CRMs and ITAR Compliance: Which Software Do I Choose?


Several of today's popular CRMs offer a variety of services all within the cloud. Cloud computing can do wonders for efficiency, allowing for more data storage, faster data retrieval, and ultimately higher satisfaction for end users and customers. But, with more companies across all industries moving sensitive information into the cloud, data security is becoming a greater concern.


In today's world there are fewer brick-and-mortar server rooms monitored with on-site security systems. Most people’s idea of the cloud is a vague notion of bits and bytes floating around like ice crystals in the stratosphere. Many wonder if those bits and bytes are truly secure enough for business and customer information. Additionally, concerns increase if you’re subject to special data handling rules, such as the International Traffic in Arms Regulations (ITAR).

In this blog, we’ll help break these questions down piece by piece, focusing on two of the largest CRMs in the market today, Salesforce and HubSpot. If you're unsure where to start, you can give us a call and we'll run through the process with you.


Solving Modern-Day Pangaea: Sharing and Protecting Data

Billions of years ago, all the continents on earth were glommed together into one unbroken landmass that scientists call Pangaea. Today, countries, people, and governments are separated by mountains and oceans as well as by politics and law. Rules that apply in one country don’t always apply in another, but many companies must still find ways to operate together internationally. One of the great benefits of cloud computing is that it helps bring businesses together even across international borders, easing communication and collaboration. Many of the companies that offer cloud hosting have data storage facilities in multiple countries for exactly this reason, making sure that a sales rep in Tokyo can engage with a prospect in Junction City or Chicago. 

We begin to encounter specific problems with this setup when national security is involved. Because the cloud is like a modern-day Pangaea, it becomes necessary to ensure that sensitive data doesn’t cross borders or fall into the wrong hands. ITAR aims to control the flow of physical goods, such as weapons and weapon parts, as well as the flow of sensitive data relating to any such items, including customer order information.


Is my CRM ITAR-compliant?

It is ultimately your responsibility as a business owner to determine if your systems are ITAR-compliant. Compliance has to do with specific data usage and data movement, which is affected by your unique software configuration as well as the behavior of your users. Therefore, no software system can ever be said to be 100% ITAR-compliant in all cases. Most importantly, this blog post absolutely does not constitute legal advice—you should always direct specific questions on this matter to your legal counsel.

That said, it is possible to comfortably make a few firm statements regarding the Salesforce and HubSpot CRMs and ITAR compliance.


Is Salesforce or HubSpot better for ITAR compliance?

Salesforce offers myriad services to assist with security regulation compliance, including its Government Cloud offering, which is specifically designed to deal with data relevant to national security. Salesforce also recently adopted Amazon Web Services (AWS) as its preferred public cloud infrastructure provider. AWS specifically provides ITAR-compliant services in its GovCloud offering.

The Salesforce verdict? As with other CRMs, Salesforce is not ITAR-compliant right out of the box. The platform can, however, be made ITAR-compliant for those who request it. Depending on your unique use case, you may need to purchase additional services, such as Salesforce Government Cloud, to maintain ITAR compliance standards. Before implementing Salesforce as your CRM, contact them to discuss your needs and determine how they can adjust the capabilities of their platform to assist in maintaining ITAR compliance for your business.


HubSpot allows customers complete access to their legal documents to provide regulatory and compliance guidance. These documents don't specifically address ITAR or other regulatory systems, but their data processing agreement notes: It's best to disclose any legal requirements, such as a need to maintain ITAR compliance, prior to integrating HubSpot.

HubSpot uses both Amazon Web Services and Google Cloud Platform (GCP) for its cloud hosting services. As mentioned previously, AWS can be made ITAR-compliant. However, GCP specifically states that it “does not support use of [its] services with ITAR-controlled data.”

The HubSpot verdict? Do your homework. We do work with many companies that are subject to ITAR compliance rules and are using HubSpot as their CRM. There are opportunities to assess which features of the tool are needed for your process and which can be left unused for compliance reasons. For example, many customers may decide to log that a call was made or an email was sent on a record but not "formally" track the communication. Others may decide to track conversations in the early stage, but stop when specs or renderings become involved. Your use case may allow you to store your customer data, or a subset of it, within the HubSpot platform. As always, take caution with this decision, and direct specific questions to a lawyer experienced in dealing with these kinds of regulations.


Still working on selecting your CRM? We are a certified partner with HubSpot and Salesforce. Give us a call, or use our CRM Planner to build a clear planning process.
