July 2021 Legal Stuff Update and Regional Data Hosting
We are excited to announce that we are launching our first regional data center in the EU. From today, new HubSpot customers based in EMEA can use the new data center. For further detail please see the HubSpot Regional Data Hosting Policy which we have just published today on our Legal Stuff pages. Please note that for existing HubSpot customers, we are currently building the ability to migrate data to HubSpot’s EU data centre. We anticipate that the EU data center will be available for existing customers in 2022. Existing customers can learn more about our plans for migrating customer data here.
Our new Regional Data Hosting Policy sets out our commitment to hosting Customer Data in a specific location and the exclusions to that commitment. The first regional data center we are offering is in the EU and it is now available to new HubSpot customers based in EMEA. The location of data hosting will be indicated on your Order Form and in your HubSpot account. If no location is specified in your Order Form your Customer Data is hosted in the United States of America (USA).
Our commitment to storing customer data in a specific location is subject to certain exclusions. HubSpot Inc. is based in the USA and certain storage and processing may continue outside of the specified location, including in the USA and other regions where we, our Affiliates and Sub-processors operate.
Please see below a summary list of the exclusions to our commitment to storing Customer Data in a specific location:
Customer and Product Development Support; HubSpot employees from other locations may access your account in order to provide customer support and for product development purposes.
Security and Abuse Prevention; HubSpot employees from other office locations may access your HubSpot account and Customer Data to investigate or remediate security incidents and/or product abuse.
Integrations; If you choose to use integrations that process Customer Data, those integrations may process and/or store Customer Data in locations other than the Location.
Operations Hub; Our infrastructure that supports the Operations Hub sync engine is hosted in the USA (AWS East). This means that if you use sync features powered by Operations Hub, data will be transferred to, processed, and stored in the USA.
User Access; Your Users may log in to your HubSpot account from areas outside of the Location. This means that data may be accessed and transferred from the User’s location.
Usage data; As described in the ‘Customer Data’ section of the Customer Terms of Service, we may collect data about how you use and interact with the Subscription Service. This usage data will be transferred from the Location to the USA.
Some of our Sub-Processors do not have data centers in the EU and we specifically call out these Sub-Processors as exclusions. You may choose not to use the features and functionality provided by some of these sub-processors as described in our Regional Data Hosting Policy.
We would recommend that you read our Regional Data Hosting Policy carefully to ensure you understand the terms on which we are making our EU data center available.
We have added a section on Regional Data Hosting to the ‘Customer Data’ section of the Master Terms. With the launch of our new EU data center today new HubSpot customers based in EMEA will have their Customer Data stored in Europe by default. Existing customers and new customers located outside of EMEA will have their data hosted in the USA. For more information please see our Regional Data Hosting Policy.
We have also updated the ‘DISCLAIMERS; LIMITATION OF LIABILITY’ section of our Master Terms. We now offer a performance warranty to all HubSpot customers with paid subscriptions; it does not apply to you if you only use our Free Services. We warrant that: (i) the Subscription Service and Consulting Services will be provided in a manner consistent with generally accepted industry standards, and (ii) we will not knowingly introduce any viruses or other forms of malicious code into the Subscription Service. The remedy for non-conformance will be to use commercially reasonable efforts to fix the non-conformance and if it cannot be corrected within sixty days then either party may terminate the Agreement by providing thirty day’s written notice to the other. If you terminate the Agreement we will promptly refund any prepaid but unused fees covering use of the Subscription Service after termination. We also list some exceptions to this performance warranty. We will not have any liability under this section if the non-conformance is caused by or based on: (i) any combination of the Subscription Service with any hardware, software, equipment, or data not provided by us, (ii) modification of the Subscription Service by anyone other than us, or modification of the Subscription Service by us in accordance with specifications or instructions that you provided, or (iii) use of the Subscription Service in violation of or outside the scope of this Agreement. This section states our entire liability and your sole and exclusive remedy for any claims arising under this section. Since we offer this performance warranty to a greater proportion of our customers we have removed the performance warranty offered in our ‘Additional Coverage Terms’ in Appendix 1 of our Master Terms.
We’ve made some drafting clean-ups, clarifications and formatting improvements. Some of these updates were made to help provide a clearer description of the intent of the terms or to make the terms easier to review.
Product Specific Terms
We have made some minor changes to our Call Recording clause in the ‘Consulting and Other Services’ section of our Product Specific Terms. These changes are intended to simplify the clause and make it easier to review.
Data Processing Agreement
We have amended the definition of “European Data Protection Laws” by updating the reference to any applicable national UK legislation that replaces or converts GDPR into national law with the GDPR as as it forms parts of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
We have added a new Security section to the ‘Customer Responsibilities’ section of the DPA. We clarify that you are responsible for independently determining whether the data security provided for the Subscription Service adequately meets your obligations under applicable Data Protection Laws. We also highlight that you are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service.
In the ‘Limitation of Liability’ section of our DPA we have clarified that neither party’s liability will be limited with respect to any individual's data protection rights under this DPA.
We have also updated our list of Sub-Processors in Annex 4 of our DPA and we have added the following Sub-Processors: Ably.io, Google reCAPTCHA, ConvertAPI, HelloSign, Litmus and Mux. We have also split our Sub-Processors into two tables so you can clearly see Third-Party Sub-Processors and HubSpot Sub-Processors. For our Third-Party Sub-Processors we have included a column to this table to indicate the Sub-Processor location for both our US and EU data centers. We have also removed the language about our Sub-Processor Snowflake, Inc. as this is no longer applicable.
We’ve also made drafting clean-ups and clarifications to the following sections in our DPA: ‘Deletion or Return of Personal Data’ section, the ‘Data Transfers’ section and the ‘Transfer Mechanisms for Data Transfers’ section.
Please remember that this is just an informal, high-level summary of the most recent changes to these documents, and that you should always make sure you’ve read and understood the complete Customer Terms of Service before you use our software or services.