
Manage your account security using HubSpot Security Health

Last updated: May 14, 2024

Available with any of the following subscriptions, except where noted:

All products and plans

Use HubSpot's Security Health to review a list of security measures to understand how well-protected your HubSpot account is from security incidents. If a security measure needs improvement, you can click links to resolve any security risks. The score can then be reassessed to reflect the improvements in your account’s security.

Please note: to access HubSpot Security Health and manage security settings, you must be a super admin or have Security Center access permissions.

Access HubSpot's Security Health

  • In your HubSpot account, click the settings icon in the top navigation bar.
  • In the left sidebar menu, navigate to Security.
  • The Security Health screen will display a rating of Good or Needs review for each of the security measures. In the left sidebar menu, switch between the different tabs to review security measures labeled as high risk, medium risk, or low risk to your account.
  • To resolve the security measures, click Manage next to the security measure that needs review. Follow the prompts to resolve the security action.

Please note: super admins will receive quarterly notifications if any security measures are rated Needs review. The notification explains the importance of the security measures and directs you to Security Health to act on the recommendations. Learn how to opt out of notifications you no longer want to receive.

Which security measures are assessed?

  • Super admins: keeping the number of super admins low reduces the risk of users taking risky actions. Learn how to manage your super admin permissions to determine if any can be removed.
  • Risky permissions: knowing which users have risky permissions helps admins assess risk and remove risky access for users based on HubSpot's recommendations.
  • Two-factor authentication: two-factor authentication (2FA) is the best way to protect your HubSpot account from unauthorized access, and is required for all Starter, Professional, and Enterprise accounts. If you are on a free account, learn how to require 2FA in your HubSpot account. The more users who use 2FA, the more your account is protected from unauthorized access.

Please note: making partner users super admins allows them to view and manage billing, add and delete users, and perform tasks that could add risk to your account. As with any other user, a lower number of super admins reduces security risks. Learn how to manage partner user permissions to determine if any can be removed as super admin.

  • Inactive users: only users who need access to your HubSpot account should be able to access it. HubSpot considers users inactive if they have not logged on in the past 90 days. Learn how to remove or deactivate users.
  • Inactive private apps: having fewer than one inactive private app helps ensure your account only has apps that are being used correctly. Learn how to uninstall apps.
  • Content approvals enabled: having content approvals enabled requires users to receive approval before content is published.