Non-Public CRM Attachments

Feature for role: All Sales Team users of the CRM.
Goal: Store private company files, like contracts, without exposing them to the public.
Value: It will make HubSpot more convenient to the Sales Team as they can store sales-related documents on HubSpot instead of our Company intranet.
Examples: Yes, Salesforce and most CRMs have this feature.

In the HubSpot CRM, all File Attachments are stored in the CMS File System.

These files are stored in a PUBLICLY ACCESSIBLE CDN--with a URL like

These files will be INDEXED by Google, which makes them searchable to the public.
That means that your competitors or someone malicious can search Google for interesting documents that you've uploaded to your CRM.

This is not a problem for documents meant to be accessible to the public. However, this is a BIG PROBLEM for documents, like Contracts, or private company memos NOT meant for the public's eyes.

HubSpot's suggested workarounds are not sufficient. Try explaining the following to the Sales Team: 1) You may use "Upload File" but 2) You MUST NOT use Add file -> Upload file (those 2 buttons are right next to each other). Oh, and 3) You can use Add File -> Upload a File -- but only if you place it in the correct folder and only if that folder has a Robots.txt file that is correctly configured.  If you place it in the wrong folder or someone deletes or misconfigures that robots.txt file, you are out of luck.


The CMS file system allows you to select from DropBox or Google Drive. However, instead of just inserting the link to DropBox or Google Drive, the CMS File System copies the file over to the CMS File System, making the file indexable by Google and searchable and accessible by the public.

Our company quickly came to the conclusion that if we wish to keep our PRIVATE COMPANY DOCUMENTS PRIVATE, we could not allow the Sales Team to use the HubSpot Attachments widget.


Please provide an attachment system that is made to store and organize all attachments in a manner requiring authentication. This should be a separate workflow from storing attachments meant to be distributed to the public.

In addition to a CMS File System (meant for public distribution), we need a CRM File System meant for private company files--a system that provides authentication at a minimum, and possibly authorization (permissions) somewhere down the road.

It would be helpful to have a CRM file widget that allows you to insert a link from DropBox, Google Drive or AWS WorkDocs--not copy the file, just provide the link. That way, the CRM users would have the ability to allow this 3rd party service to provide access control.

Lastly, we need a way to Turn OFF, or control access to the CMS File Widget. We don't want the website team to have access to it, but we don't want the Sales Team to have access to it.

3 Replies
HubSpot Product Team

Thank you for submitting your idea!


We currently do not publicly expose files that are exchanged in 1:1 communication, such as those files that are uploaded to HubSpot through email attachments.


We recently rolled out a feature that also enables you to specify the public visibility of the files, and search index crawling. Read more about this feature here.

HubSpot Product Team
updated to: Delivered
New Member



Is it possible to manage this setting through the API? There is no mention of it in the docs, it would be very useful for us...