Legal / DPA

Data Processing Addendum status

The current page documents the intended processing boundary. It is not an executable DPA and does not identify a contracting legal entity.

Last reviewed July 15, 2026 · Early-access documentation

Intended roles

The customer generally acts as controller or business for CRM data and instructs TerritoryLogic to process that data as a processor or service provider to operate territory decisions. Each party remains responsible for determining its legal role under applicable law. Support, security, website, and installation-administration information may be processed for TerritoryLogic's own operational purposes as described in the Privacy Notice.

Processing schedule

Subject matterProviding a portal-scoped HubSpot company ZIP territory management service.
DurationWhile the installation is active, plus applicable audit/security retention and provider-backup expiry.
NatureCollect, normalize, store, compare, evaluate, display, audit, and—only when separately authorized—write or roll back company owner values.
Business purposeDeterministic territory ownership, preview, exception handling, governance, and recovery.
Data subjectsHubSpot users/owners and people represented in customer support/administrative communications. The current public routing program does not use contact records.
Personal dataUser/owner identifiers and display information, roles, support contact details, network metadata, and customer-configured company evidence that may relate to a person.
Sensitive dataNot intended or authorized. Sensitive/highly sensitive HubSpot scopes are excluded.

Commitments intended for the commercial DPA

  • Process customer data only on documented instructions needed to provide and secure the service.
  • Bind personnel with access to appropriate confidentiality obligations.
  • Maintain the technical and organizational controls described in a final security schedule.
  • Use listed subprocessors under data-protection obligations and provide a defined change-notice/objection process.
  • Assist reasonably with data-subject requests, security incidents, impact assessments, and regulator inquiries.
  • Delete or return customer data at termination, subject to documented backup expiry and legal retention.
  • Provide reasonable audit evidence and define limits for customer audits.
  • Address international transfers through applicable transfer mechanisms and regional schedules.

Current technical measures

Current measures include HubSpot OAuth, scope minimization, encrypted token envelopes, portal-bound sessions and roles, forced tenant row-level security, separate maintenance access, privacy-minimized ZIP snapshots, signed request validation, CSRF/idempotency controls, immutable decision/write evidence, fail-closed owner-write gates, and guarded rollback. No certification or independent audit is claimed. Read Security for limitations.

Requesting future commercial terms

Send a request to support@territorylogic.com with your organization name, country, and required legal framework. Do not attach CRM exports or credentials. The response may confirm that the service is not yet ready rather than offering an unsigned or incomplete agreement.