hubspot security & risk management overview ... 5.2 hubspot crm 13 5.3 hubspot sales hub 13 5.4...
Post on 09-Apr-2020
Embed Size (px)
Last Update: October 2019
Security Overview – Internal Information 1 HubSpot Security & Risk Management Overview
Table of Contents
1 OUR COMPANY AND PRODUCTS 2
2 HUBSPOT SECURITY AND RISK GOVERNANCE 2
3 OUR SECURITY AND RISK MANAGEMENT OBJECTIVES 2
4 HUBSPOT SECURITY CONTROLS 2
4.1 HUBSPOT PRODUCT INFRASTRUCTURE 3
4.2 APPLICATION PROTECTION 5
4.3 CUSTOMER DATA PROTECTION 6
4.4 PRIVACY 8
4.5 BUSINESS CONTINUITY & DISASTER RECOVERY 9
4.6 HUBSPOT CORPORATE SECURITY 10
4.7 INCIDENT MANAGEMENT 11
5 PRODUCT SECURITY FEATURES 12
5.1 HUBSPOT MARKETING HUB 12
5.2 HUBSPOT CRM 13
5.3 HUBSPOT SALES HUB 13
5.4 HUBSPOT SERVICE HUB 14
6 COMPLIANCE 14
7 DOCUMENT SCOPE AND USE 14
Security Overview – Internal Information 2 HubSpot Security & Risk Management Overview
HubSpot Security Overview
1 OUR COMPANY AND PRODUCTS HubSpot is the world’s leading inbound marketing, sales, and services platform. Since 2006, HubSpot has been on a mission to make the world more inbound. Today, tens of thousands of customers in more than 90 countries use HubSpot’s software, services, and support to transform the way they attract, engage, and delight customers. HubSpot’s inbound marketing software, ranked #1 by VentureBeat, GetApp, Capterra, and G2Crowd, includes social media publishing and monitoring, blogging, SEO, website content management, email marketing, and reporting and analytics, all in one integrated platform. HubSpot Sales Hub and CRM, HubSpot’s award-winning sales applications, enables sales and service teams to have more effective conversations with leads, prospects, and customers. HubSpot Service Hub is the best solution for creating frictionless and delightful customer experiences.
The HubSpot products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications, application programming interfaces (APIs), and email plugins.
2 HUBSPOT SECURITY AND RISK GOVERNANCE HubSpot’s primary security focus is to safeguard our customers’ and users’ data. This is the reason that HubSpot has invested in the appropriate resources and controls to protect and service our customers. This investment includes the implementation of dedicated Enterprise Security and Product Security teams. These teams are responsible for the HubSpot’s comprehensive security program and the governance process. We are focused on defining new and refining existing controls, implementing and managing the HubSpot security framework as well as providing a support structure to facilitate effective risk management. Our Chief Security Officer, who reports to the Chief Operating Officer, oversees the implementation of security safeguards across HubSpot and its products.
3 OUR SECURITY AND RISK MANAGEMENT OBJECTIVES We have developed our security framework using best practices in the SaaS industry. Our key objectives include:
• Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
• Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity
• Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.
• Compliance with Standards – implement process and controls to align with current international regulatory and industry best practice guidance. We have designed our security program around best-of-breed guidelines for cloud security. In particular, we leverage standards like COBIT and Cloud Security Alliance CCM, and align our practices with ISO 27001 and NIST SP 800-53.
4 HUBSPOT SECURITY CONTROLS In order to ensure we protect data entrusted to us, we implemented an array of security controls. HubSpot’s security controls are designed to allow for a high level of employee efficiency without
Security Overview – Internal Information 3 HubSpot Security & Risk Management Overview
artificial roadblocks, while minimizing risk. The following sections describe a subset of controls. For more information about the HubSpot security program, please check out all the details at https://www.hubspot.com/security.
4.1 HUBSPOT PRODUCT INFRASTRUCTURE
4.1.1 DATA CENTER SECURITY HubSpot outsources hosting of its product infrastructure to leading cloud infrastructure providers. Principally, the HubSpot product leverages Amazon Web Services (AWS) and Google Cloud Platform (GCP) for infrastructure hosting. These solutions provide high levels of physical and network security and well as hosting provider vendor diversity. At present, HubSpot’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program, including SOC 2 and ISO 27001 compliance. HubSpot does not host any product systems within its corporate offices.
These world-class infrastructure providers leverage the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed between 99.95% and 100%, and the facilities ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these providers’ sites is highly restricted to both physical access as well as electronic access through public (internet) and private (intranet) networks in order to eliminate any unwanted interruptions in our service to our customers.
The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS compliance site and Google Cloud Platform security site.
4.1.2 NETWORK SECURITY & PERIMETER PROTECTION The HubSpot product infrastructure is built with internet-scale security protections in mind. In particular, network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure. These security controls include enterprise-grade routing and network access control lists (firewalling).
Network-level access control lists are implemented in AWS Virtual Private Cloud (VPC) security groups or GCP firewall rules, which applies port- and address-level protections to each of the server instances in the infrastructure. These firewalling technologies deny unintended traffic by default, and all network traffic is logged and used to inform our monitoring systems (more about that in Section 4.1.4). These network access rules allow for finely grained control of network traffic from a public network as well as between server instances on the interior of the infrastructure. Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate.
Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.
4.1.3 CONFIGURATION MANAGEMENT Automation drives HubSpot’s ability to scale with our customers’ needs. The product infrastructure is a highly automated environment that flexibly expands capacity and capability as needed. Server instances are fully puppetized, meaning that any server’s configuration is tightly controlled from birth through deprovisioning.
https://www.hubspot.com/security https://aws.amazon.com/compliance/ https://cloud.google.com/security/compliance
Security Overview – Internal Information 4 HubSpot Security & Risk Management Overview
All server type configurations are embedded in images and Puppet configuration files. Server- level configuration management is handled using these images and configuration scripts when the server is built. Changes to the configuration and standard images are managed through a controlled change management process. Each instance type includes its own hardened configuration, depending on the deployment of the instance.
Patch management and configuration control is typically handled by removing server instances that are no longer compliant with the expected baseline and provisioning a replacement instance in its place. Rigorous and automated configuration management is baked into our day-to-day infrastructure processing.
4.1.4 ALERTING & MONITORING Not only does HubSpot fully automate its build procedures, we invest heavily in automated monitoring,
alerting and response technologies to continuously address potential issues. The HubSpot product
infrastructure is instrumented to alert engineers and administrators when anomalies occur. In
particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic
responses and alerts to the appropriate teams for response, investigation, and correction. As
unexpected or malicious activities occur, systems bring in the right people to ensure that the issue is
Many automated triggers are also designed into the system to immediately respond to foreseen
situations. Traffic blocking, quarant