Intended roles
The customer generally acts as controller or business for CRM data and instructs TerritoryLogic to process that data as a processor or service provider to operate territory decisions. Each party remains responsible for determining its legal role under applicable law. Support, security, website, and installation-administration information may be processed for TerritoryLogic's own operational purposes as described in the Privacy Notice.
Processing schedule
| Subject matter | Providing a portal-scoped HubSpot company ZIP territory management service. |
|---|---|
| Duration | While the installation is active, plus applicable audit/security retention and provider-backup expiry. |
| Nature | Collect, normalize, store, compare, evaluate, display, audit, and—only when separately authorized—write or roll back company owner values. |
| Business purpose | Deterministic territory ownership, preview, exception handling, governance, and recovery. |
| Data subjects | HubSpot users/owners and people represented in customer support/administrative communications. The current public routing program does not use contact records. |
| Personal data | User/owner identifiers and display information, roles, support contact details, network metadata, and customer-configured company evidence that may relate to a person. |
| Sensitive data | Not intended or authorized. Sensitive/highly sensitive HubSpot scopes are excluded. |
Commitments intended for the commercial DPA
- Process customer data only on documented instructions needed to provide and secure the service.
- Bind personnel with access to appropriate confidentiality obligations.
- Maintain the technical and organizational controls described in a final security schedule.
- Use listed subprocessors under data-protection obligations and provide a defined change-notice/objection process.
- Assist reasonably with data-subject requests, security incidents, impact assessments, and regulator inquiries.
- Delete or return customer data at termination, subject to documented backup expiry and legal retention.
- Provide reasonable audit evidence and define limits for customer audits.
- Address international transfers through applicable transfer mechanisms and regional schedules.
Current technical measures
Current measures include HubSpot OAuth, scope minimization, encrypted token envelopes, portal-bound sessions and roles, forced tenant row-level security, separate maintenance access, privacy-minimized ZIP snapshots, signed request validation, CSRF/idempotency controls, immutable decision/write evidence, fail-closed owner-write gates, and guarded rollback. No certification or independent audit is claimed. Read Security for limitations.
Requesting future commercial terms
Send a request to support@territorylogic.com with your organization name, country, and required legal framework. Do not attach CRM exports or credentials. The response may confirm that the service is not yet ready rather than offering an unsigned or incomplete agreement.