulated personal data through HubSpot.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC enforces against companies that misrepresent their data protection practices, and failure to maintain adequate processor agreements may constitute an unfair or deceptive practice under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Data Processing Agreement and GDPR Compliance clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Data Processing Agreement and GDPR Compliance — HubSpot

Share 𝕏 Share in Share 🔒 PDF

What it is

If you use HubSpot to handle personal data covered by privacy laws like GDPR, you must sign a separate Data Processing Agreement with HubSpot — and it's your responsibility to make sure you're allowed to share that data with HubSpot in the first place.

Consumer impact (what this means for users)

Business customers processing EU, UK, or other regulated personal data through HubSpot must separately execute the DPA to maintain legal compliance — failure to do so creates significant GDPR enforcement risk that falls entirely on the business customer.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Export Your Data

Visit https://legal.hubspot.com/dpa to review and execute HubSpot's Data Processing Agreement. Complete the online form to generate a signed DPA for your organization before processing any EU, UK, or other regulated personal data through HubSpot.

Cross-platform context

See how other platforms handle Data Processing Agreement and GDPR Compliance and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Without a signed DPA, transferring EU personal data to HubSpot may violate GDPR Art. 28, exposing your business to regulatory fines of up to €20 million or 4% of global annual turnover.

View original clause language

To the extent that HubSpot processes any Customer Data that is subject to Data Protection Laws on Customer's behalf, the terms of the HubSpot Data Processing Agreement ('DPA'), which are incorporated into this Agreement by reference, shall apply. The DPA is available at https://legal.hubspot.com/dpa. Customer is responsible for ensuring that it has all necessary rights, consents, and legal bases required under applicable Data Protection Laws to transfer Customer Data to HubSpot for processing.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: GDPR Art. 28 requires that data controllers only use processors providing sufficient guarantees, and that processing is governed by a binding contract (the DPA). Standard Contractual Clauses (SCCs, Commission Decision 2021/914) are required for transfers to the US from the EU/EEA under GDPR Chapter V. UK GDPR and the UK International Data Transfer Agreement (IDTA) apply to UK-to-US transfers. CCPA §1798.140(ag) requires service provider agreements for businesses disclosing personal information to service providers. Primary enforcement: Irish DPC (EU lead authority for HubSpot), UK ICO, California Privacy Protection Agency. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC enforces against companies that misrepresent their data protection practices, and failure to maintain adequate processor agreements may constitute an unfair or deceptive practice under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

HubSpot Terms of Service

Entity

HubSpot

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-002968

Document ID

CA-D-00207

Evidence Provenance

Source URL

https://legal.hubspot.com/terms-of-service

Wayback Machine

View archived versions →

SHA-256

9927299c7582997f7d7d4ec9af87291e8942c38b96b84ff4e2ea6e359778795c

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: HubSpot | Document: HubSpot Terms of Service | Record: CA-P-002968
Captured: 2026-04-18 11:17:02 UTC | SHA-256: 9927299c7582997f…
URL: https://conductatlas.com/platform/hubspot/hubspot-terms-of-service/data-processing-agreement-and-gdpr-compliance/
Accessed: May 2, 2026

Classification

Severity

High

Data Processing Agreement and GDPR Compliance