HubSpot GDPR Compliance for German Businesses: DPA, AVV, and AI Act Guide
HubSpot is GDPR-compliant when used with the correct contractual setup. HubSpot offers a Data Processing Agreement (DPA) available to all customers, supports EU data residency options, and uses Standard Contractual Clauses (SCCs) for transatlantic data transfers. German companies must sign the DPA — the equivalent of an Auftragsverarbeitungsvertrag (AVV) under Article 28 DSGVO — before processing personal data of EU residents through HubSpot.
Does HubSpot Have a Data Processing Agreement (DPA)?
Yes. HubSpot provides a Data Processing Agreement to all customers, regardless of plan tier. This makes HubSpot different from some AI tools that restrict DPA access to enterprise plans only.
The HubSpot DPA covers:
- Processing purposes and scope: The categories of personal data processed on your behalf (contacts, leads, deal data, email recipients)
- Sub-processor obligations: HubSpot’s use of third-party services (AWS, Google Cloud, and others listed on their sub-processor page)
- EU data transfer mechanisms: Standard Contractual Clauses for transfers of personal data from the EU/EEA to HubSpot’s US infrastructure
- Data subject rights: Procedures for handling access, deletion, and portability requests
- Security measures: Technical and organizational measures (TOMs) HubSpot maintains to protect customer data
The DPA can be accessed through HubSpot’s customer portal and is incorporated by reference into HubSpot’s standard terms of service. Unlike some vendors, HubSpot does not require separate negotiation for the DPA — it is a standardized document made available to all paying customers.
HubSpot AVV for German Businesses — What to Sign
Under German law, the Data Processing Agreement is referred to as an Auftragsverarbeitungsvertrag (AVV) — the contract required by Article 28 DSGVO whenever a controller engages a processor to handle personal data on its behalf.
HubSpot’s DPA serves as the AVV. Key steps for German companies:
- Accept the DPA in your HubSpot account settings or request it through your account manager. The DPA is typically pre-signed on HubSpot’s side.
- Document the acceptance in your records of processing activities (Verzeichnis von Verarbeitungstätigkeiten) as required by Article 30 DSGVO.
- Review the sub-processor list and ensure your privacy notice reflects the categories of data shared with HubSpot and its sub-processors.
- Verify Standard Contractual Clauses are in place for EU-US transfers. HubSpot incorporates the current EU SCCs (Commission Decision 2021/914) into its DPA.
Note that the AVV is not optional — operating HubSpot as a CRM without a signed DPA while processing EU residents’ personal data constitutes a GDPR violation and can result in supervisory authority fines.
GDPR Compliance: Where HubSpot Stores Your Data
HubSpot’s infrastructure is hosted primarily on Amazon Web Services (AWS). HubSpot offers customers in qualifying regions the option to select the EU as their data region, meaning contact and company data is stored in AWS data centers in the European Union.
Important distinctions:
- EU data residency: Available to customers who select it during account setup or by contacting HubSpot support. Not all HubSpot data is stored in the EU even with this setting — some operational and support data may still transit US servers.
- Standard Contractual Clauses: Required for any personal data processing that involves HubSpot’s US-based entities or infrastructure, even with EU data residency enabled.
- Sub-processor locations: HubSpot’s sub-processors include companies in the US and other third countries. The current sub-processor list is published at trust.hubspot.com and is updated as HubSpot adds or removes vendors.
For German companies with strict data localization requirements — common in healthcare, financial services, and public sector procurement — verify the specific data categories stored in EU vs. US regions before committing to HubSpot as your CRM.
Compare HubSpot’s data residency model with Salesforce Einstein, which similarly offers EU data centers but involves complex sub-processor chains, or Zapier, which routes HubSpot data through additional third-party connectors requiring separate DPA review.
HubSpot AI Features and the EU AI Act
HubSpot’s AI-powered suite, branded as Breeze AI, includes features across the CRM, marketing, sales, and service hubs:
- Breeze Copilot: Conversational AI assistant for CRM tasks
- Content Assistant: AI-generated email copy, blog posts, and social content
- Predictive lead scoring: AI-based contact prioritization
- Conversation intelligence: AI transcription and analysis of sales calls
Under the EU AI Act, which applies from August 2026 for most AI system providers, the risk classification of these features varies:
| HubSpot AI Feature | EU AI Act Risk Level |
|---|---|
| Breeze Copilot (assistant) | Minimal risk |
| Content Assistant (text generation) | Minimal risk (GPAI obligations apply to underlying model) |
| Predictive lead scoring | Limited to minimal risk |
| Conversation intelligence (employee monitoring) | Limited risk — transparency obligations apply |
GPAI obligations: If HubSpot’s AI features rely on a General Purpose AI model (as defined under Article 3(63) EU AI Act), HubSpot as the deployer may be subject to transparency requirements. Businesses deploying HubSpot Breeze AI features should verify what model underlies each feature and whether the EU AI Act Code of Practice obligations apply.
For a full guide to AI Act compliance for CRM deployments, see our EU AI Act compliance overview.
Works Council (Betriebsrat) Requirements When Deploying HubSpot
In Germany, deploying a CRM system like HubSpot across a workforce frequently triggers co-determination rights under §87(1) No. 6 BetrVG (Betriebsverfassungsgesetz). This provision gives works councils the right to participate in decisions about the introduction and use of technical systems capable of monitoring employee behavior or performance.
HubSpot can capture:
- Email open and click tracking (for sales reps)
- Call activity logs and recordings (via Conversation Intelligence)
- Deal pipeline activity per user
- Task completion and response time metrics
These features mean HubSpot may be classified as a monitoring system for employees — not just a customer database. Before deploying HubSpot in an organization with a Betriebsrat, you should:
- Notify the works council about the planned introduction of HubSpot and its AI features
- Negotiate a Betriebsvereinbarung (works agreement) that defines permissible use cases, data access rights, and retention periods
- Limit tracking features where the works council has co-determination rights, or agree on specific technical configurations that satisfy both business needs and employee data protection
Failure to involve the works council can result in injunctions against using the system and, in some cases, invalidity of related employment actions.
Key Compliance Checklist for HubSpot in Germany
Use this checklist before going live with HubSpot in a German business context:
- DPA/AVV signed: Accept HubSpot’s Data Processing Agreement in your account settings
- EU data region selected: Request EU data residency if required by your sector or internal policy
- SCCs confirmed: Verify Standard Contractual Clauses are incorporated via HubSpot’s DPA
- Sub-processor list reviewed: Check trust.hubspot.com for current sub-processors and update your privacy notices accordingly
- Records of processing updated: Add HubSpot to your Article 30 DSGVO processing register
- Privacy policy updated: Disclose HubSpot’s use in your website and/or employee-facing privacy notices
- DPIA conducted if needed: Required if processing at large scale, using sensitive data categories, or deploying AI features affecting individuals
- Betriebsrat consulted: Works council participation required if HubSpot will track employee activity
- Betriebsvereinbarung concluded: Negotiate a works agreement covering HubSpot’s permissible features
- AI Act assessment completed: Review Breeze AI features against EU AI Act risk classifications
Compound Law can assist with DPA review, SCC gap analysis, DPIA preparation, and works council negotiations for HubSpot deployments across Germany and the DACH region. See our compliance services for details.
Frequently Asked Questions
Is HubSpot GDPR compliant in Germany?
HubSpot can be used in a GDPR-compliant manner when the Data Processing Agreement is signed, Standard Contractual Clauses are in place, and your records of processing activities are updated. HubSpot offers EU data residency for customers who request it. Compliance depends on your configuration and use of the platform, not HubSpot’s certification status alone.
Does HubSpot have an AVV (Auftragsverarbeitungsvertrag)?
Yes. HubSpot’s Data Processing Agreement functions as the AVV required under Article 28 DSGVO. It is available to all paying customers and can be accepted through the HubSpot customer portal. You do not need to be on an enterprise plan to access the DPA.
Where does HubSpot store data for German customers?
By default, HubSpot stores data on AWS infrastructure in the United States. EU data residency is available to customers who select it, routing core contact and CRM data to EU-based AWS data centers. Some operational and support data may still be processed in the US. Verify the current data region settings in your HubSpot account settings.
Do I need a Betriebsrat agreement to use HubSpot?
If your organization has a works council (Betriebsrat) and HubSpot will be used in ways that could monitor employee behavior — such as email tracking, call recording, or activity logging — co-determination rights under §87(1) No. 6 BetrVG are likely triggered. A Betriebsvereinbarung (works agreement) governing the use of HubSpot should be concluded before deployment.
Are HubSpot’s AI features compliant with the EU AI Act?
HubSpot’s Breeze AI features generally fall into the minimal to limited risk categories under the EU AI Act. Features involving employee monitoring or performance assessment (such as Conversation Intelligence) carry transparency obligations. Businesses should assess each AI feature individually and ensure that appropriate documentation and human oversight are in place.