Data Processing Agreement Incorporation

What it is

If your HubSpot account contains personal data about individuals, HubSpot's separate Data Processing Agreement automatically applies and sets the rules for how that data is handled.

Why it matters (compliance & governance perspective)

The DPA governs GDPR and CCPA compliance for personal data processed through HubSpot, and its terms and obligations are legally binding even though they are in a separate document that many customers may not have read.

Consumer impact (what this means for users)

Any customer whose HubSpot account contains contact records, email addresses, or other personal information about individuals is automatically subject to the DPA, which carries its own compliance obligations around data subject rights, breach notification, and international data transfers.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28, which requires a written contract between data controller and data processor covering specified mandatory terms including processing instructions, confidentiality, security measures, sub-processor obligations, data subject rights assistance, and breach notification. CCPA service provider agreement requirements under California Civil Code are also implicated. Enforcement authorities include EU national supervisory authorities and the California Privacy Protection Agency. Legal teams should verify the current DPA version covers all GDPR Article 28 mandatory elements and that standard contractual clauses or other transfer mechanisms are in place for non-EEA data transfers. GOVERNANCE EXPOSURE: High. Incorporating the DPA by reference rather than requiring affirmative execution is operationally convenient but may create audit trail gaps for demonstrating GDPR Article 28 compliance, as regulators may require evidence that a formal data processing agreement was in place at the time of processing. Some EU supervisory authorities have indicated that clear affirmative agreement to DPA terms is preferable to passive incorporation. JURISDICTION FLAGS: EU and EEA customers face heightened exposure if the DPA does not adequately address post-Schrems II transfer mechanisms for US-based processing. UK customers require a separate International Data Transfer Agreement or addendum following Brexit. Healthcare sector customers in the US should assess whether HubSpot's DPA satisfies HIPAA Business Associate Agreement requirements, as a standard GDPR DPA does not constitute a BAA. CONTRACT AND VENDOR IMPLICATIONS: Vendor management programs should maintain a copy of the DPA version in effect at contract execution and monitor for updates. The DPA URL referenced (legal.hubspot.com/dpa) indicates HubSpot may update the DPA independently, which procurement teams should track as part of ongoing vendor assessment. Sub-processor lists referenced in the DPA should be reviewed for adequacy of data transfer protections. COMPLIANCE CONSIDERATIONS: Legal teams should (1) obtain and formally document acceptance of the current DPA; (2) verify that the DPA covers all categories of personal data the customer will process through HubSpot; (3) confirm transfer mechanism adequacy for cross-border data flows; (4) assess sub-processor disclosure completeness; and (5) establish a process for monitoring DPA amendments and assessing their impact on existing data processing activities.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Customer Responsibility for End Users medium
• Limitation of Liability high
• Unilateral Modification of Terms medium
• Governing Law and Forum Selection medium
• Account Suspension and Termination Rights medium
• Intellectual Property Ownership low

Related Analysis

• What 38 AI Companies Actually Say About Your Data (2026)

  We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.