Security
Last updated: March 24, 2026
How we protect your HubSpot data. Everything on this page describes what is actually implemented today.
- EU-only infrastructure: Finland, France + Netherlands
- AES-256-GCM encryption: tokens encrypted at rest
- Self-hosted database: no third-party SaaS
- No US data storage: infrastructure + AI in EU
Infrastructure
All PortalPilot infrastructure runs in the EU. We self-host our database and analytics on our own servers, not through third-party SaaS.
| Service | Provider | Location |
|---|---|---|
| Application + database | Hetzner Cloud (self-hosted Supabase) | Helsinki, Finland |
| AI processing | Mistral AI | Paris, France |
| Analytics | Plausible CE (self-hosted) | Helsinki, Finland |
| Payments | Mollie B.V. | Netherlands |
| Transactional email | Lettermint B.V. | Zwolle, Netherlands |
Encryption
- OAuth tokens: Encrypted with AES-256-GCM using PBKDF2 key derivation (100,000 iterations) and a random 16-byte salt per operation. Tokens are never stored in plaintext.
- In transit: All connections use TLS 1.2 or higher.
- Backups: Database backups (including authentication data) are GPG-encrypted with AES-256 and stored off-server.
- Client-side: No sensitive data is stored in the browser. Authentication tokens are handled by Supabase's secure session management.
Authentication and access control
- HubSpot OAuth 2.0: We never see or store your HubSpot password. Access is granted via OAuth consent and can be revoked at any time from your HubSpot settings.
- Application auth: Supabase JWT-based authentication with secure session handling.
- Row-Level Security: Every database table is protected by RLS policies. Users can only access data belonging to their own portals.
- Edge function auth: Every API call validates the JWT, verifies the user identity, and confirms portal ownership before processing.
Enterprise security hardening
As of March 2026, PortalPilot implements a comprehensive, multi-layer security hardening programme:
- Portal ownership verification: Every API endpoint verifies that the requesting user owns or is a team member of the portal before processing. Cross-tenant data access is impossible.
- AI prompt sanitisation: User-controlled data is sanitised before being sent to AI models, preventing prompt injection attacks.
- Data retention enforcement: Configurable per-portal retention policies with automated enforcement. Analysis history, pipeline data, and form analytics are automatically pruned based on your settings.
- Account deletion completeness: Deleting your account revokes all HubSpot OAuth grants, removes security audit records, and cleans up all associated data across 40+ database tables.
- Encrypted backups: Database backups (including auth data) are GPG-encrypted with AES-256 and stored off-server for disaster recovery.
- Supply chain protection: Build-time dependencies are pinned to exact versions. CI enforces authentication checks on all API endpoints.
Access controls
- Minimal team: PortalPilot is founder-operated. No third-party contractors or external personnel have access to production systems or customer data.
- Least privilege: All system access follows the principle of least privilege. Database access is restricted to scoped service roles.
- MFA required: Multi-factor authentication is enforced for all infrastructure access.
- SSH key authentication: Server access requires passphrase-protected SSH keys. No password-based authentication is permitted.
- Application isolation: Edge functions run in sandboxed Deno workers with no shared state between requests or tenants.
Incident response
We maintain a documented incident response process:
- Detection: Automated monitoring of authentication events, API access patterns, and system health. Comprehensive audit logging on all data access operations.
- Assessment: Incidents are classified by severity and impact. Personal data breaches are escalated immediately.
- Notification: In the event of a personal data breach, affected customers are notified within 72 hours as required by GDPR Article 33. The relevant supervisory authority is notified where required.
- Remediation: Root cause analysis, fix deployment, and post-incident review for every security event.
Contact: security@portalpilot.io
Business continuity
- Automated backups: Daily database backups including all schemas and authentication data.
- Encrypted at rest: All backups are GPG-encrypted with AES-256 and stored off-server, separate from the primary infrastructure.
- Recovery: Tested restoration procedures. Container orchestration via Coolify enables rapid service recovery.
- Data durability: Primary data resides on Hetzner's enterprise-grade storage with hardware redundancy.
Logging and monitoring
- Audit logging: All write operations, authentication events, and data access actions are logged with timestamps, user identifiers, and action details.
- Retention: Audit logs are retained for 90 days.
- PII protection: Email addresses and other personal identifiers are masked in log output to prevent accidental PII exposure.
- Security monitoring: Authentication failures, rate limit violations, and anomalous API access patterns are monitored.
Responsible disclosure
We welcome reports from security researchers who discover vulnerabilities in our application, API, or infrastructure.
- Report to: security@portalpilot.io
- Acknowledgement: We will acknowledge receipt within 3 business days and provide an initial assessment within 10 business days.
- Scope: The PortalPilot application (portalpilot.io), API endpoints, and supporting infrastructure.
- Safe harbour: We will not take legal action against researchers who report vulnerabilities in good faith, follow responsible disclosure practices, and avoid accessing or modifying other users' data.
Data handling
We access your HubSpot portal to analyse property configurations and compute health scores. Here is exactly what we access and store:
| Data type | Accessed | Stored |
|---|---|---|
| Property definitions (names, types, labels) | Yes | Yes (metadata only) |
| Record samples (up to 1,000 per object) | Yes | No — processed in memory, then discarded |
| Aggregate scores and statistics | Computed | Yes |
| Individual contact/deal/company records | No | No |
| Write operations (property edits) | User-initiated only | Audit log (90-day retention) |
AI processing
AI features (property suggestions, descriptions, embeddings) are processed by Mistral AI in Paris, France.
- Only property metadata is sent (names, descriptions, types) — not individual record values
- Per Mistral AI's data processing terms, API data is not stored beyond the request and is not used for model training
- All processing stays within the EU
GDPR compliance
- Data controller: NordScope, a Finnish sole trader (toiminimi), Y-tunnus 3148476-5, owner-operator Peter Sterkenburg
- DPA: A Data Processing Agreement is available for all customers
- Data export: Full export available on request
- Right to erasure: Delete your account and all associated data at any time. HubSpot OAuth grants are automatically revoked and all security audit records are cleaned up
- Supervisory authority: Office of the Data Protection Ombudsman (Finland)
Standards & frameworks
Frameworks PortalPilot has measured itself against:
Self-attestation is PortalPilot's own structured assessment against a publicly published cloud-compliance framework, not a declaration validated by a monitoring body. Submission to SCOPE Europe is on our compliance roadmap.
Security roadmap
What we're working on next:
Questions?
For security questions, vulnerability reports, or to request a security questionnaire, contact us at security@portalpilot.io.