At Third Space, LLC, the security of your HubSpot CRM data is our top priority. This page describes the technical and organizational measures we implement to protect your data when using Safe Merge.
Architecture Overview
Safe Merge is designed with a data-minimization architecture. The vast majority of your CRM data never leaves HubSpot:
What stays in HubSpot
CRM snapshot data (stored as compressed JSON in HubSpot custom properties on your records)
All contact, company, and deal record data
Merge audit history
What is stored on our infrastructure
OAuth access and refresh tokens (encrypted at rest)
What is transiently processed (Emergency Unmerge only)
CRM record data sent to Anthropic's Claude API for reconstruction analysis
This data is encrypted in transit, not used for model training, and deleted within 30 days by Anthropic
This processing occurs only when a user explicitly initiates an Emergency Unmerge
Encryption
In Transit
All API communications use TLS 1.2 or higher
HTTPS enforced across all endpoints
HTTP Strict Transport Security (HSTS) headers with minimum 1-year max-age
All communication with HubSpot APIs, Anthropic APIs, and Stripe APIs is encrypted
At Rest
OAuth tokens encrypted with Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 for integrity verification)
Encryption keys stored as environment variables, separate from the database
Database hosted on Render.com with disk-level encryption provided by the infrastructure
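The at-rest scheme described above, as an added example rather than Safe Merge's own code: OAuth tokens sealed with Fernet, the key material loaded from an environment variable kept out of the database, and older keys retained so a rotation does not break stored rows. The variable name TOKEN_ENC_KEYS and the demo keys are assumptions.

```python
# Added example (not Safe Merge's code): Fernet (AES-128-CBC + HMAC-SHA256)
# for OAuth tokens at rest, key loaded from the environment, not the database.
import os
from cryptography.fernet import Fernet, MultiFernet, InvalidToken

# Constructed keys so the demo runs offline; in production the variable is set
# by the deployment, never generated in code. Several comma-separated keys are
# allowed: the first encrypts, the rest only decrypt, which is what makes a
# key rotation possible without re-encrypting every row at once.
os.environ.setdefault("TOKEN_ENC_KEYS", ",".join(
    Fernet.generate_key().decode() for _ in range(2)))


def load_cipher() -> MultiFernet:
    """Build the cipher from TOKEN_ENC_KEYS (assumed name); first key encrypts."""
    keys = [k for k in os.environ["TOKEN_ENC_KEYS"].split(",") if k]
    if not keys:
        raise RuntimeError("TOKEN_ENC_KEYS must hold at least one Fernet key")
    return MultiFernet([Fernet(k.encode()) for k in keys])


def seal_token(cipher: MultiFernet, token: str) -> bytes:
    """Ciphertext suitable for a database column; IV is random per call."""
    return cipher.encrypt(token.encode())


def open_token(cipher: MultiFernet, blob: bytes) -> str:
    """Decrypt; any modified ciphertext fails the HMAC check and raises."""
    return cipher.decrypt(blob).decode()


def rotate_blob(cipher: MultiFernet, blob: bytes) -> bytes:
    """Re-encrypt a stored row under the current primary key."""
    return cipher.rotate(blob)


def tamper_is_detected(cipher: MultiFernet, blob: bytes) -> bool:
    """Flip one byte in the middle of the token and confirm decryption refuses it."""
    pos = len(blob) // 2
    forged = blob[:pos] + bytes([blob[pos] ^ 0x01]) + blob[pos + 1:]
    try:
        cipher.decrypt(forged)
        return False
    except InvalidToken:
        return True
```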
Authentication and Access Control
OAuth 2.0
Authentication handled exclusively via HubSpot's OAuth 2.0 authorization flow
Safe Merge never sees or stores user passwords
OAuth tokens are encrypted at rest and refreshed automatically
Users can revoke Safe Merge's access at any time through HubSpot Settings → Connected Apps
CSRF protection via the OAuth state parameter
Exact redirect URI matching enforced
API Security
API key authentication for backend service endpoints
Rate limiting to prevent abuse
Input validation and sanitization on all endpoints
Session Management
Session cookies set with Secure, HttpOnly, and SameSite=Lax attributes
Only strictly necessary session cookies used (no analytics or tracking cookies)
Server-side session destruction on logout
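The OAuth 2.0 controls above (random state parameter checked on the callback, exact redirect URI matching) together with the session cookie attributes, as an added example that is not Safe Merge's code. The in-memory session dict, the registered redirect list, the client id and the scope are assumptions for the demo; the authorize URL is HubSpot's public endpoint.

```python
# Added example (not Safe Merge's code): CSRF protection via the OAuth state
# parameter, exact redirect URI matching, and the session cookie flags.
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
# Assumed allow-list of the redirect URIs registered with the HubSpot app.
REGISTERED_REDIRECTS = {"https://example-app.test/oauth/callback"}


def redirect_uri_allowed(uri: str) -> bool:
    """Exact string comparison only: no prefix, host-only or path-relaxed matches."""
    return uri in REGISTERED_REDIRECTS


def begin_authorization(session: dict, client_id: str, redirect_uri: str) -> str:
    """Store a fresh random state server-side and build the authorize URL."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not one of the registered URIs")
    state = secrets.token_urlsafe(32)          # unguessable, per-attempt
    session["oauth_state"] = state
    # The same exact redirect_uri string must later be sent to the token endpoint.
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "crm.objects.contacts.read", "state": state})


def finish_authorization(session: dict, callback_url: str) -> str:
    """Validate the callback and return the authorization code, or raise."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use, even on failure
    presented = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        raise PermissionError("state mismatch: rejecting possible CSRF")
    if "code" not in params:
        raise ValueError("authorization server returned no code")
    return params["code"][0]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with the attributes listed on the page."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```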
Infrastructure
Component                 | Provider   | Location      | Certifications
Application hosting       | Render.com | Oregon, US    | SOC 2 Type II
PostgreSQL database       | Render.com | Oregon, US    | SOC 2 Type II
Payment processing        | Stripe     | United States | PCI DSS Level 1, SOC 2
Reconstruction processing | Anthropic  | United States | SOC 2 Type II
Error monitoring          | Sentry     | United States | SOC 2 Type II
Database access restricted to application service only - no public database endpoints
Environment variables used for all secrets and configuration (never hardcoded)
Regular dependency updates and security patching
Data Privacy Practices
Data Minimization
We collect and store only the minimum data necessary to provide the Service. CRM snapshot data is stored directly in HubSpot custom properties on your records, meaning the bulk of your data never leaves HubSpot's infrastructure.
Reconstruction Data Handling
CRM data sent to Anthropic for Emergency Unmerge is not used to train models (per Anthropic's Commercial Terms)
Anthropic deletes prompts and outputs within 30 days
Reconstruction processing is initiated only by explicit user action
All reconstruction outputs require human review and approval before execution
GDPR Privacy Deletion
Safe Merge implements HubSpot's contact.privacyDeletion webhook. When a GDPR deletion request is processed through HubSpot, we automatically and permanently delete all data associated with that contact from our systems.
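A handler for the contact.privacyDeletion webhook, as an added example that is not Safe Merge's code. Because the endpoint triggers a permanent purge, it authenticates the request first; the check follows HubSpot's v3 request signature as I understand it (base64 HMAC-SHA256 of method + URL + body + timestamp, with a freshness window), and the client secret, webhook URL, timestamp window and in-memory contact store are constructed for the demo.

```python
# Added example (not Safe Merge's code): verify a HubSpot webhook, then purge
# every record held for the contact named in a contact.privacyDeletion event.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

CLIENT_SECRET = "constructed-client-secret"               # from env in production
WEBHOOK_URL = "https://example-app.test/webhooks/hubspot"  # assumed endpoint
MAX_SKEW_MS = 5 * 60 * 1000                               # assumed freshness window

# Constructed stand-in for the database: rows keyed by HubSpot contact id.
CONTACT_DATA = {"101": {"snapshots": 2}, "202": {"snapshots": 1}}


def v3_signature(method: str, url: str, body: str, ts_ms: str) -> str:
    """HubSpot v3 scheme as assumed here: HMAC-SHA256 over method+url+body+ts."""
    src = (method + url + body + ts_ms).encode()
    mac = hmac.new(CLIENT_SECRET.encode(), src, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def handle_webhook(headers: dict, body: str, now_ms: Optional[int] = None) -> list:
    """Return the contact ids purged; raise PermissionError on a bad request."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    ts = headers.get("X-HubSpot-Request-Timestamp", "")
    if not ts.isdigit() or abs(now_ms - int(ts)) > MAX_SKEW_MS:
        raise PermissionError("missing or stale timestamp")   # replay defence
    expected = v3_signature("POST", WEBHOOK_URL, body, ts)
    presented = headers.get("X-HubSpot-Signature-v3", "")
    if not hmac.compare_digest(expected, presented):
        raise PermissionError("signature mismatch: not from HubSpot")
    purged = []
    for event in json.loads(body):
        if event.get("subscriptionType") != "contact.privacyDeletion":
            continue   # other subscription types are not a deletion instruction
        contact_id = str(event["objectId"])
        if CONTACT_DATA.pop(contact_id, None) is not None:
            purged.append(contact_id)   # permanent: nothing is soft-deleted
    return purged
```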
Error Monitoring
We use Sentry for error monitoring with send_default_pii=False configured. This means the personally identifiable information the SDK would otherwise attach by default, such as user identifiers and IP addresses, is not included in error reports.
Incident Response
Detection: Application monitoring, error tracking, and infrastructure alerts
Response: Immediate investigation upon detection of a potential security incident
Notification: Customers notified within 72 hours of confirmed breach (per GDPR Article 33)
Remediation: Root cause analysis, patching, and preventive measures documented
Encryption mitigation: OAuth tokens are encrypted with Fernet; under most US state breach-notification laws, exposure of encrypted data generally does not trigger notification requirements if the encryption key is not also compromised
Compliance Framework
Regulation / Standard    | Status
GDPR (EU)                | Compliant: DPA with SCCs available
UK GDPR                  | Compliant: UK IDTA/Addendum incorporated
CCPA/CPRA (California)   | Compliant: Service Provider designation
EU AI Act (Regulation)   | Limited Risk classification: transparency obligations met
HubSpot Developer Policy | Compliant: OAuth, privacy webhook, data disclosures
PCI DSS                  | Payment processing delegated to Stripe (PCI DSS Level 1)
If you discover a security vulnerability, please report it responsibly to joshua@thirdspaced.com. We appreciate security researchers who help us keep our users safe.
We will acknowledge receipt within 48 hours
We will provide an initial assessment within 5 business days
We will not take legal action against researchers acting in good faith
Questions
For security questions or to request a security questionnaire response, contact us at joshua@thirdspaced.com.