Security & Privacy

At HubSpot Deploy, the security of your data and the integrity of your HubSpot instances are our highest priorities. This page explains how we handle authentication, encryption, and data access.

Authentication

We use industry-standard protocols to connect to your HubSpot and GitHub accounts.

HubSpot OAuth & PKCE

HubSpot Deploy uses OAuth 2.0 to authenticate with HubSpot. We implement PKCE (Proof Key for Code Exchange) to provide an additional layer of security during the authorization flow, preventing authorization code injection attacks.

When you connect a portal:

  1. You are redirected to HubSpot's official authorization page.
  2. You review and grant only the specific permissions (scopes) requested.
  3. HubSpot returns an authorization code, which we exchange for access and refresh tokens.
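
The binding that PKCE adds to the steps above, as an added example (not HubSpot Deploy's code). It assumes the RFC 7636 S256 method; ToyAuthServer, make_verifier, s256_challenge and demo are hypothetical names, and the server is an in-memory stand-in for an authorization server.

```python
import base64
import hashlib
import hmac
import secrets

def make_verifier() -> str:
    # RFC 7636 code_verifier: 32 random bytes, base64url without padding (43 chars)
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class ToyAuthServer:
    """Hypothetical in-memory authorization server (assumption, for illustration)."""
    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge it was issued with

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        challenge = self._codes.pop(code, None)  # single use, even on failure
        if challenge is None:
            raise PermissionError("unknown or already used code")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

def demo() -> dict:
    server = ToyAuthServer()
    session_a, session_b = make_verifier(), make_verifier()  # constructed sessions
    result = {}
    # A code issued for session A is presented from session B (code injection).
    code = server.authorize(s256_challenge(session_a))
    try:
        server.token(code, session_b)
        result["injected"] = "accepted"
    except PermissionError:
        result["injected"] = "rejected"
    # The session that started the flow holds the matching verifier.
    code = server.authorize(s256_challenge(session_a))
    result["legit"] = "access_token" in server.token(code, session_a)
    return result

if __name__ == "__main__":
    print(demo())
```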

Scopes & Granular Access

We only request the scopes necessary to read and deploy metadata. We do not request access to your CRM records (Contacts, Deals, etc.) unless specifically required for a specialized feature.

Data Encryption

Tokens at Rest

All authentication tokens (access tokens and refresh tokens) for both HubSpot and GitHub are encrypted at rest in our secure database. We use AES-256 encryption, and the encryption keys are managed separately from the data.

Data in Transit

All data transmitted between your browser and our servers, and between our servers and HubSpot/GitHub APIs, is encrypted using TLS 1.2+.

Privacy & PII

HubSpot Deploy is a Metadata Management tool.

PII Data Access

By design, we focus on the structure of your HubSpot portal (workflows, properties, configurations), not the data within it.

  • We do not back up or store CRM record data (like contact names, emails, or phone numbers) in our standard metadata snapshots.
  • Our extraction logic explicitly skips data-heavy CRM objects and focuses on the configuration level.

Metadata vs. Records

Metadata includes things like:

  • Workflow logic and step definitions.
  • Custom object schemas and property definitions.
  • Email templates (the design, not the recipients).
  • Lists (the criteria, not the members).

Instance Protection

Disaster Recovery

Our Scheduled Backups feature is designed for disaster recovery. By pushing metadata snapshots to your Git repository, you maintain a full, versioned history of your HubSpot configuration. If a workflow is accidentally deleted or a schema is incorrectly modified, you can use the Git history to restore the previous state.

Change Management

The Assisted Deployment mode allows for human verification at every step of a migration. This ensures that no changes are applied to your production environment without a final review by a qualified administrator.