1. Parties and scope
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer", "you"): the organization that connects its HubSpot portal to RouteAnything
- Data Processor ("we", "us"): CRM MANAGER IO, a company registered in France (SIREN: 928 427 897), with its registered office at [PLACEHOLDER — address], operator of RouteAnything
This DPA supplements the Terms of Service and applies to all processing of personal data that we perform on your behalf when you use RouteAnything.
2. Definitions
- "Personal Data", "Processing", "Data Controller", "Data Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR (Regulation (EU) 2016/679).
- "Customer Data" means the HubSpot CRM records (contacts, deals, tickets, custom objects) that we access and process on your behalf to execute routing assignments.
3. Subject matter and duration
| Subject matter | Automated assignment (routing) of HubSpot CRM records to designated team members based on customer-defined rules |
| Nature of processing | Reading CRM record metadata (owner, properties) from HubSpot, applying assignment logic, writing updated owner assignments back to HubSpot |
| Categories of data subjects | Your CRM contacts, leads, deal contacts, ticket requesters, and custom object records |
| Types of personal data | HubSpot record identifiers (record ID, owner ID), names, email addresses, and any custom properties included in HubSpot workflow payloads |
| Duration | For the duration of the Service agreement. Upon termination, see section 10. |
4. Processor obligations
We shall:
- Process Customer Data only on your documented instructions (i.e., the routing rules you configure in the application), unless required by EU or Member State law
- Ensure that persons authorized to process Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures as described in section 6
- Not engage sub-processors without your prior authorization (see section 5)
- Assist you in fulfilling your obligations to respond to data subject requests (access, rectification, deletion, portability)
- Assist you in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation)
- At your choice, delete or return all Customer Data upon termination of the Service
- Make available all information necessary to demonstrate compliance and allow for audits (see section 8)
5. Sub-processors
You hereby provide general written authorization for us to engage the sub-processors listed below. We will notify you at least 30 days in advance of any intended addition or replacement of a sub-processor, giving you the opportunity to object.
| Sub-processor | Processing activity | Data location |
| --- | --- | --- |
| Supabase Inc., USA (EU infrastructure) | Database storage — account data, rotation configs, encrypted tokens, assignment logs | EU West — Paris (AWS eu-west-3) |
| Vercel Inc., USA (EU infrastructure) | Application hosting, serverless function execution, edge routing | Paris, France (cdg1) |
| Upstash Inc., USA (EU infrastructure) | Redis — rate limiting counters (IP hashes, user IDs, portal IDs) | EU (via Vercel Marketplace) |
| Resend Inc., USA | Transactional email delivery (welcome, billing, security notifications) | [PLACEHOLDER — verify region] |
| Stripe Inc., USA (EU infrastructure) | Payment processing, subscription management, invoicing | EU (Ireland) |
Note: HubSpot is not a sub-processor — it is your own platform. We access it via the OAuth credentials you grant us.
6. Technical and organizational security measures
6.1 Encryption
- All data in transit: TLS 1.2+
- Database: encrypted at rest (AES-256, managed by Supabase/AWS)
- HubSpot OAuth tokens: AES-256-GCM application-layer encryption with a dedicated encryption key
6.2 Access control
- Role-based access control (RBAC): Owner > Admin > Member, with enforced permission boundaries
- No shared credentials: each user authenticates individually via HubSpot OAuth
- Service keys (database, API) stored exclusively in Vercel environment variables — never on disk or in code
- Admin endpoints protected by a separate API key
6.3 Input validation and abuse prevention
- Enum whitelist validation on all user inputs (strategies, object types, roles)
- Rate limiting on all endpoints: authentication (5/min), API (30/min), webhooks (100/min)
- HubSpot webhook signature verification (HMAC-SHA256 v3, timing-safe comparison)
- CSRF protection via OAuth state parameter
6.4 Infrastructure security
- Security headers: HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff
- Atomic database operations with row-level locking (FOR UPDATE) to prevent race conditions
- Error masking: generic error messages to clients, detailed logs server-side only
7. Data breach notification
In the event of a personal data breach affecting Customer Data, we will:
- Notify you without undue delay and in any case within 48 hours of becoming aware of the breach
- Provide all information reasonably necessary for you to fulfill your notification obligations under Articles 33 and 34 GDPR, including:
  - Nature and scope of the breach
  - Categories and approximate number of affected data subjects and records
  - Likely consequences
  - Measures taken or proposed to mitigate the breach
- Cooperate with you and take reasonable steps to assist in the investigation and mitigation of the breach
8. Audits
Upon reasonable written request (no more than once per year), we will make available information necessary to demonstrate compliance with this DPA. You may:
- Request a copy of our latest security audit report or SOC 2 attestation (where available from our sub-processors)
- Submit a written questionnaire that we will respond to within 30 days
- Conduct or mandate a third-party audit, subject to reasonable advance notice (at least 30 days), scope limitations, confidentiality agreements, and at your expense
9. International data transfers
All primary data storage and processing occurs in the European Union (Paris, France). Where sub-processors are US-based entities operating EU infrastructure, data remains within the EU.
For any processing that may involve transfers outside the EU/EEA, we ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework certification of the sub-processor (where applicable)
- Supplementary technical measures (encryption in transit and at rest)
10. Data return and deletion
Upon termination of the Service:
- HubSpot OAuth tokens are deleted immediately upon uninstallation
- Account data and configurations are retained for 30 days (to allow re-connection), then permanently deleted
- Assignment logs are purged within 90 days
- Upon written request, we will provide a data export (JSON format) of your account configurations before deletion
- We will provide written confirmation of deletion upon request
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
12. Governing law
This DPA is governed by French law. Disputes shall be submitted to the competent courts of [PLACEHOLDER — city], France.
13. Contact
For any questions about this DPA or to exercise data subject rights:
- Data Protection contact: [PLACEHOLDER — name + email, e.g. dpo@routeanything.com]
- Postal address: CRM MANAGER IO — [PLACEHOLDER — address]