A Brave New Blog

HubSpot Sensitive Data Updates for 2026

Written by Josh Dougherty | Jul 02, 2026

When it comes to sensitive data and your CRM, data security and trust are essential. That’s why I was so excited to have Hank Lander back on my A Brave New Podcast last week.

Hank is a Group Product Manager at HubSpot working on their sensitive data functionality. This functionality is essential for organizations that need to be HIPAA compliant but also want to do great marketing and patient engagement. I first had him on the podcast a year ago to discuss sensitive data. When we connected last month, he was eager to come back on because so much has changed over the last 12 months. This post gives a great recap of what we discussed.

AI Changed Everything

Ok, that's not just Hank being dramatic for the mic — it's close to word-for-word how he opened our conversation this time: "the elephant in the room is... AI changed everything." A year ago, most teams were just dipping a toe into AI, and the instinct around sensitive data was simple: build a wall and don't let anything cross it. That's not where we are anymore.

Why? Because, as Hank put it, "some of the sensitive data is actually some of the most relevant information for AI" — it gives context to otherwise unstructured data. Wall it off entirely and you're also walling off a lot of what makes AI useful in your CRM in the first place. So the conversation has shifted from "keep it out" to how do you safely leverage AI with your sensitive data.

HubSpot Gives You The Tools — Not The Compliance Stamp

Before I go further I want to provide a bit of a disclaimer:

Neither Hank nor I are attorneys or HIPAA compliance experts. Nothing here is legal advice — go talk to your own risk and compliance team before implementing any of these solutions.

With that said, one of the most common questions I hear from clients is some version of "is HubSpot HIPAA compliant?" Hank's answer hasn't changed from last year, and it's worth repeating: "HubSpot sensitive data doesn’t make you HIPAA compliant out of the box." What HubSpot gives you is the toolset — you sign a BAA, enable sensitive data protections, restrict access, and maintain audit logs. Behind the scenes, HubSpot encrypts that data with a unique, rotational encryption key system on a per-portal basis, with application-level controls that show exactly who accessed or decrypted it. In short, it gives you the tools to be HIPAA compliant.

It’s important to remember here that HubSpot is likely just one of the tools in your broader tech stack. Its functionality needs to be considered in relation to the organization’s broader HIPAA compliance posture.

The New Design Principle: Opt-In, Scoped, Auditable

So how is HubSpot actually squaring "AI needs this data" with "this data needs to stay protected"? Hank gave me the cleanest answer of the conversation: every AI feature that touches sensitive data has to be opt-in, scoped, and auditable.

In practice, that means moving away from one blunt, all-or-nothing toggle. Instead of shipping all of your engagement data to an AI model, an admin can choose to send just the notes, or just one property, depending on what a task actually needs.

Hank tried to sum up the philosophy for me in a couple of words: "choice... is power... we want to give that power to the people who know the context the best." That level of control currently lives mostly at the property and engagement level, and Hank expects it to keep getting more granular — not less.

What surprised me most was how customers are actually responding. In HubSpot's beta, Hank said the reactions split almost evenly into three camps:

  • "Just give me everything." Comfortable managing their own risk.
  • "Never let AI near sensitive data." The polar opposite — the toggle stays off.
  • "Thank you for the control." The group is actually using the granular settings as designed.

Hank told me he wouldn't have predicted an even three-way split going in. Neither would I.

Undo Is The Feature Nobody Asked For And Everybody Needs

Here's the part of the conversation I think matters most for anyone using AI inside HubSpot day-to-day: mistakes happen. Hank was candid about it — whether it's AI hallucinating or a person granting access they shouldn't have, "things happen. It's just life." So HubSpot built restore functionality that lets you roll changes back directly from property history or audit logs — and it's now extending that same capability to AI tools like Claude through the API, currently in private beta.

Here’s a real-life example: you're at an event, you upload the wrong contact list to Claude, and it goes into HubSpot. Instead of leaving your AI workflow to go fix it manually, you can just tell Claude to undo it, and it calls the restore capability itself. I think that's a bigger deal than it sounds. It's not just a safety net — it's an efficiency play. Hank described his own day-to-day now as Cowork open on one screen and the platform he's working in on the other, moving between the two rather than clicking through a UI himself. You don't have to break that flow to fix a mistake, and that matters more every month as more of us start working that way.

Agents Are Becoming Users, Too

This part is still mostly on the horizon, but it's worth knowing where HubSpot is headed: agents are going to get treated like users. The same permission sets and scopes you'd assign to a person will apply to an agent — first-party HubSpot agents, agents you build yourself in Breeze Agents Studio, and third-party agents alike.

Why does that matter? Because the same admin who controls what a human can see or edit will be able to control what an agent can see or edit, with the same identity, auditability, and permissions attached. Closer to actual shipping, according to Hank, is something HubSpot calls agentic review, currently in private beta. Before content reaches a human reviewer, an AI agent takes a first pass — checking tone, grammar, spelling, broken links, and whether a subject line is actually going to drive engagement. The point isn't to remove the human from the loop. It's to raise the floor, so that by the time a person is reviewing the content, they're making real judgment calls instead of fixing a typo in paragraph one.

Audit Logs Went From Afterthought To Front Page

Audit logs are another key aspect of HIPAA compliance, and we spoke about them as well. A year ago, Hank told me plainly, "we weren't talking about audit logs." They were the compliance box you checked and moved on from. That's changed too. Audit logs are now, in Hank's words, "that paper trail for trust" — the first place anyone goes when something's gone wrong.

HubSpot is investing in making them more discoverable and searchable, and trying to move from reactive (something broke, go check the log) to proactive (flag the unusual activity before it becomes a real problem). Hank was upfront that anomaly detection is hard, and getting harder as data volume grows — but it's also exactly the kind of problem AI is suited to help with.

So, Where Is This All Heading?

I asked Hank to close us out by looking forward to what things will look like in a year with regard to AI and sensitive data. His answer was less about any one capability and more about the foundation underneath all of them: identity, permissions, infrastructure, auditability, and traceability all have to mature together as more work gets delegated to AI agents.

His framing is the one I keep coming back to: this isn't AI replacing people, or people distrusting AI. It's a hybrid model. "We're going to partner on this to create the best outcome possible."

As I close out, here’s my question for you: if an AI agent had the same access to your HubSpot portal as your newest hire, would you be comfortable with what it could see? If you're not sure, my conversation with Hank is probably a great place for you to start to dig in.

Listen to my full conversation with Hank on Episode 120 of A Brave New Podcast. You can also listen on Apple Podcasts or Spotify.