HubSpot Security Settings Every Admin Should Check
HubSpot holds your customer data, your sales pipeline, your service tickets, and probably a fair amount of sensitive information you haven't thought about in a while. Most admins set up security during initial configuration and never touch it again. That's how portals end up with eight super admins, API keys from 2019 still active, and former employees who can still log in.
This isn't a theoretical risk. We've audited portals where ex-employees still had active super admin access months after leaving. One client discovered a third-party integration was silently syncing their entire contact database to a tool nobody used anymore. These things happen quietly until they don't.
User Access and Permissions
Start here because it's the most common problem area.
Super admin count. Pull up Settings → Users & Teams and filter by super admin. If you have more than three or four, that's too many. We regularly see portals with 10+ super admins because it was easier to grant full access than figure out the right permission level. Every super admin can delete contacts in bulk, export your entire database, modify integrations, and change billing. Limit this to the people who genuinely need it.
Inactive users. Sort by last active date. Anyone who hasn't logged in for 90+ days should be deactivated. Not deleted (you'll lose activity history), just deactivated. Pay special attention to users who've left the company. HubSpot doesn't deactivate a user when you remove them from your email system or directory; with SSO, removing them from the identity provider blocks their login, but their HubSpot seat and permissions stay in place until you deactivate the user in HubSpot.
Two-factor authentication. This should be required for all users, full stop. Go to Settings → Account Defaults → Security and enable "Require two-factor authentication." If you're on Enterprise, use SSO through your identity provider instead. Either way, password-only access in 2026 is asking for trouble.
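The three checks above (super admin count, inactive users, 2FA coverage) are quick to do by hand on a small portal and tedious on a large one. The script below is an added example, not a HubSpot feature or code from this article's author: it applies the article's thresholds to a user export. The column names (Email, Super admin, Last active, Two-factor, Status) are assumptions, as is the Yes/No and ISO-date formatting; HubSpot's real export may label these differently, so adjust the COLUMNS mapping rather than the logic. The sample CSV is constructed, not data from any real portal.

```python
"""Audit a HubSpot user export against the thresholds in this article.

Assumed (hypothetical) export columns: Email, Super admin (Yes/No),
Last active (ISO date or empty), Two-factor (Yes/No), Status (Active/Deactivated).
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

MAX_SUPER_ADMINS = 4   # "more than three or four is too many"
INACTIVE_DAYS = 90     # deactivate after 90+ days without a login

# Hypothetical column names; remap here if your export uses different headers.
COLUMNS = {
    "email": "Email",
    "super_admin": "Super admin",
    "last_active": "Last active",
    "two_factor": "Two-factor",
    "status": "Status",
}

# Constructed sample export, not data from a real portal.
SAMPLE_CSV = """Email,Super admin,Last active,Two-factor,Status
alice@example.com,Yes,2026-05-30,Yes,Active
bob@example.com,Yes,2026-01-15,Yes,Active
carol@example.com,Yes,2026-05-28,No,Active
dave@example.com,Yes,2026-05-29,Yes,Active
erin@example.com,Yes,2025-11-02,Yes,Active
frank@example.com,No,,No,Active
grace@example.com,No,2025-06-01,No,Deactivated
heidi@example.com,No,2026-04-01,Yes,Active
"""


@dataclass
class Findings:
    super_admins: list = field(default_factory=list)
    inactive: list = field(default_factory=list)
    no_2fa: list = field(default_factory=list)

    @property
    def too_many_super_admins(self) -> bool:
        return len(self.super_admins) > MAX_SUPER_ADMINS


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_users(csv_text: str) -> list:
    """Read the export into dicts keyed by the internal names in COLUMNS."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{key: (row.get(col) or "").strip() for key, col in COLUMNS.items()}
            for row in reader]


def audit_users(users: list, today: date) -> Findings:
    """Apply the article's thresholds to users who are still active."""
    f = Findings()
    for u in users:
        if u["status"].lower() != "active":
            continue  # already deactivated; nothing further to do
        if _yes(u["super_admin"]):
            f.super_admins.append(u["email"])
        if u["last_active"]:
            idle_days = (today - date.fromisoformat(u["last_active"])).days
        else:
            idle_days = None  # never logged in: treat as inactive
        if idle_days is None or idle_days >= INACTIVE_DAYS:
            f.inactive.append(u["email"])
        if not _yes(u["two_factor"]):
            f.no_2fa.append(u["email"])
    return f


def report(f: Findings) -> str:
    """Render findings as the checklist an admin would work through."""
    verdict = "too many" if f.too_many_super_admins else "ok"
    lines = [f"Super admins: {len(f.super_admins)} ({verdict})"]
    lines += [f"  - {e}" for e in f.super_admins]
    lines.append(f"Inactive {INACTIVE_DAYS}+ days or never logged in: {len(f.inactive)}")
    lines += [f"  - {e}" for e in f.inactive]
    lines.append(f"Active users without 2FA: {len(f.no_2fa)}")
    lines += [f"  - {e}" for e in f.no_2fa]
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible; use date.today() in practice.
    print(report(audit_users(parse_users(SAMPLE_CSV), date(2026, 6, 1))))
```

Point it at a real export by replacing SAMPLE_CSV with the file contents and passing date.today(). The deactivated user is skipped on purpose: the article's advice is to deactivate rather than delete, so deactivated seats will accumulate and should not keep tripping the inactive-user check.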
For a deeper look at structuring access as you grow, check out our guide on building a permissions strategy that scales.
API and Integration Security
This is where things get overlooked because it's less visible than user access.
Private apps. Go to Settings → Integrations → Private Apps. List every app. For each one: who created it? Is it still in use? What scopes does it have? Private apps with broad scopes (like full CRM access) that nobody monitors are a liability. If an app only needs to read contacts, it shouldn't have write access to deals.
Connected apps. Settings → Integrations → Connected Apps shows every third-party tool with access to your portal. We've found Zapier connections from three platform migrations ago still actively syncing data. Review each connection quarterly and disconnect anything that's no longer needed.
Legacy API keys. HubSpot sunset API keys at the end of November 2022, but some portals still have one lingering in settings or baked into an integration's configuration. An API key is a single unscoped credential with full access to the portal, and it can't be narrowed. If you still have one, replace it with a private app that has only the scopes the integration actually uses, then rotate the key out of wherever it was stored.
Data Export Controls
By default, most HubSpot users can export data. That might be fine for your sales manager pulling a report. It's less fine for a contractor who can download your entire contact database to a CSV and walk away with it.
Check who has export permissions: Settings → Users & Teams, then review each permission set. For most roles, export access should be restricted or limited to specific objects. If you're in a regulated industry (healthcare, finance, anything touching EU data under GDPR), this isn't optional. It's a compliance requirement.
Operational Security
Deleted records. HubSpot keeps deleted records in the recycle bin for 90 days. After that, they're gone. Make sure your team knows this exists and how to recover items. Better yet, restrict bulk delete permissions to admins only. One accidental "select all → delete" on a contact list is all it takes.
Audit logs. Enterprise portals have access to audit logs that track who changed what and when. If you're on Enterprise and not reviewing these periodically, you're paying for a security feature you're not using. Check them monthly for unexpected changes to settings, workflows, or integrations.
Workflow permissions. Workflows can send emails, update records in bulk, create tasks, and trigger integrations and webhooks, so a misbuilt or malicious workflow has the same reach as a bulk edit or an export. If every user can create and modify workflows, you'll end up with conflicting automations and no clear owner for any of them. Limit workflow edit access to your ops team or admins. Related: understanding when to use workflows vs. sequences helps prevent people from building the wrong automation type in the first place.
Building a Review Cadence
None of this matters if you check it once and forget about it. Security configurations drift just like data quality does.
Monthly (15 minutes): Review any new users added. Check for deactivated/departed employees still with access. Glance at connected apps for anything unexpected.
Quarterly (30 minutes): Full permission audit. Review all super admins. Check private app scopes. Review export permissions. Test that 2FA is still enforced.
Annually (1-2 hours): Comprehensive security review. Document your security configuration. Update your incident response plan. Review compliance requirements against current settings.
Run our free portal audit to get a baseline. It flags excessive super admin access, inactive users, and common security misconfigurations automatically.
Need help locking down your HubSpot portal? We've built security configurations for companies across regulated and non-regulated industries. See our ongoing support services or book a discovery call.