In recent months, there's been a rising buzz within the HubSpot ecosystem—whispers suggesting that SOC 2 compliance might soon become mandatory for all HubSpot SaaS and service partners. Even now, current HubSpot partners report that they are required to comply with a recent data security update by completing a data security assessment that inquires about security practices mirroring SOC 2 compliance controls. Even after rolling out this new update, HubSpot has yet to communicate transparently about the elevated level of security it demands of its partners. 

What does HubSpot Require of its Partners?

With over 100,000 customers in more than 120 countries, HubSpot has always emphasized its dedication to upholding strict security standards in order to protect customer data across its expansive footprint. While HubSpot itself boasts SOC 2 Type II and SOC 3 compliance, the company has not explicitly required the same level of security of its SaaS partners, though many of them are feeling pressured to acquire SOC 2 in order to fulfill HubSpot’s stringent security expectations.

An illustration of HubSpot’s security standards comes in the form of the security assessment that HubSpot requires its CRM Integration Accredited partners to complete. According to HubSpot, the goal of this assessment is to review third-party data access and verify that the controls implemented by third-party organizations align with the baseline security control expectations required by HubSpot for its own employees.

What HubSpot refers to as ‘basic’ security control expectations nonetheless requires a robust data security compliance effort on the part of partners. The questionnaire asks whether a potential partner company has the following:

  • Information security policies that are read and acknowledged by employees
  • Compliance with industry standard security frameworks, such as ISO 27001, CIS, SOC 2, etc.
  • Pre-completed security questionnaires that can be shared for review (SIG, SIG Lite, CAIQ etc.)
  • Regular data security and privacy training for employees
  • Full disk encryption, anti-virus, and authentication requirements for devices that are used to perform services for HubSpot and its customers
  • A high-level overview of controls that are employed on these devices
  • Capability to attest to deletion of all HubSpot data or HubSpot customer data that may have been collected and stored during the engagement in the event of the termination of the partner’s relationship with HubSpot
  • Ability to attest that after an employee terminates, they no longer have access to HubSpot data
  • Up to date privacy policy that outlines how the partner collects, uses, manages, and protects personal information
  • Compliance with applicable global and local data protection laws (GDPR, CCPA, etc.)

While SOC 2 compliance is not listed anywhere as a mandatory requirement for HubSpot’s CRMI partners, the security controls and standards inquired about in this assessment lead partners to believe that the more security controls they integrate, the more likely HubSpot is to accept their partner application. 

Because HubSpot is already asking for such an elevated level of security from its partner organizations, it is not unlikely that they will begin requiring SOC 2 compliance. If your organization is currently a partner in the HubSpot ecosystem, or hoping to become one, would you be able to fulfill this requirement? How long would it take your team to obtain SOC 2? Six months? What if HubSpot only gives you three? Would you be able to remain in the HubSpot ecosystem, or would your current security infrastructure hold you back?

Impact on SaaS and Service Partners

For many SaaS and service partners, obtaining SOC 2 compliance is not a simple undertaking. It involves considerable time, effort, and financial investment. The process can be especially onerous for smaller partners who may not have the organizational depth to allocate team members and resources toward the pursuit of SOC 2 compliance.

The current ambiguity from HubSpot leaves partners in a precarious position. Should they start the expensive and time-consuming certification process now, just in case? Or should they wait for an official announcement, risking their application being rejected from HubSpot if the requirement is suddenly enforced?

BD Emerson’s SOC 2 Compliance Expertise

For HubSpot partners feeling overwhelmed by the potential of mandated SOC 2 compliance, BD Emerson offers comprehensive solutions to streamline the certification process. With extensive experience in SOC 2 compliance, BD Emerson helps businesses develop robust internal controls and policies that meet the rigorous standards of SOC 2.

Comprehensive Readiness Assessments

BD Emerson provides readiness assessments that identify gaps in a company’s current security posture. By performing a thorough evaluation, we help organizations understand what specific areas need improvement to meet SOC 2 standards. This proactive approach ensures that organizations can address issues before they become compliance risks.

Customized Policy Development

Developing and implementing the necessary policies for SOC 2 compliance can be daunting. BD Emerson works closely with teams to create tailored policies and procedures that align with business operations while satisfying SOC 2 requirements. 

Continuous Monitoring and Support

Maintaining SOC 2 compliance is an ongoing effort. BD Emerson offers continuous monitoring services to ensure that controls remain effective and compliant over time. This ongoing support helps organizations stay ahead of any changes in compliance requirements, providing peace of mind and allowing them to focus on core business functions.

Read more about BD Emerson’s SOC 2 Compliance Consulting Services

The Need for Transparency

The call for transparency is not about resisting HubSpot’s enhanced security measures. On the contrary, many partners acknowledge the importance of such certifications in safeguarding customer data and enhancing trust. However, the way forward needs to be clear and direct.

If HubSpot is indeed planning to enforce SOC 2 certification requirements, it's crucial for them to communicate this clearly and provide ample time for SaaS and service partners to comply. Such a move would not only help partners prepare adequately but also strengthen the overall security posture of the HubSpot ecosystem.

Conclusion

As the speculation continues, it's essential for HubSpot to address these concerns head-on. Clear, transparent communication is key to maintaining trust and ensuring that all partners are on the same page. Whether these certification requirements are fact or fiction, HubSpot owes its partners an honest conversation.

In the meantime, for those looking to get ahead of potential requirements, partnering with BD Emerson can give you peace of mind. 

Are you a HubSpot partner feeling the heat of these rumors? Share your thoughts and experiences with us. Let’s get the conversation started.

Is HubSpot Requiring its Partners to be SOC 2 Compliant?

About the author

Managing Director

Drew spearheads BD Emerson's Governance, Risk, Compliance, and Security (GRC+Sec) division, where he channels his expertise into guiding clients through the labyrinth of Information Security, Risk Management, Regulatory Compliance, Data Governance, and Privacy. His stewardship is key in developing tailored programs that not only address the unique challenges faced by businesses but also foster a culture of security and compliance.
