🟡 HubSpot Operations Practical Textbook — 2026 Edition
Chapter 9

Security, permissions and governance design

"A former sales rep who left the company still had access to HubSpot." "An intern exported every contact and took the file outside the company." "A workflow accidentally sent an email to all customers." These are real examples of HubSpot incidents. The customer data held in the CRM is one of an organization's most important assets, and the system should not go into production without appropriate permission design, audit logging, GDPR / personal-information-protection measures and incident response procedures. This chapter gives a systematic overview of governance design.

📖 Estimated reading time: 25 minutes
🎯 Target: HubSpot administrators, information system staff, CISOs, compliance staff
🔧 Required plan: Professional and above (permission settings) / Enterprise (advanced controls)

📋 Contents of this chapter

  1. 9-1 Basics of permission design—the three-layer structure of role, team and data scope
  2. 9-2 Access control by team and individual—who can see what?
  3. 9-3 Complying with GDPR and the Personal Information Protection Act—consent management and deletion requests
  4. 9-4 Audit logs, API key management and incident response procedures
Section 9-1

Basics of permission design—the three-layer structure of role, team and data scope

HubSpot permission management is designed in three layers: what you can do (role), whose data it is (team), and which records are in range (data scope). Combining the three allows fine-grained control such as "members of the East Japan sales team can view and edit only the contacts and companies they own, and cannot export all contacts."

🔐 The five permission tiers in HubSpot—the higher the tier, the stronger the permissions
🔴 Super Admin
Unlimited access to all settings, data, user management and billing. You can change all HubSpot settings.
Target: CTO/RevOps leaders (narrow down to a maximum of 2-3 people)
🟠 Admin
Can change most settings: adding and removing users, permission settings, workflow management, report creation. Billing information is hidden.
Target audience: HubSpot administrators and RevOps engineers
🟡 Sales Manager / CS Manager
View team members' records. Create reports, change record owners, change some settings. Whether to grant export of all records needs careful consideration.
Target: Sales managers and CSM leaders
🟢 Sales / CS / Marketing User
View and edit own records, create tasks, send emails. No export by default. Cannot change settings.
Target: Sales personnel, CSM, marketers (most general users)
⚪ View Only
Only view the specified object. Editing, deleting, exporting, and emailing data are all prohibited.
Target: Management, reference persons from other departments, external partners (people who only need to read)

Ensuring the principle of least privilege

The basic principle of permission design is: grant only the minimum permissions necessary for the person's work. Designs such as "leave them as Admin for now" or "give everyone export rights because not being able to export is inconvenient" become breeding grounds for security incidents.

Common patterns of excessive privilege, their risk, and the correct action

Pattern: Make everyone an Admin
Risk: Anyone can change or delete workflows; one mis-operation can send an email to every customer.
Fix: Limit Admins to 2 or 3 people; give general users an appropriate custom role.

Pattern: Export permission for everyone
Risk: A departed employee or an insider can take the entire customer list outside the company; this may also be a GDPR violation.
Fix: Limit export to managers and above; general users are scoped to their own records.

Pattern: Leaving departed employees' accounts active
Risk: Former employees can still access the CRM at any time.
Fix: Deactivate the account and reassign record ownership on the day of departure.

Pattern: Sharing one API key and reusing it across several systems
Risk: If one system is compromised, every system that uses the key is exposed.
Fix: Issue a dedicated private app token for each system with the minimum scopes.
Section 9-2

Access control by team and person—who can see what?

HubSpot's Teams feature lets you control precisely which records the users on a given team can work with. For example, the East Japan sales team can be set up to view and edit only contacts, companies and deals in the East Japan area.

Three stages of data scope

Scope level 1: Own records only
You can view and edit only records whose hubspot_owner_id is your own user. Other people's records are not visible.
Recommended for: general sales reps / CSMs (they only need to manage their own pipeline)
Scope level 2: Whole team
All members of the same team can view every record owned by a team member. Edit rights can be set separately: own records only, or all of the team's records.
Recommended for: sales managers / team leaders (who need to see the status of their members)
Scope level 3: Company-wide (global)
All records can be viewed and edited regardless of owner. This is the scope for administrators, RevOps and executives.
Recommended for: administrators / RevOps / management (who need company-wide numbers)
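To make the three layers concrete, here is a small Python model of the access decision (an added example written for this chapter, not HubSpot code: HubSpot evaluates these rules internally, and the Role/User/Record types, the owner_team field and the role names are assumptions). Each role carries a data scope per action, and the check denies by default and widens only as far as that scope. The team-lead role shows the level-2 nuance of "view the team, edit only your own".

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical model of HubSpot's three permission layers (role, team, data
# scope), written for this chapter. It is not HubSpot code; HubSpot evaluates
# these rules internally and the field names below are assumptions.

ACTIONS = ("view", "edit", "export")


@dataclass(frozen=True)
class Role:
    """What the user may do, and at which data scope for each action.

    Scope values: "none" (action not permitted), "own", "team", "all".
    """
    name: str
    scopes: Dict[str, str]


@dataclass(frozen=True)
class User:
    user_id: int
    team: str
    role: Role


@dataclass(frozen=True)
class Record:
    record_id: int
    hubspot_owner_id: int  # HubSpot's owner property; value is a user id
    owner_team: str        # team of the owner (assumed denormalised here)


# Custom roles mirroring the tiers described in this chapter.
SALES_USER = Role("Sales User", {"view": "own", "edit": "own", "export": "none"})
TEAM_LEAD = Role("Team Lead", {"view": "team", "edit": "own", "export": "none"})
SALES_MANAGER = Role("Sales Manager", {"view": "team", "edit": "team", "export": "team"})
REVOPS = Role("RevOps", {"view": "all", "edit": "all", "export": "all"})
VIEW_ONLY = Role("View Only", {"view": "all", "edit": "none", "export": "none"})


def is_allowed(user: User, record: Record, action: str) -> bool:
    """Deny by default; widen only as far as the role's scope for this action."""
    scope = user.role.scopes.get(action, "none")
    if scope == "all":
        return True
    if scope == "team":
        return record.owner_team == user.team
    if scope == "own":
        return record.hubspot_owner_id == user.user_id
    return False  # "none", an unknown action, or an unknown scope string


def allowed_actions(user: User, record: Record) -> List[str]:
    return [a for a in ACTIONS if is_allowed(user, record, a)]


# Constructed sample: an East Japan sales team and one West Japan record.
EAST, WEST = "East Japan Sales", "West Japan Sales"
REP = User(101, EAST, SALES_USER)
LEAD = User(102, EAST, TEAM_LEAD)
MANAGER = User(103, EAST, SALES_MANAGER)
OPS = User(900, "RevOps", REVOPS)
EXEC = User(1, "Management", VIEW_ONLY)
REP_RECORD = Record(1, 101, EAST)    # owned by the rep
LEAD_RECORD = Record(2, 102, EAST)   # owned by the rep's team lead
WEST_RECORD = Record(3, 201, WEST)   # owned by someone on another team

if __name__ == "__main__":
    for u in (REP, LEAD, MANAGER, OPS, EXEC):
        for r in (REP_RECORD, LEAD_RECORD, WEST_RECORD):
            print(f"{u.role.name:14} record {r.record_id}: {allowed_actions(u, r)}")
```

Note that an action the role does not list (for instance "delete") falls through to the deny branch; when you add a new capability to the model you must add it to every role explicitly, which is exactly the discipline least privilege asks for.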

Departmental access privilege matrix (design example)

📊 Departmental access privilege matrix
◎ = full access  ○ = own records / own unit only  △ = view only  ✗ = no access

Function / object      | Sales rep  | Sales MG | Marketer      | CSM        | CS MG  | RevOps  | Management
Contacts: view         | ○ own      | ◎ team   | ◎ all         | ○ own      | ◎ team | ◎ all   | △ view
Contacts: edit         | ○ own      | ◎ team   | ◎ all         | ○ own      | ◎ team | ◎ all   | ✗
Contacts: export       | ✗          | ○ team   | ○ own segment | ✗          | ○ team | ◎ all   | ✗
Deals: view            | ○ own      | ◎ team   | △ view        | △ view     | △ view | ◎ all   | △ view
Workflows: create/edit | ✗          | ✗        | △ view only   | ✗          | ✗      | ◎ all   | ✗
Reports / dashboards   | △ assigned | ◎ team   | ◎ can create  | △ assigned | ◎ CS   | ◎ all   | △ view
Users / permissions    | ✗          | ✗        | ✗             | ✗          | ✗      | ◎ admin | ✗
✅ Review the permission design every quarter

Organizational changes, transfers, departures, new hires, and the onboarding or offboarding of external partners: each of these requires confirming that permissions are still appropriate. Build into your cadence a quarterly export of the list of all users' permissions and a review of whether current roles and permissions match the matrix. The list can be exported from HubSpot's Settings → Users & Teams → Users.
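A quarterly review is only useful if it is mechanical enough to be repeated. The following Python script is an added example (not from the original chapter or from HubSpot) that runs a few of this chapter's rules over a constructed user export: more Super Admins than the 2 to 3 the chapter allows, active accounts that are missing from the HR roster (departed employees), export rights on non-manager roles, privileged accounts without MFA, and accounts with no login for 90 days. The CSV column names and the HR roster are assumptions for the example; map them to the real export's headers and your HR system.

```python
import csv
import io
from datetime import date
from typing import List, Set, Tuple

# Constructed sample of the user / permission export. The column names are an
# assumption made for this example; map them to the headers of the real export.
USER_EXPORT_CSV = """email,role,team,status,last_login,mfa,export
alice@example.com,Super Admin,RevOps,active,2026-03-08,yes,yes
bob@example.com,Super Admin,RevOps,active,2026-03-07,yes,yes
carol@example.com,Super Admin,Marketing,active,2025-11-02,no,yes
dave@example.com,Super Admin,Sales,active,2026-03-01,yes,yes
erin@example.com,Sales User,East Japan Sales,active,2026-03-09,yes,yes
frank@example.com,Sales User,East Japan Sales,active,2026-01-15,yes,no
grace@example.com,Sales Manager,East Japan Sales,active,2026-03-09,yes,yes
heidi@example.com,View Only,Management,deactivated,2025-06-01,no,no
"""

# Constructed HR roster of people who are currently employed or contracted.
# frank left the company but his HubSpot account was never deactivated.
HR_ACTIVE = {
    "alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com",
    "erin@example.com", "grace@example.com", "heidi@example.com",
}

MAX_SUPER_ADMINS = 3                                   # chapter guidance: 2 to 3
EXPORT_ROLES = {"Super Admin", "Admin", "Sales Manager", "CS Manager"}
PRIVILEGED_ROLES = {"Super Admin", "Admin"}
DORMANT_DAYS = 90
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

Finding = Tuple[str, str, str]  # (severity, subject, issue)


def review_permissions(csv_text: str, hr_active: Set[str], today: date) -> List[Finding]:
    """Compare a permission export against policy and the HR roster."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    active = [r for r in rows if r["status"].strip().lower() == "active"]
    findings: List[Finding] = []

    super_admins = sorted(r["email"] for r in active if r["role"] == "Super Admin")
    if len(super_admins) > MAX_SUPER_ADMINS:
        findings.append(("HIGH", ";".join(super_admins),
                         f"{len(super_admins)} Super Admins (limit {MAX_SUPER_ADMINS})"))

    for r in active:
        email = r["email"]
        if email not in hr_active:
            findings.append(("CRITICAL", email, "active account not on HR roster (leaver?)"))
        if r["export"] == "yes" and r["role"] not in EXPORT_ROLES:
            findings.append(("HIGH", email, f"export permission on role '{r['role']}'"))
        if r["role"] in PRIVILEGED_ROLES and r["mfa"] != "yes":
            findings.append(("HIGH", email, "privileged account without MFA"))
        idle = (today - date.fromisoformat(r["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append(("MEDIUM", email, f"no login for {idle} days"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for sev, who, issue in review_permissions(USER_EXPORT_CSV, HR_ACTIVE, date(2026, 3, 10)):
        print(f"{sev:8} {who:40} {issue}")
```

The roster comparison is the single most valuable check: it turns "did we remember to deactivate everyone who left?" into a diff that cannot be forgotten, which is why it is ranked CRITICAL above every permission-shape finding.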

Section 9-3

Complying with GDPR/Personal Information Protection Law—consent management and deletion response

HubSpot has built-in features that support compliance with GDPR and the Personal Information Protection Act. However, having the features and being legally compliant are two different things: compliance is achieved only when the features are correctly configured and operated. Below is a checklist of the main points a HubSpot operator needs to cover.

📋 GDPR/Personal Information Protection Law Compliance Checklist
Need to address both HubSpot setup and operational processes
🔒 Obtaining and recording consent
An "I agree to the handling of my personal information" checkbox has been added to HubSpot forms so that a form cannot be submitted without consent.
The date and time of consent, where it was given (form name / URL) and the consent text are saved automatically in HubSpot's GDPR consent-record properties.
The legal basis for sending email (consent / legitimate interest / performance of a contract) is recorded for each contact.
An unsubscribe (opt-out) link is included in every marketing email, and one click unsubscribes immediately.
🗑️ Dealing with data deletion and access rights
The procedure for handling a request from an individual to delete their data (receipt → verification → deletion → completion notice) is documented.
The design or the procedure ensures that when a contact is deleted in HubSpot, the copy synced to the DWH (Snowflake / BigQuery) is deleted as well.
There is a procedure for producing a contact's HubSpot timeline, properties and consent record in response to a request to "disclose my data" (right of access).
The person in charge and the escalation path are defined so that a deletion request is answered within the statutory deadline: under GDPR, without undue delay and at the latest within one month of receipt (Art. 12(3); the 72-hour deadline applies to breach notification, not to data-subject requests), and under the Personal Information Protection Act "without delay" (a 30-day internal target is used here).
🌏 Cross-border data transfer
HubSpot's data hosting region has been confirmed (default US), and a Data Processing Addendum (DPA) has been signed with HubSpot if personal data of EU data subjects is handled.
For data transferred to Snowflake / BigQuery, it has been confirmed that the storage regions used (e.g. Asia Pacific) raise no issues under the Personal Information Protection Act.
📱 HubSpot's GDPR feature settings
"Settings → Privacy & Consent → Enable GDPR" is turned on.
The cookie consent banner is enabled in HubSpot's settings so that tracking consent is obtained from website visitors.
Subscription types are set appropriately under "Settings → Marketing → Email → Subscription Types" so that contacts can opt out of individual categories.
Section 9-4

Audit logs/API key management/incident response procedures

HubSpot Audit Log

On the Enterprise plan, every operation ("who did what, when, and to what") is recorded in the audit log. You can check afterwards who changed a workflow and when, who exported data, and who added or removed users. This is essential for compliance, for investigating the cause of an incident, and for detecting misuse.

🔍 HubSpot audit log — recent activity (example; the user column is not shown in the source)
Timestamp           | User        | Action | Detail
2026/03/09 09:12:34 | (not shown) | EXPORT | Exported 3,421 contacts (filter: Lifecycle = MQL)
2026/03/09 08:55:10 | (not shown) | UPDATE | Changed the trigger condition of workflow "MQL automatic promotion WF" (lead_score threshold: 40 → 50)
2026/03/09 08:42:17 | (not shown) | CREATE | Added a new user (role: Sales User)
2026/03/08 18:31:05 | (not shown) | DELETE | Deleted contact "Taro Yamada (ID: 123456)" (reason: deletion request from the data subject)
2026/03/08 09:00:00 | system      | API    | API access from external IP 203.0.113.x (private app: Salesforce Sync)

Manage API keys and private app tokens

Not recommended: legacy API key
A "master key" with full access to the entire HubSpot account.
If leaked, it gives unrestricted access to all data.
The scope cannot be narrowed, so the principle of least privilege cannot be applied.
HubSpot deprecated API keys and sunset them on 30 November 2022; they can no longer be created or used.

Recommended: private app token
Issued with individually selected scopes (e.g. crm.objects.contacts.read, crm.objects.deals.write).
A separate token is issued per system, so if one leaks the other systems stay safe.
Usage and the last-used date of each token can be checked in the log.
Tokens that are no longer needed can be revoked immediately (rotation is possible).

API token scoping rules and setting examples

Read-only systems (analytics / BI tools): crm.objects.contacts.read and crm.objects.deals.read only. Never grant a write scope.
CRM update systems (external enrichment): crm.objects.contacts.write only. No delete or settings scopes.
Fully integrated systems (Salesforce two-way sync): read/write only on the objects actually needed. Do not grant access to all objects.
Token rotation: reissue tokens every 90 days and revoke the old ones. Tokens for systems a departed employee had access to are rotated on the day of departure.

Security incident response procedures

🚨 Incident response flow—“When unauthorized access or data leakage is suspected”
The first 72 hours after discovery are crucial. Decide in advance who owns each phase and what actions they take.
Phase 1
Immediately
Detection and initial response (0 to 1 hour)
① Immediately deactivate the suspicious user account or private app token (HubSpot Settings → Users → Deactivate; Settings → Private Apps → revoke token). ② Scope the impact: check the audit log for everything that account or token did in the past 30 days. ③ Escalate immediately to the information security officer / CISO.
Phase 2
~4 hours
Identification of affected area (1-4 hours)
① Identify abnormal operations such as exports, deletions and mass updates from the audit log. ② Build a list of the contacts, companies and deals that may have been affected. ③ Assess the possibility of data having left the organization (if an export occurred, treat it as a leak and act accordingly). ④ Consult the legal department and confirm whether a notification obligation exists.
Phase 3
~24 hours
Containment/evidence preservation (4 to 24 hours)
① Download the audit logs and access logs and preserve them as evidence (logs are retained only for a limited period, so do this immediately). ② Force a password reset and MFA enrollment for every user who may have been affected. ③ Contact HubSpot Support to request technical assistance (Enterprise plans receive priority support).
Phase 4
~72 hours
Notification/Report (24-72 hours)
① Under GDPR: if a personal data breach is confirmed, the supervisory authority (in the EU, the DPA of the relevant country) must be notified within 72 hours of becoming aware of it. ② Under the Personal Information Protection Act: confirm the obligation to report to the Personal Information Protection Commission (depending on the scale and nature of the leak) and the obligation to notify the affected individuals. ③ Prepare and send the notification to affected individuals after review by the legal department.
Phase 5
~2 weeks
Recurrence prevention/postmortem (72 hours to 2 weeks)
① Identify the root cause of the incident (defective authority settings, password management issues, social engineering, etc.) and implement countermeasures. ② Review permission settings for all users and reduce excessive permissions. ③ Provide security training to all users. ④ Document measures to prevent recurrence and incorporate them into the quarterly review process.
⚠️ Enforcing MFA (multi-factor authentication) is the top security measure

A large share of account takeovers are credential stuffing attacks: even when a user's password is set properly, the same password leaked from another service is replayed against HubSpot. Turning on MFA enforcement for all users under HubSpot Settings → Security → Multi-Factor Authentication is the most cost-effective security measure available: with MFA enforced, most unauthorized access is blocked even when a password has been compromised.

📌 Chapter 9 Summary

Privilege design starts with the “principle of least privilege”

"Admin for now" and "export permission for everyone" are the typical patterns of excessive privilege. Design in three layers (role, team, data scope), and start general users with view and edit limited to their own records and no export. Build a quarterly permission review into your process.

MFA enforcement is a top security measure

Simply enforcing MFA for all users from the settings screen prevents most credential stuffing attacks. It is the measure with the greatest effect at zero cost. If it is not enabled yet, enable it now, starting with the Super Admins.

GDPR/Personal Information Protection Act requires not only “settings” but also “operational processes”

Merely enabling HubSpot's GDPR features does not make you legally compliant. Document the procedure for deletion requests, the management of consent records and the deletion process for data synced to the DWH, and make sure the system actually works in practice. A legal review once a year is recommended.

API tokens are issued per system with the minimum scopes and rotated every 90 days

Legacy API keys are obsolete. Private app tokens