Seamless Data Localization: Enhancing HubSpot with Skyflow
Data residency is a common requirement of many modern data protection laws, governing where sensitive data can be stored or processed in the cloud or in an on-prem server. So, how can companies honor data residency requirements when using CRM tools like HubSpot to store the sensitive data of customers and prospective customers?
The location of sensitive data has significant implications for regulatory compliance, as countries and regions pass a variety of data protection laws and regulations.
More and more countries, including Singapore, Australia, Brazil, and even states and provinces like Quebec are introducing data residency requirements to protect their residents’ personal data. This makes it increasingly difficult for global companies to navigate the requirements of these laws and remain compliant.
In this post, we’ll look at how to support data residency requirements in the context of HubSpot. While HubSpot can be hosted either within the US or Germany, it doesn’t currently support hosting in other regions, posing a challenge for data residency compliance in other countries. To solve this problem, you can use a simple architectural approach to control the location of sensitive data with a data privacy vault.
Before we jump into describing the solution, let’s begin with a deep dive into data residency and how it relates to compliance.
The Implications of Data Residency on Compliance
When you work with personally identifiable information (PII), where you store and process this data has a direct impact on your legal requirements. Some jurisdictions have regulations that govern the protection and privacy of PII that is used by businesses.
For example:
- In the European Union, personal data cannot be transferred outside the EU without appropriate safeguards, and the adequacy of common safeguards is undergoing judicial review.
- In Australia, sensitive healthcare data cannot be transferred outside of the country.
- In Brazil, sensitive data can only be transferred to countries that provide an equivalent level of data protection to what is provided by Brazil’s LGPD.
The laws of each jurisdiction impact how you transmit, manage, store, and process data in that jurisdiction. Because data residency requirements dictate the geographic location where data is stored in the cloud, data residency compliance becomes a challenge for global businesses that run their infrastructure in the cloud.
Fortunately, you can use a data privacy vault to simplify data residency compliance.
What is a Data Privacy Vault?
A data privacy vault isolates, protects, and governs access to sensitive customer data. Sensitive data is stored in the vault, while non-exploitable tokens that serve as references to that sensitive data can be stored in traditional cloud storage or used in data warehouses. A token is an obfuscated string that represents other, more sensitive data. You can think of tokens as “stand-ins” for the actual, plaintext sensitive data, such as a social security number or a passport number, which is stored in the vault.
A data privacy vault tightly controls access to sensitive data, while other systems, applications, and users only have access to tokenized data. This approach to sensitive data isolation minimizes the risk of unauthorized access or data breaches by providing an additional layer of security for sensitive data for any data storage and management process.
You can see how a data privacy vault replaces a sensitive data record like a phone number (555-1212) with a non-sensitive token (ABC123) shortly after that number is collected by the front-end application in the following illustration:
Ideally, sensitive data is tokenized (and therefore de-identified) as early in the data lifecycle as possible, preventing its replication (or sprawl) across servers, databases, data warehouses, logs, etc.
The plaintext phone number, and any other PII, is stored securely in the vault, which is isolated outside of the existing infrastructure. The existing downstream services store only a tokenized representation of the sensitive data.
Because all downstream systems and services only store tokenized data and other non-sensitive data, they are removed from the scope of data residency compliance.
Now that we’ve looked at how this works in this example architecture, let’s see how to integrate a data privacy vault like Skyflow with HubSpot.
Integrating Skyflow Data Privacy Vault with HubSpot
Above I showed how a data privacy vault can be used to keep PII out of existing downstream systems like databases or data warehouses. You can use the same approach to keep certain types of sensitive data out of HubSpot.
For example, if you need to collect customer contact information, but you also need to collect sensitive data like a picture of a customer’s driver’s license or their social security number, you wouldn’t want to store those types of sensitive data directly within HubSpot.
To solve this problem, you can use Skyflow Data Privacy Vault. Skyflow provides a data privacy vault as a service and can be integrated into an existing application or HubSpot using SDKs and APIs.
Skyflow lets you choose where your vault is located, so you can keep the sensitive data that’s subject to data residency requirements where you need it. And, you can host one or more vaults anywhere in the world, allowing you to meet multiple residency requirements.
Collecting Sensitive Data with Skyflow and HubSpot
In your application front end where you’re collecting sensitive data, any information that you want to keep out of HubSpot is immediately sent directly to your Skyflow vault via a Skyflow SDK. The vault stores the sensitive data (e.g., a social security number or a driver’s license photo) and returns a reference in the form of one or more tokens.
These tokens can be safely stored within HubSpot as part of the contact properties and used later to retrieve the original value.
After receiving tokenized data back from Skyflow, you can store these tokens as part of the contact data you’re storing in HubSpot with the HubSpot Contact API.
Alternatively, you could use a HubSpot form that contains hidden fields representing the contact properties that can store tokenized data. With this approach, you’d update the hidden input fields with tokenized data before submitting the form.
Retrieving Sensitive Data from within HubSpot
To make data stored in your vault viewable within HubSpot, you can use a custom card to extend the default HubSpot UI. The HubSpot custom card feature lets you call Skyflow APIs via a serverless function to detokenize data, or embed an iFrame into the HubSpot UI where you can retrieve the sensitive data that’s stored in the vault.
You can control what data is viewable and in what format (redacted, partially redacted, or plain text) with the Skyflow data governance engine. This lets you restrict access by user account with context-aware authorization so that only authorized users can access a given contact’s sensitive data. And you can use partial redaction to prevent users from seeing (for example) a complete social security number if they only need to see the last four digits.
In the example architecture shown below, an iFrame is used to retrieve, host, and display sensitive data. The iFrame URL is a URL that you control. The iFrame page uses the Skyflow JavaScript SDK to exchange the contact’s stored tokens with the original sensitive data values.
Satisfying Data Residency Requirements with a Data Privacy Vault
To support data residency across multiple jurisdictions, you simply have to extend the integration described above to route data to multiple regionalized vaults. Those vaults are located in those countries where you have customers whose data is subject to data residency requirements.
With Skyflow, you have a comprehensive data residency solution because you can host your data privacy vaults near your customers, and you can route sensitive data to a vault in a specific region for storage.
For example, the architecture shown below includes a vault that’s located in the US and a vault that’s located in Australia. Any sensitive data for customers located in the US is sent to the vault located in the US. Similarly, Australian customer data is sent to the vault in Australia, as shown below:
The vaults send de-identified data back to HubSpot in the form of tokens. And all non-sensitive data, including these tokens, can safely be stored in HubSpot as a contact.
To display sensitive data, as discussed above, you can use a HubSpot custom card with an iFrame. The iFrame will use the Skyflow JavaScript SDK to securely exchange the tokens stored with the HubSpot contact for the original sensitive data values, as shown below:
Final Thoughts
By leveraging multiple vaults in various regions worldwide, Skyflow helps you to efficiently handle your sensitive data, easing compliance with data residency requirements across jurisdictions.
Using Skyflow Data Privacy Vault in your architecture significantly simplifies the complexities associated with data residency and compliance with other data protection requirements. By relieving HubSpot from the compliance burden of data residency, Skyflow enables seamless global marketing operations within a unified HubSpot instance.
This streamlined approach optimizes data management and analysis while upholding compliance standards and protecting your sensitive customer data.