Built to be safe inside your CRM
OneSpot runs where your data already lives. It's designed so the safe choice and the easy choice are the same one — no extra warehouse, no leaked keys, no blind spots.
HubSpot stays the source of truth
Every tool that produces CRM data writes back to HubSpot natively. OneSpot keeps only what AI features need — transcript chunks, embeddings, and the audit log — and never sets up a competing warehouse you have to reconcile.
OAuth-only authorization
OneSpot connects through HubSpot OAuth, the sole authorization method. There is no API-key surface to leak, and write scopes are requested conditionally rather than demanded up front at install.
Bring-your-own-key, encrypted
Third-party credentials (Twilio, Hunter, Apollo, Google Ads, Stripe…) are sealed with envelope encryption (AES-256-GCM). They are decrypted only in worker memory for the call that needs them — never logged, never stored in plaintext.
A complete audit log
Every mutation across every tool is captured — who, what, when, and the before/after — in one exportable timeline. Stream it to your SIEM in JSON-Lines, CSV, or CEF, with optional PGP encryption.
Role-based permissions
Seeded role templates (Admin, Sales Manager, Sales Rep, CS Manager, Read-Only) plus per-tool allow/deny overrides and per-user exceptions cascade across the whole app — so access is deliberate, not accidental.
SOC 2 & GDPR groundwork built in
The compliance dashboard auto-collects evidence from the audit log per control and runs a quarterly review. GDPR data-subject requests run through a state machine with 30-day SLA bands and an audit on every step.
The safeguards that run on every request
Reliability and security primitives are part of the platform, not an afterthought bolted onto each tool — so they behave the same everywhere.
- Webhook signature verification on inbound HubSpot events
- HMAC-signed outbound webhooks with a dead-letter queue + retries
- Rate limiting that respects HubSpot’s portal caps with automatic backoff
- Internal endpoints protected by a server-side secret, never exposed publicly
- Per-tenant data isolation across every tool
- Structured logging and per-request tracing for fast incident response
Transparency you can verify
E-signed documents carry a tamper-evident SHA-256 hash chain embedded in the PDF — verifiable in Adobe Reader. A public status page reports component health and 90-day uptime. And the audit log gives compliance teams the evidence trail they need, on demand.
Safe by default. Native by design.
Install free in a couple of clicks, right inside HubSpot. 11 tools on day one — no credit card, no separate login.