Skip to main content
by Nomadyr
DE Join the Beta
Menu
Security & data protection

We only access what we functionally need.

Your data is stored in the EU (Frankfurt), encrypted at rest and in transit, isolated from every other customer.

Our approach

QuoteXelerator identifies which deal to attach line items to, reads owners for recipe assignment, and reads or writes line items. That is the complete extent of our HubSpot access. Because our OAuth scope is limited to exactly that, we cannot access contacts, companies, emails, tickets, conversations, or any other HubSpot data. Your quote data is processed in real time and not retained beyond what compliance logging requires. The data we do hold is encrypted with per-portal derived keys and is never stored in plaintext.

Infrastructure

Platform
  • EU-only serverless + managed DB
  • AWS-based (eu-central-1, Frankfurt)
  • SOC 2 Type 2 certified providers
  • Region: Frankfurt
Encryption
  • TLS in transit
  • AES-256 at rest
  • Per-portal key derivation for selected fields
Data Residency
  • Application data we control stored in EU (Frankfurt)
  • Line items live in your HubSpot portal — HubSpot data flow, not specific to us
  • Email delivery via Resend (EU servers in Ireland)
Credential Security
  • No readable tokens stored
  • No plaintext credentials
  • Complete tenant isolation

Data flow

Your application data stays in the EU. A defined set of metadata transits providers outside the EU, each under EU Standard Contractual Clauses and documented in our DPA.

Stays in the EU
Your HubSpot portal
QuoteXelerator backendVercel functions on AWS, Frankfurt
Supabase on AWS, Frankfurtrecipes, quote snapshots, compliance log, OAuth tokens, FX config
Two encryption layers at rest: AES-256 on disk, plus AES-256-GCM with portal-specific derived keys on selected fields (financial & FX values, snapshots, compliance details, approval notes, OAuth tokens, personal identifiers).
Leaves the EU (metadata only)
Vercel edgeIP, headers for DDoS / WAF (US)
Resendemail metadata (US)
Anthropicredacted error metadata (US)

HubSpot permissions

During installation, we only request the permissions that are functionally required for the app to operate. Authentication is handled via OAuth 2.0 with the following minimum scopes. Expand any scope to see the exact fields we touch.

crm.objects.deals.read
Identify which deal to attach generated line items to
Exactly four deal fields: dealname (labels an FX reservation), amount (detects margin shifts), hubspot_owner_id (attributes an action to the acting person), and deal_currency_code (calculation currency). A pure existence check reads only the record ID (hs_object_id). We never follow links to contacts or companies.
crm.objects.line_items.write
Create and update deal line items from processed quotes
Operations: create line items, batch-create, update, delete, and batch-archive. When creating a line item we write name, quantity, price, hs_sku, description, hs_product_id, hs_line_item_currency_code, and where applicable discount and hs_discount_percentage. This is the core function: writing the generated quote line items into your deal.
crm.objects.line_items.read
Read existing line items for change detection and compliance logging
Four line-item fields: name, quantity, price, amount. We read them for the before-image of change detection, before we re-write line items.
crm.schemas.line_items.read
Read line item property definitions for field mapping
Reads the property definitions for the line-item object (names, types, labels) so the recipe field mapping aligns with your portal. Schema metadata only, no customer record values.
crm.objects.owners.read
Identify deal owners for recipe assignment
We read owner records via /crm/v3/owners (list), /crm/v3/owners/{id}, and search by email. Fields read: id, userId, email, firstName, lastName, and the team assignment (id, name, primary). This resolves the acting person for the compliance trail and display. No write access.
These are HubSpot's own OAuth scopes, and they set a hard boundary around everything QuoteXelerator can reach. Inside that boundary we see who owns and created a deal, the deal's own attributes (its name, amount, currency, and any custom properties), and the line items we generate with their quantities and prices. Nothing more. HubSpot's permission model blocks us from the rest of your CRM by design: we cannot read your contacts, companies, customer records, emails, tickets, or conversations. So even in a worst case, the only data within our reach is deal metadata and the line items you set out to quote.

Data handling

Processing: Quote data is processed in real time.
Compliance logs: Retained with your subscription for compliance purposes.
Data isolation: Your data is completely isolated at the database level. Access tokens and snapshots are encrypted at the application layer with portal-scoped key derivation.
Cancellation: On explicit termination, all customer data is deleted within 90 days.
No data resale: We never sell your data, and we never use it for purposes beyond delivering the service you subscribed to. The subprocessors below only access what they need to operate.

Compliance

DSGVO / GDPR
Fully compliant with the EU General Data Protection Regulation. Data subject rights (Art. 15–22) supported. Technical and organizational measures per Art. 32 GDPR are documented in our TOM.
AVV / DPA
Read the full Data Processing Agreement (DPA) or the German Auftragsverarbeitungsvertrag (AVV) per Art. 28 GDPR. For further questions, reach out at legal@quotexelerator.com.
SOC 2 Infrastructure
QuoteXelerator runs on SOC 2 Type 2 certified infrastructure, and every subprocessor holds its own SOC 2 Type 2 attestation. Several (Supabase, Vercel, HubSpot, Anthropic, Atlassian) add ISO 27001, and Stripe holds PCI DSS Level 1. Our measures are documented in the TOM and verifiable through the immutable compliance trail.
EU Data Residency
Application data we control is stored in the EU (Frankfurt). Line items live in your HubSpot portal — that is HubSpot's standard data flow for every HubSpot app, not specific to us.
AWS Infrastructure
Our database (Supabase) and serverless functions (Vercel) run on Amazon Web Services in the Frankfurt region (eu-central-1). AWS maintains ISO 27001, SOC 2 Type 2, and BSI C5 (the German cloud-security catalogue) certifications.

Subprocessors

We notify customers at least 30 days before adding a new subprocessor.

Service · Purpose Location
Supabase
Database & auth
Frankfurt, EU
Vercel
Hosting & functions
Frankfurt, EU (US edge metadata)
HubSpot
CRM integration
US (EU SCCs)
Resend
Transactional email
US (EU servers in Ireland)
Anthropic
AI incident investigation (redacted metadata)
US (SCCs)
Atlassian
Support portal & knowledge base
US / global (DPF + SCCs)
Stripe
Payment processing (independent controller)
Dublin, IE

Interested in learning more?
Join the beta to stay informed on product updates and the latest features.

Join the Beta »

Read the full Data Processing Agreement or the Technical and Organizational Measures (TOM). For further questions, reach out at legal@quotexelerator.com.