Identity and access
- HubSpot OAuth is the only public installation and sign-in identity path; there is no TerritoryLogic password database.
- Hosted sessions are opaque, secure, HttpOnly, portal-bound, and time-limited. HubSpot launch codes are single-use and short-lived.
- Account Owner, Admin/Publisher, Editor, Viewer, and Card-only roles are scoped to one HubSpot portal.
- Mutating console requests require the portal session, role authorization, CSRF protection, and operation-specific concurrency or idempotency evidence.
Tenant and secret isolation
- The HubSpot portal ID is the tenant key. PostgreSQL row-level security is forced under the application database role.
- OAuth access and refresh tokens are stored as encrypted envelopes and accessed through a private token-vault boundary.
- Public and destructive maintenance database access use separate least-privilege roles and separate Cloudflare Hyperdrive connections.
- Uninstall work is generation-bound so a stale event cannot intentionally target a later installation.
Data minimization
- The current public program reads HubSpot companies, schemas, and owners only.
- Routing snapshots retain normalized U.S. country/ZIP5, current owner, opaque record identity, bounded source/validity evidence, and only configured allowlisted facts.
- Raw street addresses and malformed ZIP input are not retained for current routing. The service does not geocode addresses.
- Privacy webhook subjects are replaced with tenant-scoped cryptographic fingerprints before maintenance persistence or queue delivery.
Write safety
- Simulation is bound to an immutable draft and company snapshot and never writes HubSpot.
- Production owner writes require a runtime mode, exact portal allowlist, current write scope, publisher authorization, and a current publication preview.
- HubSpot is re-read before a possible write. Changed, locked, invalid, plan-limited, outside-territory, or otherwise unsafe records are preserved.
- Guarded rollback restores only TerritoryLogic's still-current latest successful value; later human or integration changes are skipped.
Infrastructure
The current service runs on Cloudflare Workers and related Cloudflare services, with PostgreSQL 17/PostGIS hosted by Neon. HubSpot remains the connected CRM. See Subprocessors for the current and inactive vendor list.
Outstanding assurance work
- Independent security assessment and complete public vulnerability-disclosure process.
- Contractual backup-retention maximum, recovery objectives, and service-level commitments.
- Full production alerting/status automation and large-portal chaos/load evidence.
- Real-portal validation of all Journal, privacy, uninstall, and recovery races across multiple unaffiliated portals.
Report a security concern
Use the support path and put “Security” in the subject. Include the affected URL, approximate time/time zone, and a minimal reproduction. Do not send tokens, credentials, exploit customer data, or access data beyond what is necessary to describe the issue.