Last Modified: January 17, 2025
This DORA Addendum (“DORA Addendum”) is incorporated into and forms part of your Agreement with HubSpot and applies to the extent that (i) the Customer is a financial entity to whom DORA applies and (ii) the Subscription Service constitutes ICT services, each as defined below. This DORA Addendum does not apply if Customer uses the Free Services only.
1. Definitions
2. General
3. Services
4. Location of Services
5. Information Security
6. Recovery of Data
7. Co-operation with Regulators
8. Additional Customer Termination Rights
9. Reporting Material Developments
10. Business Continuity and Security
11. Threat-led Penetration Testing
12. Subcontracting
13. Customer Audit
14. Exit
1. DEFINITIONS
The following terms have the meanings given below, and terms not otherwise defined in this DORA Addendum have the meaning set forth in the Agreement:
"Agreed Service Levels" means the service levels set out in the ‘Service Uptime Commitment’ section of the Product Specific Terms.
"competent authority" means the national authority with binding authority to regulate the Customer’s financial services activities as specified in Article 46 of DORA.
"critical or important function" means a function, the disruption of which would materially impair the financial performance of the Customer, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the Customer with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
“Customer Data” has the meaning set out in the General Terms.
"cyber threats" means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.
"DORA" means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
“Downtime” will have the meaning set out in the ‘Service Uptime Commitment’ section of the Product Specific Terms.
"financial entity" has the meaning given in Article 2(2) of DORA.
“ICT related incident” means a single unplanned event or a series of linked unplanned events that compromises the security of the Subscription Service, and has an adverse impact on the availability, authenticity, integrity or confidentiality of Customer Data or the Subscription Service.
"ICT services" has the meaning given in Article 3 of DORA.
"Implementing Regulations" means any legally binding delegated or implementing regulation issued by a competent authority pursuant to DORA including regulatory technical standards.
“Regulator” means a government body, regulatory body, competent authority or resolution authority (wherever located) with binding authority to regulate the Customer's financial service activities under DORA.
"Required TLPT" means threat-led penetration testing or pooled threat-led penetration testing by an external tester that: (a) the Customer is required to undertake in accordance with DORA and the Implementing Regulations; (b) concerns a critical or important function that is supported by the ICT Services; and (c) will or may impact on the ICT Services.
"resolution authorities" means the national regulatory entity that is empowered to apply resolution tools and exercise resolution powers in respect of the Customer.
"Security Measures" means the security measures, tools and policies described in Annex 2 of the HubSpot Data Processing Agreement as may be updated from time to time by HubSpot at its discretion provided that this does not result in any material degradation to the information security or operational resilience measures that HubSpot has in place to protect the Subscription Service and Customer Data.
“Subcontractor” means the infrastructure sub-processors identified in Annex 3 to the DPA.
"Subscription Service" means the Subscription Service provided by HubSpot to the Customer under the General Terms.
"threat-led penetration test" or "TLPT" means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.
2. GENERAL
2.1 Application. Part 1 of this DORA Addendum applies to the Subscription Service provided by HubSpot to the Customer pursuant to the Agreement. Part 2 of this DORA Addendum applies only to the Subscription Service used by the Customer to support a critical or important function.
2.2 HubSpot Solutions Partners. In the event Customer is a HubSpot Solutions Partner purchasing the Subscription Service on behalf of an End User (as defined in the HubSpot Solutions Partner Agreement), this DORA Addendum will apply to the extent that the End User is a financial entity to whom DORA applies.
2.3 Confidentiality. Any information, responses and documentation provided by HubSpot in connection with or pursuant to rights under this DORA Addendum (including information provided in accordance with the ‘Threat-led Penetration Testing’ or ‘Customer Audit’ sections of this DORA Addendum) (“Confidential Compliance Information”) will be treated as confidential information of HubSpot. The obligations of confidentiality set out in the Agreement will apply to such Confidential Compliance Information. Notwithstanding the foregoing, Confidential Compliance Information may be disclosed by the Customer to the Regulator, provided that the Customer obtains confidential treatment or similar protections for such information.
2.4 Conflict. If there is any conflict or inconsistency between the provisions of this DORA Addendum and the other provisions of the Agreement, the provisions of this DORA Addendum will prevail over the other provisions in the Agreement to the extent of such conflict or inconsistency.
2.5 Termination. In the event that the Customer ceases to be within scope of or otherwise subject to DORA in connection with its use of the Subscription Service, this DORA Addendum will terminate immediately and will cease to have any further effect.
3. SERVICES
3.1 Description. A description of the Subscription Service is set out in other portions of the Agreement.
3.2 Service Levels. HubSpot will provide the Subscription Service in accordance with the Agreed Service Levels.
4. LOCATION OF SERVICES
4.1 Hosting Location. Customer Data will be hosted in the hosting location specified in the Account Defaults page of the Customer’s HubSpot account. HubSpot will notify the Customer at least 30 days in advance of any changes to the hosting location.
4.2 Sub-Processor Locations. HubSpot uses Sub-Processors to provide part of the Subscription Service. Our Sub-Processors and the location of data processing is specified in Annex 3 of the DPA.
4.3. Changes to Sub-Processors. Customers may subscribe to receive notifications by email if HubSpot makes changes to the Sub-Processors (including changes to the location from which they provide services) as specified in the ‘Sub-Processors’ section of our DPA. If the Customer opts in to receive such email, HubSpot will provide at least 30 days prior notice in accordance with the ‘Sub-Processor’ section of our DPA.
5. INFORMATION SECURITY
5.1 Security Measures. HubSpot will implement and maintain the Security Measures to ensure availability, authenticity, integrity and confidentiality of the Subscription Service and Customer Data. Further information in relation to the Security Measures is available in HubSpot’s Security and Compliance Overview, and SOC2 report which are available for download from the HubSpot Trust Center available at https://trust.hubspot.com.
5.2 Incident Management. HubSpot will provide reasonable assistance that Customer may reasonably require where an ICT related incident occurs that impacts the Customer’s use of the Subscription Service.
5.3 Security Training Programmes. HubSpot will ensure that all HubSpot employees complete regular security awareness training on an annual basis, on HubSpot’s security policy, processes and standards as relevant to their role and in accordance with industry practice.
6. RECOVERY OF DATA
6.1 Retrieval Period. Following the termination or expiry of the Agreement (including upon the expiry of any Transition Period, as defined below), HubSpot will provide Customer with a 30 day period during which HubSpot will not take any action to remove Customer Data (“Retrieval Period”).
6.2 Retrieval Process. Upon Customer’s written request during the Retrieval Period, HubSpot will at its option either provide the Customer with temporary access to the Subscription Service to retrieve Customer Data or will provide Customer with copies of all Customer Data then in HubSpot’s possession or control. If HubSpot provides the Customer with temporary access to the Subscription Service, we may charge a re-activation fee. After the 30 day retrieval period has passed, HubSpot will have no obligation to maintain or provide Customer with the Customer Data.
6.3 Customer Enablement. The Subscription Service provides Customer with controls to retrieve Customer Data at any time during the Subscription Term.
6.4 Data Retrieval on Insolvency. Without limiting any rights under the Agreement, Customer will have the immediate right to retrieve all Customer Data unless prohibited by law or the order of a governmental or regulatory body or insolvency practitioner (or equivalent), including in the event that HubSpot:
(i) is declared bankrupt or in liquidation (or equivalent);
(ii) is dissolved or wound up; or
(iii) discontinues its entire business operations of providing the Subscription Service (except as the result of any assignment permitted under the Agreement).
7. CO-OPERATION WITH REGULATORS
HubSpot will cooperate in good faith with Regulators (including other persons appointed by them) in the course of such Regulators performing their regulatory functions in relation to the Subscription Service. The Customer will notify HubSpot if it receives inquiries from a Regulator which relate to the Subscription Service. HubSpot may charge the Customer reasonable fees for any assistance provided pursuant to this section.
8. ADDITIONAL CUSTOMER TERMINATION RIGHTS
8.1 Termination Rights. Subject to the ‘Cure Period’ section below the Customer may terminate the Agreement by giving 30 days written notice to HubSpot in the following circumstances:
(i) HubSpot has committed a material breach of applicable laws or regulations or the Agreement;
(ii) the Customer can reasonably demonstrate that there are circumstances identified through the monitoring of ICT third party risk which are capable of altering the performance of the Subscription Service including material changes that affect the Agreement or the situation of HubSpot;
(iii) the Customer can reasonably demonstrate that there are weaknesses pertaining to HubSpot's overall ICT risk management, and in particular in the way HubSpot ensures the availability, authenticity, integrity and confidentiality of Customer Data;
(iv) where the competent authority can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the Agreement; or
(v) where required to do so by binding order of a Regulator.
8.2 Cure Period. HubSpot will have 30 days from the date of the notice under the ‘Termination Rights’ section above, to remedy the breach or default to the reasonable satisfaction of the Customer. If HubSpot fails to remedy within the specified time period, Customer may terminate the Agreement immediately.
8.3 Payment of Fees. If the Customer exercises its right to terminate under this ‘Additional Customer Termination Rights’ section, other than as a result of a breach by HubSpot of the Agreement, the Customer will:
(i) promptly pay all unpaid fees due through the end of the Current Term; and
(ii) have no ability to bring a claim for breach of contract or otherwise against HubSpot in connection with this Agreement.
9. REPORTING MATERIAL DEVELOPMENTS
9.1 Notice of Material Developments. HubSpot will notify the Customer without undue delay of any development that might have a material impact on HubSpot's ability to provide the Subscription Service in accordance with the Agreed Service Levels as follows:
(i) ICT related incidents are reported either directly to the Customer by email or via a public posting on the HubSpot Trust Center.
(ii) Downtime in accordance with HubSpot’s Service Uptime Commitments is reported via https://status.hubspot.com.
(iii) Developments resulting in degraded functionality are reported via in-app banners or “fire alarms”. HubSpot will email Customers directly if there is any action needed by the Customer.
No separate notification is required if HubSpot has reported a failure to meet the Agreed Service Levels in accordance with the Agreement.
10. BUSINESS CONTINUITY AND SECURITY
10.1 Business Continuity Plans. HubSpot will implement, maintain and test appropriate business continuity plans at regular intervals.
10.2 Security. HubSpot will maintain the Security Measures during the Subscription Term to provide an appropriate level of security for the provision of the Subscription Service.
11. THREAT-LED PENETRATION TESTING
11.1 Required TLPT. HubSpot will participate and fully cooperate in the Required TLPT in accordance with this ‘Threat-led Penetration Testing’ section.
11.2 Third Party Penetration Test Reports. HubSpot will make penetration test reports (certified by third party) available to the Customer via the HubSpot Trust Center.
11.3 Request for Required TLPT. Where the Customer reasonably determines that the third party threat-led penetration test report provided by HubSpot is not sufficient to meet its regulatory obligations, Customer may request further testing in accordance with the conditions in this section. Customer will:
(i) provide no less than 90 days' written notice to privacy@hubspot.com if it intends to conduct Required TLPT;
(ii) identify jointly with HubSpot which parts of the Subscription Service form part of the relevant underlying information, communication, and/or technology systems, processes and technologies supporting the Customer’s critical or important function(s);
(iii) enter into or require an external tester to enter into contractual arrangements with HubSpot as HubSpot considers appropriate taking into account the potential adverse impact on the quality or security of the Subscription Service and customers and on the confidentiality of data relating to the Subscription Service;
(iv) ensure effective risk management controls will be applied in respect of the Required TLPT in order to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations relating to the Subscription Service and customers;
(v) comply with HubSpot’s vulnerability testing guidelines, and any policies and procedures relating to information security and operational resilience so far as the Required TLPT may impact the Subscription Service; and
(vi) comply and ensure that any external tester complies with all applicable laws and regulations relating to the Required TLPT.
11.4 Required TLPT fees. The Customer will reimburse HubSpot for all fees, costs and expenses reasonably incurred by HubSpot in connection with the performance of the Required TLPT.
12. SUBCONTRACTING
12.1 Subcontractors. The Customer acknowledges that HubSpot engages the Subcontractors to provide part of the Subscription Service.
12.2 Responsibility for Subcontractors. HubSpot will remain responsible for the acts and omissions of its Subcontractors in the performance of the Subscription Service in accordance with the Agreement.
12.3 Monitoring of Subcontractors. HubSpot will monitor the Subcontractors for the purpose of ensuring that HubSpot’s obligations to the Customer are met in accordance with the Agreement.
12.4 Risk assessment of Subcontractors. HubSpot will assess risks associated with the location of the Subcontractor and its parent company, and the location from which the relevant part of the Subscription Service will be provided.
12.5 Information on Subcontractors. HubSpot will, on reasonable request from the Customer and subject to its obligations of confidentiality to its Subcontractors, provide information regarding the contractual documentation between HubSpot and its Subcontractors and on relevant performance indicators.
12.6 Subcontractor Agreements. Where HubSpot engages a Subcontractor, HubSpot will have in place a written agreement, which includes:
(i) appropriate monitoring and reporting obligations of the Subcontractor towards HubSpot;
(ii) appropriate measures to ensure the continuity of the subcontracted services;
(iii) appropriate service levels; and
(iv) appropriate ICT security standards with reference to international standards like ISO27001 and ISO27002, SOC2 and NIST (as appropriate).
12.7 Subcontractor Audits. HubSpot will use reasonable efforts to enter into a written agreement with the Subcontractors to permit the Customer or a Regulator to carry out audits and inspections of the Subcontractor, on terms equivalent to those in the ‘Customer Audit’ section of this DORA Addendum.
12.8 Proportionality. In entering into such written agreements with its Subcontractors, HubSpot will consider the requirements in the ‘Subcontractor Agreements’ section in a risk-based and proportional manner, taking into account the legal requirements, the context and the nature of the services. HubSpot may take into account whether a Subcontractor has been designated as a critical ICT third party service provider by a European Supervisory Authority under DORA in determining the extent to which the written agreement must comply with the ‘Subcontractor Agreements’ section of this DORA Addendum.
12.9 Material Change to Subcontractors. Customer may object on reasonable grounds to a material change to the Subcontractors, within 30 days of notification in accordance with the ‘Changes to Sub-processors’ section, if Customer acting reasonably considers that a planned change has a material adverse impact on HubSpot's ability to provide the Subscription Service in accordance with the Agreement. If Customer notifies HubSpot of such an objection, the parties will discuss the Customer’s concerns in good faith with a view to achieving a commercially reasonable solution. If no such resolution can be reached, HubSpot will, at its sole discretion, either not make the material change to the subcontracting arrangement, or permit Customer to terminate the affected part of the Subscription Service without liability to either party (but without prejudice to any fees incurred by the Customer for services prior to termination).
13. CUSTOMER AUDIT
13.1 Audit Right. HubSpot grants the Customer, a third party appointed by the Customer and the Regulators (each a "Requester") the right to access, inspect and audit:
(i) HubSpot's performance of the Subscription Service; and
(ii) HubSpot's compliance with this Agreement generally (the “Audit Right”),
in accordance with the ‘Customer Audit’ section of this DORA Addendum.
13.2 Exercise of Audit Right in Proportional Manner. The Customer and any third party appointed by the Customer will exercise the Audit Right in a risk-based and proportional manner, taking into account the legal requirements, the context and the nature of the Service. In this regard, Customer acknowledges that HubSpot does not host the Subscription Service or Customer Data on HubSpot’s own premises, and hosting services are subcontracted to AWS.
13.3 Independent Audit Reports. In advance of exercising any Audit Right, the Customer will first consider if one or more of the elements listed in this ‘Independent Audit Reports’ section of this DORA Addendum are sufficient to provide the required level of assurance, and the Customer will only exercise the on-site Audit Right where Customer reasonably determines that the information provided pursuant to this section is not sufficient to meet its regulatory obligations:
(i) independent audit reports made on behalf of HubSpot;
(ii) audit reports of HubSpot's internal audit function;
(iii) HubSpot's third-party certifications, such as its SOC2 certification made available on the HubSpot Trust Center; and
(iv) the use by the Customer of other relevant available information or other information that HubSpot makes available to the Customer.
13.4 Cooperation with Requester. HubSpot will fully cooperate with a Requester in its exercise of the Audit Right to perform on-site inspections and audits and will allow the Requester to take copies of relevant documentation on-site if such documentation is critical to HubSpot's operations.
13.5 Notice of Audit. The Customer must give HubSpot at least 60 days prior written notice before the proposed date(s) on which the Audit Right will be exercised by the Customer or a third party appointed by the Customer, unless such notice is not possible due to an emergency or crisis situation or the requirement of a Regulator. Notice must be submitted to privacy@hubspot.com. In such prior written notice, the Customer must include: (i) a detailed information request list, and (ii) where applicable, the identity of the third party appointed by the Customer to exercise the Audit Right.
13.6 Appointment of Third Party Auditor. Where the Customer wishes to appoint a third party to exercise the Audit Right:
(i) the Customer will ensure such third party is not a competitor of HubSpot;
(ii) the Customer will verify that the third party and its personnel exercising the Audit Right have the necessary skills, knowledge and experience to exercise the Audit Right; and
(iii) the third party will be required to enter into confidentiality arrangements with HubSpot on terms satisfactory to HubSpot (acting reasonably).
13.7 Disruption to Business. The Customer and any third party appointed by the Customer will ensure that its exercise of the Audit Right does not hinder HubSpot's ability to provide the Service or carry out its normal business.
13.8 Alternative Assurance Levels. If the exercise of the Audit Right by the Customer or any third party appointed by the Customer could, in HubSpot's reasonable opinion, affect the rights of another Customer of HubSpot (for example, an impact on service provision, data security, service levels, availability of data or HubSpot's confidentiality obligations), HubSpot and Customer will agree alternative assurance levels.
13.9 Audit Conditions. The Audit Right may be exercised by the Customer (including via a third party appointed by the Customer) no more than once during any 12-month period, unless a more frequent exercise of the Audit Right is required by a Regulator. Each exercise of the Audit Right will be planned for a duration of maximum 3 business days, during HubSpot’s standard business hours, unless a longer period is required by a Regulator.
13.10 Fees in Connection With Audit. The Customer will reimburse HubSpot for all fees, costs and expenses reasonably incurred by HubSpot in connection with the exercise of the Audit Right.
14. EXIT
14.1 Transition Period. Upon termination or expiry of the Agreement, except in the event of suspension of the Subscription Service or termination by HubSpot for cause in accordance with the Agreement, the Customer may require the Subscription Service to continue for a transitional period of up to three (3) months following the effective date of the termination or expiry of the Agreement (“Transition Period”), provided that the Customer will be required to:
(i) notify HubSpot at least 30 days prior to the termination or expiry of the Subscription Term that Customer wishes to extend the Subscription Service for the Transition Period;
(ii) enter into a new Order for the Subscription Service covering the Transition Period; and
(iii) continue to pay the Subscription Fees in full.