Written by HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

Customer Relationship Management (CRM) platforms are, by their nature, repositories of personal data. For regulated businesses — law firms, fintechs, healthcare providers — the data in the CRM may include legally privileged communications, health information, financial records, and AML/KYC data. The stakes of a CRM data breach or non-compliant data transfer are therefore disproportionately high.

This guide is written for DPOs, Compliance Officers, and senior partners who are responsible for assessing CRM data security and ensuring GDPR compliance.

Best fit and not best fit

Best for: Regulated teams that need client records, secure files, workflow ownership, RBAC and audit history together.

Not best for: Teams that only need a single-purpose tool and do not need governed client operations or compliance evidence.

The Five Biggest CRM Data Security Risks

International data transfers without adequate safeguards (Risk level: High)

HubSpot and Salesforce are US-based companies. Unless you have signed Standard Contractual Clauses (SCCs) and conducted a Transfer Impact Assessment (TIA), your CRM data transfers to the US may be unlawful under GDPR Chapter V. Following the Schrems II ruling and the invalidation of Privacy Shield, the EU-US Data Privacy Framework (DPF) provides a legal basis — but only if your vendor is certified. Check: does your vendor's DPA reference DPF certification or Module 2 SCCs?

AI training on your client data (Risk level: High)

Both HubSpot and Salesforce have rolled out AI features that, in some configurations, train on your data. By default, some of these features are enabled. If client data is used to train a model that could surface information across accounts, this is a serious breach risk. Check: read your vendor's AI policy carefully. Is training opt-in or opt-out? Is it covered in the DPA?

Uncontrolled sub-processor chains (Risk level: High)

Enterprise CRMs typically have hundreds of sub-processors. HubSpot's sub-processor list runs to over 200 vendors. Each sub-processor represents a potential data transfer and a potential weak link in the data protection chain. Under GDPR Article 28, you are responsible for all sub-processors your processor uses. Are you reviewing this list annually?

Retention and deletion gaps (Risk level: Medium)

Most CRMs do not automatically delete data based on your retention schedules. Data sits in the CRM indefinitely unless manually deleted or a custom retention rule is configured. For regulated businesses with strict retention obligations (5 years for AML records, 7 years for financial records), this creates a compliance gap: the CRM may hold data that should have been deleted.
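A small retention-gap audit of the kind this section calls for, added here as an example and not HubSecure product code. It applies per-category retention periods (the 5-year AML and 7-year financial figures above; the `contact` category, the `notes` record and all sample records are constructed) to CRM records and lists what should already have been deleted, surfacing both a record with no schedule configured and a 29 February start date that has no same-day anniversary in the target year.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods per data category, in years. "aml" and "financial" use the
# periods quoted in the guide; "contact" is a constructed placeholder category.
RETENTION_YEARS = {"aml": 5, "financial": 7, "contact": 2}

@dataclass(frozen=True)
class CrmRecord:
    record_id: str
    category: str
    retention_start: date  # when the clock starts (e.g. end of the relationship)
    deleted: bool = False

def retention_deadline(rec):
    """Deadline date, or None if the category has no schedule (itself a gap to surface)."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    target_year = rec.retention_start.year + years
    try:
        return rec.retention_start.replace(year=target_year)
    except ValueError:  # 29 February start date and a non-leap target year
        return rec.retention_start.replace(year=target_year, day=28)

def audit_retention(records, today):
    """Return (overdue_ids, uncategorised_ids) among records not yet deleted."""
    overdue, uncategorised = [], []
    for rec in records:
        if rec.deleted:
            continue  # already purged, nothing to report
        deadline = retention_deadline(rec)
        if deadline is None:
            uncategorised.append(rec.record_id)
        elif deadline <= today:
            overdue.append(rec.record_id)
    return overdue, uncategorised

SAMPLE_RECORDS = [  # constructed sample records; dates are illustrative only
    CrmRecord("r1", "aml", date(2020, 3, 1)),                # 5y -> 2025-03-01, overdue
    CrmRecord("r2", "financial", date(2020, 3, 1)),          # 7y -> 2027-03-01, not yet
    CrmRecord("r3", "aml", date(2020, 3, 1), deleted=True),  # purged, skipped
    CrmRecord("r4", "notes", date(2018, 1, 1)),              # no schedule configured
    CrmRecord("r5", "contact", date(2024, 2, 29)),           # leap day, 2y -> 2026-02-28
]
AUDIT_DATE = date(2026, 5, 7)  # the guide's "last updated" date, used as audit date

def run_audit():
    return audit_retention(SAMPLE_RECORDS, AUDIT_DATE)
```

Run against a real export, the `uncategorised` list is the first thing to fix: a record with no category can never be deleted on schedule.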

Access control and privilege creep (Risk level: Medium)

CRM access rights tend to grow over time. Users gain access they no longer need; former employees are not promptly deprovisioned; external integrations accumulate read/write access. Access to personal data must be limited to those who need it — "need to know" — and access rights must be reviewed periodically.

HubSpot vs Salesforce vs HubSecure: A DPO Comparison

HubSpot

  • ~ Singapore-hosted; EU infrastructure arriving Q3 2026, available on Enterprise tier only
  • EU-US DPF certified + SCCs available
  • ~ AI Copilot features: opt-out required (not opt-in)
  • 200+ sub-processors — high audit burden
  • No native AML/KYC module
  • No end-to-end encryption for contacts
  • ~ Retention policies require manual custom properties

Salesforce

  • ~ Singapore-hosted; EU infrastructure arriving Q3 2026 via Hyperforce (additional cost)
  • EU-US DPF certified + SCCs
  • ~ Einstein AI — training opt-out via admin settings
  • 300+ sub-processors — very high audit burden
  • No native AML/KYC
  • Shield Encryption add-on available
  • ~ Retention requires custom workflow automation

HubSecure

  • Singapore-hosted now; EU infrastructure arriving Q3 2026
  • GDPR DPA included — no separate negotiation
  • AI Operator uses your data only — no cross-account training
  • Minimal sub-processor chain — transparent list
  • Native AML/KYC with 27 UBO registries
  • ML-KEM-768 encrypted mail + Vault
  • Automated retention schedules per data category

What Your DPA With a CRM Vendor Must Contain

Under GDPR Article 28, any CRM vendor processing personal data on your behalf is a data processor, and you must have a written Data Processing Agreement (DPA). The DPA must cover:

  • Subject matter and duration of processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller (your organisation)
  • Processing only on your documented instructions
  • Confidentiality obligations on all authorised persons
  • Implementation of appropriate technical and organisational measures (Article 32)
  • Conditions for engaging sub-processors, including written authorisation
  • Assistance with data subject rights requests (access, erasure, portability)
  • Assistance with security obligations, breach notification, DPIA, and prior consultation
  • Deletion or return of data on termination of services
  • Provision of audit information and cooperation with audits

Many off-the-shelf CRM DPAs provided by US vendors are drafted primarily in their interest. Pay particular attention to the sub-processor approval mechanism — "general written authorisation" is common, but you should receive 30 days' notice of new sub-processors and have a right to object.

The Transfer Impact Assessment (TIA) for US-Based CRMs

If your CRM vendor is subject to US law — which includes FISA 702 and Executive Order 12333 surveillance powers — you must conduct a Transfer Impact Assessment when relying on SCCs. The TIA must assess:

  1. The categories and sensitivity of data being transferred
  2. The legal framework of the destination country and its intelligence access laws
  3. Whether supplementary measures (encryption, pseudonymisation) can effectively protect the data
  4. Whether the transfer can proceed or must be suspended

The EU-US Data Privacy Framework reduces (but does not eliminate) TIA obligations for DPF-certified transfers. If your vendor is DPF-certified, document this in your RoPA and keep a copy of their certification.

DPO's 15-Point CRM Audit Checklist

  1. Confirm signed DPA with all Article 28 requirements
  2. Verify data residency location — EU, US, or other
  3. Check EU-US DPF certification or confirm SCCs are in place
  4. Conduct or update Transfer Impact Assessment
  5. Review sub-processor list — identify high-risk processors
  6. Check AI / ML opt-out settings — verify no cross-account training
  7. Audit access rights — deprovision leavers, review privilege levels
  8. Confirm MFA is enforced for all CRM users
  9. Check encryption at rest and in transit (TLS 1.2+)
  10. Map CRM processing in your Record of Processing Activities
  11. Verify data subject rights request workflow (response in 30 days)
  12. Configure or verify retention schedules — test deletion
  13. Review breach notification SLA in DPA (72 hours to inform you)
  14. Check audit logs — are admin actions logged and retained?
  15. Assess whether a DPIA is required for high-risk processing in the CRM

HubSecure: A CRM built for DPOs, not just sales teams

HubSecure ships with a GDPR DPA on day one, a minimal sub-processor chain, automated retention schedules, and no AI training on your client data. No separate DPA negotiation, no Transfer Impact Assessment anxiety.
