January 2020 Revisions to our TOS, DPA and AUP

Terms of Service Updates

HubSpot recently updated the July 2019 version of the HubSpot Customer Terms of Service (a.k.a. the TOS) and we wanted to give you some info on what's changed.  Archived versions of the TOS are available here for your reference.

We think you’ll be happy to see these updates as these have been informed by what customers have been requesting.  We also offer more transparency on how we manage your data. Here's a summary of the changes we've made to our TOS:

• We’ve added ‘Affiliates’ to the ‘Definitions’ section and will now support allowing Affiliates of a customer to access the Subscription Service.  Please keep in mind that as the Customer, you are responsible for all use by your Affiliates.
• We’ve updated the definition of ‘Confidential Information’ to be more specific about the types of information which will be considered confidential.  In the ‘Confidentiality’ section, we’ve added more detail regarding the limited circumstances when Confidential Information may need to be disclosed pursuant to a legal request.
• The definition of ‘Sensitive Information’ has been updated to allow for some types of personal financial account information.  Please note that personal financial account numbers, wire instructions, and any information subject to Payment Card Industry Data Security Standards is still considered Sensitive Information.
• The ‘Availability’ section has been replaced with the ‘Service Uptime Commitment’ section.  This new section defines a ‘Priority 1’ outage, defines what type of unavailability will be excluded from consideration in the uptime commitment, commits to a specific uptime percentage, and provides a remedy in the event that we fail to meet our uptime commitment over the course of two consecutive calendar months.  For more detail, please check out this new section.
• The ‘Prohibited and Unauthorized Use’ section has been modified to remove the restriction on Customers sending communications that are subject to the Gramm-Leach-Bliley Act (the ‘GLBA’) provided that Customers do not use the Subscription Service in a way that would violate GLBA.
• The ‘Early Termination; No Refunds’ section has been replaced with the ‘Early Cancellation’ section, which allows Customers to cancel their Subscription at their convenience provided that Customers must pay all Subscription Fees due for the Subscription term and that HubSpot will not offer any refunds of prepaid but unused fees.
• In the ‘Retrieval of Customer Data’ section, we no longer require that you have paid all Subscription Fees due to us if you need to retrieve your Customer Data after the termination or expiration of your subscription.
• The ‘Limitation of Liability’ section has been updated so that the total liability of each party will be limited to the sum of the total fees paid or payable by Customer in the previous 12 months.  Please note there are some Customer exceptions outlined in this clause.
• We’ve updated the ‘Assignment’ section so that customers no longer need to obtain HubSpot’s consent to assign the Agreement to a successor if engaged in a merger, reorganization, sale of assets, change of control or operation of law so long as the successor is not a competitor of HubSpot.
• For U.S. local, state, and federal government Customers (the ‘Government Customers’), a new set of terms known as the ‘U.S. Government Customer Additional Terms’ shall apply to your Agreement. These terms address certain legal restrictions applicable to U.S. Government Customers only and can be found here.
• Because we’re launching a new version of our Data Processing Agreement (a.k.a. the DPA), we’ve updated the provision in our TOS that incorporates our DPA into our TOS. You’ll find more details about the changes we made to our DPA below.
• We’ve streamlined our section on ‘Customer Data’ and updated it to reflect current data practices. You’ll see we’ve clarified what we mean by ‘Enrichment Data’ and removed the concept of ‘Crowdsourced Data’.
• We’ve made some necessary changes to the ‘Jurisdiction Specific Terms’ section of our TOS to deal with the effects of Brexit, specifically with regards to the transfer of data to the United Kingdom.

Additional Coverage Terms

For customers who have a Total Committed Subscription Value of more than $35,000 USD, we’ve created a new set of terms known as the HubSpot Additional Coverage Terms. These terms will be automatically incorporated into the terms of your Agreement if that threshold is reached.  Included in those terms are:

1. A revised ‘Limitation of Liability’ which includes a carveout that uncaps HubSpot’s liability for our IP indemnification obligations under the ‘HubSpot Indemnification’ section.  
2. The ‘Performance Warranty’ section commits that HubSpot will provide the Subscription Service and Consulting service in a manner consistent with generally consistent industry standards and that we will not knowingly introduce malicious code or viruses into the Subscription Service.
3. We included a ‘HubSpot Indemnification’ section which outlines our indemnity obligations in the event that a Customer is subject to an Action by a third party alleging that the Subscription Service: infringes a valid patent in a member state of the Patent Cooperation Treaty, registered trademark, or copyright (‘IP Indemnification’), or 2) our breach of our confidentiality obligations or our use of Customer Data in violation of the Agreement (‘Confidentiality and Data Misuse Indemnification’).  Please be sure to read through this section carefully as there are important additional details contained therein.
4. We’ve updated the Germany, Colombia, and France Limitation of Liability sections of the ‘Jurisdiction Specific Terms’ to ensure customers in those jurisdiction benefit from the provisions of the Additional Coverage Terms while maintaining compliance with local laws.

Finally, as we usually do when we update the TOS, we made some drafting clean-ups, clarifications and formatting improvements.  Some of these updates were made to help provide a clearer description of the intent of the terms or to make the terms easier to review.

Data Processing Agreement Updates

HubSpot is pleased to announce a new version of our Data Processing Agreement (a.k.a the DPA) which will replace the November 2018 version. Our new DPA will apply across our customer base where HubSpot processes personal data or personally identifiable information on behalf of a customer in connection with their use of HubSpot’s subscription services, and where such personal data is protected by applicable data protection or privacy laws. Archived versions of the DPA are available here for your reference.

You’ll see that we’ve broadened our definition of ‘Data Protection Laws’ to encompass all applicable worldwide data protection and privacy legislation, including the General Data Protection Regulation, the e-Privacy Directive 2002, the California Consumer Privacy Act of 2018 and data protection and privacy laws in Australia and Singapore.

In preparation for Brexit we have included the UK in our definitions of ‘Europe’ and ‘European Data Protection Law’. This is intended to minimise disruption to our UK customers and ensure that their personal data is treated in accordance with applicable national data protection legislation, as currently exists and as may be implemented post Brexit.

Our DPA was originally created specifically for customers subject to European data protection laws and we will continue to maintain our commitments to these customers in line with European data protection laws. Our section entitled ‘Additional Obligations for European Data’ will look very familiar and pulls together all our additional commitments to you.

We’ve clarified that the the Standard Contractual Clauses (‘SCCs’) in Annex 3 of the DPA act as the primary transfer mechanism for data transfers to HubSpot Inc. Privacy Shield is also available as a backup in the event that the SCCs are invalidated in the future.

We've added a new section to the HubSpot DPA called 'Additional Obligations for California Personal Information' which calls out our CCPA obligations. These terms will only apply to customers who process Personal Information subject to the CCPA.

We recognize that our customers’ affiliates may also use our subscription services and may be a data controller under European data protection laws. We have extended our DPA to cover Customer Affiliates where personal data is transferred in their use of the subscription services.

We’d also like to flag that we’ve reorganized our DPA as a result of the above mentioned changes and made it easier to navigate. Our ‘Details of Processing’ section has been moved to Annex 1. Our ‘Security Measures’ section has been consolidated into Annex 2 of the DPA. 

Finally, we’ve also made some drafting clean-ups, clarifications, and formatting improvements to our DPA. As a result our terms should more clearly describe the intent of the terms and be easier to review.

Acceptable Use Policy Updates

We’ve updated our Acceptable Use Policy (a.k.a. the ‘AUP’) such that use of the HubSpot services to engage, promote, facilitate, or instruct others to engage in illegal activity is now restricted. 

We’ve also restricted use of our services in order to promote, encourage or facilitate hate speech, violence or discrimination based on race, color, religion or creed, national origin or ancestry, sex, age, physical or mental disability, veteran status, genetic information, and/or citizenship.