By Amber Kemmis

On this page

    The release of the HubSpot Deep Research Connector for ChatGPT has opened a new chapter in automation and research powered by your CRM. You can now use natural language to surface, summarize, and act on HubSpot CRM data—all within ChatGPT’s interface.

    But, with this great power comes great responsibility.

    Because CRM systems hold customer data, private conversations, financial records, and operational insights, it’s essential that your ChatGPT integration is securely packaged, properly governed, and protected from data leakage or model drift.

    This guide will walk you through how to securely deploy, manage, and scale ChatGPT with HubSpot—without compromising your data, customers, or compliance standards.

    What Is the HubSpot Deep Research Connector?

    HubSpot’s connector allows ChatGPT to access CRM data via authenticated APIs. You can ask natural language queries like:

    • "Summarize the highest converting landing pages”
    • "List all contacts in the health tech sector that haven’t been touched in 30 days."
    • "What are the Q2 pipeline trends by deal stage?"

    The ChatGPT implementation should be carefully rolled out, and when done so, it doesn't pose risks to your data.

    Use the Right ChatGPT Tier

    Not all ChatGPT deployments are created equal. For secure CRM access, ChatGPT Team or Enterprise is strongly recommended because of their advanced permissioning and data customization. That said, HubSpot will only allow connection with Enterprise, Team, Pro, Plus, or Edu within the United States. EU users will need to use a ChatGPT Team, Enterprise, or Edu plan. So, by default, HubSpot has prevented risk of data sharing and exposure by only allowing paid subscriptions to connect. 

    Beyond selecting the right tier, you should also turn off the Improve the model for everyone setting in ChatGPT.

    With the right ChatGPT tier and settings, data can safely be pulled into ChatGPT without risk of exposure to the world, even if it contains data such as PII.

    But, there are a few more things you can do for safe keeping.

    HubSpot Permissions + Data Control

    By default, the ChatGPT Connector in HubSpot can only access data available to the user and is not controlled by OAuth APIs at the account level. So, for example, a sales user with access to only their deal records would only be able to query their deal data. However, a Super Admin with access to all data would be able to access any data in the portal. 

    With this in mind, you will want to review the following to ensure data pulled into ChatGPT fits the use case and data compliance you intend:

    • Update user permissions and permission sets to only include data you'd want the individual to connect to ChatGPT. 
    • Ensure users who may need to conduct account or department-wide research have less granular permissions, but also have been prepped on how to use this data safely
    • If PII or any type of Sensitive Data appears in your account, use HubSpot's Sensitive Data features (requires Enterprise)

    Align with HubSpot’s Sensitive Data & GDPR Features

    Sensitive Data

    HubSpot enables admins to designate individual CRM properties as "sensitive", which affects visibility in UI, reports, and APIs.

    Use this to:

    • Hide sensitive fields (e.g., Social Security Numbers, medical info, financial details) from API responses by default.
    • Apply user role-based visibility rules to further reduce surface area.
    • HubSpot will not allow the query of Sensitive Data fields, as outlined in their documentation.

    Regardless of access level, the following should never be used in ChatGPT prompts unless required and securely masked via Sensitive Data features:

    Type

    Examples

    PII

    SSNs, full addresses, personal phone numbers

    Financial

    Billing data, credit card info, payment terms

    Private CRM Notes

    Call logs, internal comments, legal disclaimers

    Unstructured Content

    Email or ticket content unless scrubbed/redacted

    Resources:

    GDPR Data

    HubSpot contact records often contain personal data as defined by GDPR, including:

    • Names, email addresses, phone numbers
    • IP addresses, locations, cookies (via forms/tracking)
    • Interaction history, behavior scores
    • Subscription status, legal basis for processing

    Because the connector pulls this data into a ChatGPT session, it must be treated as a data processing activity—subject to auditability, purpose limitation, and deletion rights. By default, users subject to GDPR can only connect HubSpot to ChatGPT Team, Enterprise, or Edu plan. 

    • Use GDPR Features Proactively: HubSpot has built-in GDPR properties and features like Legal basis for processing contact’s data and Consent to communicate. Leverage these to ensure users only have access to those who have provided consent.
    • Purpose Limitation: Use the connector only for explicit business needs (e.g., sales context generation, support summaries). Avoid exploratory queries like “show me all contacts in France.”
    • Audit & DSAR Readiness: Maintain logs of CRM access via the connector. Be prepared to generate prompt history if a contact issues a Data Subject Access Request (DSAR) or Right to Erasure request.

    Resources:

    Model Learning & Prompt Engineering

    OpenAI’s models do not retain prompt or response data when used under paid plans. However, for safety:

    • Train users on use cases they can and cannot use the ChatGPT connector for
    • Create structured prompt templates that fit within these use case exposures.
    • Take an extra step to create custom ChatGPTs for the common use cases your team might encounter. This will allow you to have more control over context and prompts. Use system prompts in custom GPTs to define what's off-limits, like: “Never surface contact notes, deal amounts, or internal comments in any response.”
    • For GDPR, Integrate Consent Flags Into Prompts:
      Non-compliant: “Summarize all activity for EU contacts last month.”
      Compliant: “Summarize lifecycle events for contacts with GDPR consent marked ‘Granted’ who visited our pricing page this month.

    Logging, Monitoring, and Audit Trails

    Ensure full traceability of ChatGPT usage:

    • Maintain logs of all CRM data access triggered via ChatGPT.
    • Set up admin alerts for abnormal usage or unusually large prompts.
    • Conduct regular reviews of HubSpot's security health and integration logs.

    If using ChatGPT Enterprise, enforce SSO, role-based access, and data use policies in your org.

    Setup Checklist

    Step

    Description

    🔒 HubSpot Permissions

    Modify HubSpot permissions 

    🧠 Model Tier

    Use the proper ChatGPT tier

    📊 Prompt Design

    Create pre-templated prompts or custom GPTs for use

    🛡️ Monitoring

    Audit prompt usage, flag risky access

    📁 Logs

    Retain secure activity logs for compliance

    Final Thoughts

    AI and HubSpot CRM together are a force multiplier—but only when deployed securely. By understanding the packaging and learning behavior of ChatGPT, and by applying data-level and model-level safeguards, your business can enjoy the benefits of conversational AI without introducing risk.

    If you’re planning a secure rollout of HubSpot + ChatGPT, consider drafting internal AI Acceptable Use Policies (AUPs), red-teaming your prompts, and providing role-specific guidance to your team.