Skip to content
English
  • There are no suggestions because the search field is empty.

Is my data safe with SurroundR?

Short answer: yes. Here's why, in plain English.

TL;DR

  • We don't copy your CRM data — your contacts, companies, and deals stay in HubSpot.
  • We never see your HubSpot password. You log in directly with HubSpot.
  • We only ask for the permissions we actually need.
  • Everything is encrypted, both when stored and when sent.
  • If you delete a contact in HubSpot, our related records disappear automatically (GDPR-compliant).
  • All of this is on by default. There's nothing for you to configure.

If that's all you needed, you're done. Keep reading if you want the details.

We don't copy your CRM data

Your CRM (HubSpot) is your address book. SurroundR doesn't copy it.

We don't pull your contacts, companies, or deals onto our side. When you click "Sync," information flows into your CRM — not out of it. We're a one-way street pushing data into HubSpot, never the other way around.

What we do store is tiny: a few ID numbers (so we know which LinkedIn profile matches which CRM contact) and your personal settings. That's it.

Logging in works like a wristband at a concert

When you sign in, SurroundR gives you a special token — basically a digital wristband. Every time you do something, we check the wristband. If it's missing, expired, or wrong, you get bounced.

The moment you change your password (or an admin revokes your access), every old wristband stops working immediately.

We never see your HubSpot password

When you connect HubSpot, you log in directly with HubSpot — not with us. HubSpot then hands SurroundR a permission slip that says: "this person is okay with SurroundR doing X and Y."

We can't do anything outside what's on the slip. And we only ask for two things on it: reading and updating your contacts and companies. We don't ask to see your email, your calendar, your deals, or anything else.

That permission slip is kept in a digital safe

The permission slip from HubSpot is valuable — anyone who steals it could pretend to be you. So we lock it up using AES-256 encryption. That's the same kind of lock used by banks. Even powerful computers can't crack it in any reasonable amount of time.

We only unlock the slip the exact moment we need to use it, and we never write it down anywhere else.

LinkedIn URLs are never stored in plain text

When SurroundR remembers "this LinkedIn profile belongs to this CRM contact," we don't save the actual LinkedIn URL. We save a scrambled version of it (called a hash).

It's like saving someone in your phone as "MomCell" instead of writing out their full name and number — useful for matching, useless to a stranger who finds your phone.

Everything travels through a locked tunnel

Every time your browser talks to SurroundR, or SurroundR talks to HubSpot, the conversation goes through HTTPS — a private tunnel nobody on the outside can listen in on.

We check the mailman's badge

Sometimes HubSpot sends us notifications — for example, "this contact was deleted, please clean up." Before we act on any message, we verify it's really from HubSpot using a cryptographic signature. Fake messages get thrown out.

When a contact is deleted, our records disappear too

If you delete a contact in HubSpot, that automatically triggers a cleanup on our side. Anything related to that contact gets scrubbed from SurroundR. This is part of staying GDPR-compliant.

The boring-but-important stuff

  • Our database is hosted on a managed, encrypted platform with automatic backups.
  • Our services run in isolated containers — we don't share space with other companies' apps.
  • Every login and important action is logged for audit purposes.
  • Sensitive data is automatically filtered out of error logs.

If you're filling out a security questionnaire for your IT team, or want a deeper technical conversation, email support@surroundr.io and we'll walk you through it.

Or check out the exact technical architecture through this article
How does SurroundR handle security and data privacy?