Skip to content

Store Sensitive Data in HubSpot

Last updated: December 16, 2024

Available with any of the following subscriptions, except where noted:

Marketing Hub   Enterprise
Sales Hub   Enterprise
Service Hub   Enterprise
Operations Hub   Enterprise
Content Hub   Enterprise



To store sensitive information in your HubSpot account, such as personal identification, financial, health, or medical information, users with Super Admin permissions can turn on the Sensitive Data setting. Once the setting is turned on, you can create custom properties that store Sensitive Data, then restrict user access to the properties using field level permissions.

Before you get started

Before you begin storing Sensitive Data, review the following information, including requirements, limitations, and recommendations related to Sensitive Data functionality.

  • You can only store certain types of Sensitive Data in HubSpot. Refer to the Sensitive Data terms page to understand which types of Sensitive Data you can store and where these features are available.
  • Only users with Super Admin permissions can turn on Sensitive Data. Once the Sensitive Data setting is turned on, it cannot be turned off.
  • Only users with Super Admin permissions can create, edit, or delete Sensitive Data properties. Partner Admin users cannot create, edit, or delete Sensitive Data properties unless they are also assigned Super Admin permissions.
  • Sensitive Data properties are unavailable in certain tools, including personalization tokens, sandboxes, chatbots and playbooks.
  • After turning on Sensitive Data, you may encounter limits when summarizing records. For example, you will not be able to summarize certain activities such as calls and sales emails. 

Turn on Sensitive Data

Prior to creating Sensitive Data properties, you'll need to turn on Sensitive Data in your Privacy & Consent settings, and accept the related terms and conditions. Users must have Super Admin permissions to turn on Sensitive Data.

Please note: once you’ve turned on Sensitive Data, it’s not possible to turn it off. Once you select a category of data, you cannot remove it, but you can add categories as needed.

  • In your HubSpot account, click the settings settings icon in the top navigation bar.
  • In the left sidebar menu, navigate to Privacy & Consent.
  • Click Configure sensitive data settings. If you’ve already turned on Sensitive Data, click Edit sensitive data settings to select additional data categories.

configure-sensitive-data-setting

  • In the right panel, select the checkboxes to specify the categories in which you’ll be storing Sensitive Data. Refer to the Sensitive Data terms to understand what types of data can be stored in the categories.
  • To store HIPAA-covered data, you must select both the Health/Medical Data checkbox and the We are a HIPAA-covered entity or business associate checkbox.

Please note: while HubSpot provides a robust security program to protect your personal and sensitive data no matter the content, these data type identification processes help ensure your HIPAA and regulatory needs are supported. By identifying as a HIPAA Covered Entity or Business Associate, HubSpot can track the application of the Business Associate Agreement (BAA) and fulfill regulatory obligations.


category-selection-sensitive-data
  • Click Next.
  • Read the Sensitive Data Terms and if applicable, the Business Associate Agreement. Select the checkbox to accept the terms and conditions.
  • Click Turn on sensitive data settings, or if you added categories, click Update sensitive data settings.

Access recommendations for storing Sensitive Data

Once you’ve turned on the setting to store Sensitive Data, you may need to take actions or update certain settings to better protect your data. To review recommendations to help you manage Sensitive Data:

  • In your HubSpot account, click the settings settings icon in the top navigation bar.
  • In the left sidebar menu, navigate to Privacy & Consent.
  • Click Check recommendations.

check-sensitive-data-recommendations

  • In the right panel, review recommended actions. For each recommendation, click a link to learn more or navigate to the relevant settings.

Create properties to store Sensitive Data

Super Admins can mark a property as sensitive. You can also indicate if the property will store protected health information. By default, data in HubSpot is encrypted in transit and at rest. Marking a property as sensitive adds an additional layer of encryption, application layer encryption, which gives individual accounts and their Sensitive Data increased protection and isolation. Sensitive Data needed for search and reporting are stored in protected environments with highly restricted access. Access to the unencrypted values for Sensitive Data properties is restricted to designated HubSpot applications and user-approved connected private apps. 

  • In your HubSpot account, click the settings settings icon in the top navigation bar.
  • In the left sidebar menu, navigate to Properties.
  • Click Create property.
  • Enter the property’s basic details, select the field type, then click the Sensitive data tab.
  • To mark the property as sensitive, select Sensitive data. If you’re storing highly sensitive information (BETA), select Highly-sensitive data. Learn more about the Highly Sensitive Data beta in this article.

sensitive-data-property-creation

Please note: the following is expected when creating properties:

  • Once a property is created, its Sensitive Data setting cannot be changed. An existing Sensitive Data property cannot be set as non-sensitive, and an existing non-sensitive property cannot be set as sensitive.
  • Score and calculation properties cannot store Sensitive Data.
  • You cannot require unique values for Sensitive Data properties.

Manage Sensitive Data

In the sections below, learn more about using Sensitive Data properties and managing Sensitive Data in HubSpot tools.

Use Sensitive Data properties

Once you’ve created a property to store Sensitive Data:

  • Super Admins can set up field level permissions to restrict view and edit access for the property to specific users and teams. This is highly recommended to ensure Sensitive Data can only be seen or modified by select users.
  • Super Admins can view user actions related to Sensitive Data property values in the audit log.
  • Super Admins can edit or delete the Sensitive Data property.
  • Users with access to the property can update the property’s values manually or via import and workflows.
  • Users with access to the property can use the property in HubSpot tools, including CRM records, views, lists, workflow triggers and actions, reports, search, and mobile. Sensitive Data will be unavailable in all other HubSpot tools.
  • If your account allows HubSpot employees access to troubleshoot support issues, HubSpot employees will not have access to view Sensitive Data property values.

Please note: if downgrading from an Enterprise subscription with Sensitive Data turned on:

  • Super Admins can delete existing Sensitive Data properties, but cannot create new Sensitive Data properties or edit the details of existing Sensitive Data properties.
  • Super Admins will still be able to view and edit a Sensitive Data property’s values. Non-admin users that previously had access to the values will no longer be able to view or edit them.

Forms 

With the ability to store Sensitive Data in HubSpot, you can use HubSpot forms and non-HubSpot forms to collect sensitive information from your visitors confidently. Sensitive Data collected via forms will be encrypted and synced into the CRM securely. Any files uploaded via form submissions associated with a Sensitive Data property will also be considered sensitive.

Only users with the appropriate permissions to view Sensitive Data will be able to view form submission values and files marked as sensitive. All form submission notifications will also adhere to the Sensitive Data user permission requirements.

Integrations

Developers can use the API documentation to build integrations that sync Sensitive Data. Per the Sensitive Data terms, if you choose to integrate with or otherwise use third party products in connection with the Subscription Service, you acknowledge that Customer Data hosted or processed by such Third-Party Products would be hosted in accordance with policies maintained by those third-parties.

If you’re storing HIPAA-protected Sensitive Data, the Snowflake Data Share integration is only supported for the following regions: AWS US_EAST_1 and AWS EU_CENTRAL_1.

Attachments

With the ability to store Sensitive Data, you can store files containing sensitive information in tools across HubSpot. Once you turn on the Sensitive Data setting, attachments uploaded in the below ways will be protected by an additional layer of encryption in HubSpot’s database storage. This will also remove the option to share files externally without authentication, and will disallow HubSpot employees from accessing the attachments.

When added via the following methods, files will be protected:

You can control user access to attachments through permissions for each tool. For example, you can restrict access to contacts for specific users who shouldn’t have access to contact files.

Please note: files will not be protected in the following scenarios:

  • Only files uploaded after Sensitive Data is turned on will have the additional protection. Existing files will use the standard level of security even if they were uploaded in the above ways.
  • Files uploaded to and hosted on the files tool will not have additional protection, so files containing Sensitive Data should not be stored in the files tool. In other HubSpot tools, if a user attaches a file stored in the files tool (i.e. via the Choose existing option on upload), those files will use the standard level of security.
  • HubSpot won’t restrict access to CRM attachments if you share the URL with another authenticated user in your account. Avoid sharing attachment URLs with users who shouldn't be able to view the files.

Notifications

Once Sensitive Data is turned on in your account, certain notifications will not include previews (e.g., a preview of a note body) to avoid displaying Sensitive Data. This will currently occur for the following notifications: you're @-mentioned on a record or in a comment, you're assigned or receive a reminder for a task, there's activity on a record you follow, or there's a comment on an activity you're involved in.

Workflows

If you’re using a Sensitive Data property in workflows, it's recommended to limit access to the workflows tool because workflows don't currently enforce field-level permissions.

The following are not currently supported in workflows:

  • Association actions that use or reference Sensitive Data properties
  • Personalization tokens that use or reference Sensitive Data properties 
  • Enrollment triggers based on changes to Sensitive Data property values

HubSpot AI tools

HubSpot’s AI tools, can help you automate tasks, gather data insights, draft content, and more across the HubSpot customer platform. Only users with Super Admin permissions can turn on certain AI tools, such as AI Assistants.

If you turn on Sensitive Data, the Sensitive Data properties that you create will not be used to train HubSpot’s AI models. However, other Customer Data within your account may be used to train HubSpot’s AI models. You may opt-out of having your Customer Data used for machine learning by emailing privacy@hubspot.com. For more information, please review HubSpot’s Terms of Service and HubSpot’s Privacy Policy.

Please note: avoid sharing any sensitive information in your prompts. To improve the product, HubSpot logs and stores your prompts, generated language, and usage metrics when you use AI Products. HubSpot shares your prompts with AI Service Providers in order to enable your use of AI Products and AI Service Providers will store your prompts for content moderation purposes. Your prompts will be attributable to you. Your use of HubSpot’s beta AI Products will be governed by our Beta Terms and AI Products incorporated within our Subscription Services will be governed by our Product Specific Terms.

HubSpot’s AI Products are not part of the Sensitive Data features. Certain AI Products may process Sensitive Data which you may not have intended to include when generating results based on the prompt entered. These tools include:

For example, if you discuss Sensitive Data during a conversation, you should not use the Conversations Summaries tool. While you may not have intended to input Sensitive Data in your prompt, the Conversation Summaries tool would process all content in the conversation. 

For more information about HubSpot's AI tools, refer to the AI model cards. Avoid using AI tools if you don't want the AI tools to process your Sensitive Data.

Data Centers

You can store sensitive information in any Data Center that you use. However, once you turn on the Sensitive Data setting, you won’t be able to migrate to a different Data Center at this time.

Additional resources

Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.