APIs & Integrations

Carlos_Mostek
Member

Engagement Attachments of Confidential information

According to this page it says you should not use file manager for sensitive files because they are uploaded to a publicly accessible CDN. However earlier in the docs it says that if you set hidden to true, you can use them only for attaching to engagements.

If I set hidden to true, does that put them somewhere other than the CDN so that I can attach sensitive information (like an invoice) to an engagement?

Thanks!

Carlos

0 Upvotes
4 Replies 4
Derek_Gervais
HubSpot Alumni
HubSpot Alumni

Engagement Attachments of Confidential information

Hi @Carlos_Mostek,

I understand; thanks for the clarification! I just wanted to make sure to mention that since I wasn't sure exactly what info was in the invoices you mentioned. Files with the hidden flag set to true are only accessible by users logged into HubSpot, with a single exception: If a logged in user is viewing the image in-app, and then clicks the 'View' button, HubSpot will generate a public image URL with authentication details in the URL as query parameters, as well as an expires parameter.

This link is essentially a temporary public URL, and can be shared until it expires. This means that if a user were to generate this link and share it, anyone could view the file until the link expired. If that level of access is alright with you, then you should be all set to use hidden files.

0 Upvotes
Carlos_Mostek
Member

Engagement Attachments of Confidential information

That sounds great, thanks!

Derek_Gervais
HubSpot Alumni
HubSpot Alumni

Engagement Attachments of Confidential information

Hi @Carlos_Mostek,

Setting the hidden flag makes them inaccessible via public image links, but storing sensitive information may still violate our Privacy Policy (see below). I wouldn't expect that the hidden flag affects the requirements with respect to storing sensitive data:

https://legal.hubspot.com/privacy-policy

0 Upvotes
Carlos_Mostek
Member

Engagement Attachments of Confidential information

I'm just concerned if anyone can access the information. The information in the invoices is all information that is already stored in hubspot such as company name, email address, and deal totals. All of that info is already in hubspot, so I hope it doesn't violate your privacy policy :). As long as hidden does not put it on a public CDN I'm guessing we are okay, I just wanted to confirm there isn't some other unauthenticated way to get at the data I'm uploading. This should be security through authentication, not obscurity.

Basically, they are sensitive from a public standpoint, but not from a internal company relationship standpoint. I just want to attach an invoice to an email.

0 Upvotes