Security
Last Updated: March 7, 2026
At Third Space, LLC, the security of your HubSpot CRM data is our top priority. This page describes the technical and organizational measures we implement to protect your data when using Safe Merge.
Architecture Overview
To restore your records after a merge, Safe Merge keeps point-in-time snapshots of your CRM data in its own database. The snapshot captures the state of a record before a merge so it can be rebuilt later. Your live CRM remains the system of record, and the data we hold is limited to what restore requires.
What stays in HubSpot
- Your live contact, company, and deal records
- HubSpot's own native merge history on each record
What is stored on our infrastructure
- Point-in-time CRM snapshots used to restore records after a merge, stored in our PostgreSQL database
- OAuth access and refresh tokens (encrypted at rest)
- HubSpot Portal ID and billing status
- Usage metrics (snapshot counts, unmerge operation counts)
- Async job status records for unmerge operations
- Stripe Customer ID and subscription status
Snapshots are retained only for your plan's retention window and are deleted when you uninstall Safe Merge.
What is transiently processed (Emergency Unmerge only)
- CRM record data sent to Anthropic's Claude API for reconstruction analysis
- This data is encrypted in transit, not used for model training, and deleted within 30 days by Anthropic
- This processing occurs only when a user explicitly initiates an Emergency Unmerge
Encryption
In Transit
- All API communications use TLS 1.2 or higher
- HTTPS enforced across all endpoints
- HTTP Strict Transport Security (HSTS) headers with a minimum 1-year max-age
- All communication with HubSpot APIs, Anthropic APIs, and Stripe APIs is encrypted
At Rest
- OAuth tokens encrypted with Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 for integrity verification)
- Encryption keys stored as environment variables, separate from the database
- Database hosted on Render.com with disk-level encryption provided by the infrastructure
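How the Fernet scheme above behaves in practice, as an added example that is not Safe Merge's code: a token is encrypted with a key read from an environment variable (kept out of the database), and decryption is refused when a stored byte is altered or a different key is used, because the HMAC-SHA256 check fails before any plaintext is returned. The variable name OAUTH_TOKEN_KEY and the sample token are assumptions, and the `cryptography` package is assumed to be installed.

```python
import base64
import os

from cryptography.fernet import Fernet, InvalidToken

KEY_ENV_VAR = "OAUTH_TOKEN_KEY"  # assumed variable name; the page does not give one
SAMPLE_TOKEN = "constructed-sample-refresh-token-not-a-real-credential"

def load_key() -> bytes:
    """Read the Fernet key from the environment; refuse to run without it."""
    key = os.environ.get(KEY_ENV_VAR)
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; cannot encrypt or decrypt tokens")
    return key.encode()

def encrypt_token(token: str, key: bytes) -> bytes:
    """Fernet ciphertext (AES-128-CBC + HMAC-SHA256) as it would be stored in the database."""
    return Fernet(key).encrypt(token.encode())

def decrypt_token(stored: bytes, key: bytes):
    """Plaintext token, or None when the HMAC check fails (tampering or wrong key)."""
    try:
        return Fernet(key).decrypt(stored).decode()
    except InvalidToken:
        return None

def flip_ciphertext_byte(stored: bytes) -> bytes:
    """Simulate an altered database value: flip one bit inside the AES ciphertext.
    Fernet layout: version (1) | timestamp (8) | IV (16) | ciphertext | HMAC-SHA256 (32)."""
    raw = bytearray(base64.urlsafe_b64decode(stored))
    raw[25] ^= 0x01  # first ciphertext byte, right after the 25-byte header
    return base64.urlsafe_b64encode(bytes(raw))

def demo_key() -> bytes:
    """Put a freshly generated key in the environment for the demo (constructed, not a real key)."""
    os.environ.setdefault(KEY_ENV_VAR, Fernet.generate_key().decode())
    return load_key()

def round_trip_ok() -> bool:
    key = demo_key()
    stored = encrypt_token(SAMPLE_TOKEN, key)
    return SAMPLE_TOKEN.encode() not in stored and decrypt_token(stored, key) == SAMPLE_TOKEN

def tampering_rejected() -> bool:
    key = demo_key()
    return decrypt_token(flip_ciphertext_byte(encrypt_token(SAMPLE_TOKEN, key)), key) is None

def wrong_key_rejected() -> bool:
    stored = encrypt_token(SAMPLE_TOKEN, demo_key())
    return decrypt_token(stored, Fernet.generate_key()) is None
```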
Authentication and Access Control
OAuth 2.0
- Authentication handled exclusively via HubSpot's OAuth 2.0 authorization flow
- Safe Merge never sees or stores user passwords
- OAuth tokens are encrypted at rest and refreshed automatically
- Users can revoke Safe Merge's access at any time through HubSpot Settings → Connected Apps
- CSRF protection via the OAuth state parameter
- Exact redirect URI matching enforced
API Security
- API key authentication for backend service endpoints
- Rate limiting to prevent abuse
- Input validation and sanitization on all endpoints
Session Management
- Session cookies set with Secure, HttpOnly, and SameSite=Lax attributes
- Only strictly necessary session cookies used (no analytics or tracking cookies)
- Server-side session destruction on logout
Infrastructure
| Component | Provider | Location | Certifications |
| --- | --- | --- | --- |
| Application hosting | Render.com | Oregon, US | SOC 2 Type II |
| PostgreSQL database | Render.com | Oregon, US | SOC 2 Type II |
| Payment processing | Stripe | United States | PCI DSS Level 1, SOC 2 |
| Reconstruction processing | Anthropic | United States | SOC 2 Type II |
| Error monitoring | Sentry | United States | SOC 2 Type II |
- Database access restricted to application service only - no public database endpoints
- Environment variables used for all secrets and configuration (never hardcoded)
- Regular dependency updates and security patching
Data Privacy Practices
Data Minimization
We collect and store only the minimum data necessary to provide the Service. The CRM snapshots that enable restore are stored in our PostgreSQL database, retained only for your plan's retention window, and deleted when you uninstall Safe Merge.
Reconstruction Data Handling
- CRM data sent to Anthropic for Emergency Unmerge is not used to train models (per Anthropic's Commercial Terms)
- Anthropic deletes prompts and outputs within 30 days
- Reconstruction processing is initiated only by explicit user action
- All reconstruction outputs require human review and approval before execution
GDPR Privacy Deletion
Safe Merge implements HubSpot's contact.privacyDeletion webhook. When a GDPR deletion request is processed through HubSpot, we automatically and permanently delete all data associated with that contact from our systems.
Error Monitoring
We use Sentry for error monitoring with send_default_pii=False configured. This means personally identifiable information is not included in error reports.
Incident Response
- Detection: Application monitoring, error tracking, and infrastructure alerts
- Response: Immediate investigation upon detection of a potential security incident
- Notification: Customers notified within 72 hours of confirmed breach (per GDPR Article 33)
- Remediation: Root cause analysis, patching, and preventive measures documented
- Encryption mitigation: OAuth tokens are encrypted at the application layer with Fernet. Where data is encrypted and the encryption key is not compromised, that encrypted data generally does not trigger breach notification requirements under most US state laws. This mitigation applies only to the data that is encrypted at the application layer (currently OAuth tokens); it does not extend to data that is not application-layer encrypted, and our breach assessment treats such data accordingly
Compliance Framework
| Regulation / Standard | Status |
| --- | --- |
| GDPR (EU) | Compliant: DPA with SCCs available |
| UK GDPR | Compliant: UK IDTA/Addendum incorporated |
| CCPA/CPRA (California) | Compliant: Service Provider designation |
| EU AI Act (Regulation) | Limited Risk classification: transparency obligations met |
| HubSpot Developer Policy | Compliant: OAuth, privacy webhook, data disclosures |
| PCI DSS | Payment processing delegated to Stripe (PCI DSS Level 1) |
| SOC 2 | Infrastructure providers certified; formal certification planned |
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to joshua@thirdspaced.com. We appreciate security researchers who help us keep our users safe.
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 5 business days
- We will not take legal action against researchers acting in good faith
Questions
For security questions or to request a security questionnaire response, contact us at joshua@thirdspaced.com.
Third Space, LLC
Email: joshua@thirdspaced.com
Website: https://safemerge.app