# HubSpot
The KRNL Secure Document Manager for HubSpot brings cryptographically verifiable document integrity and identity-bound watermarking directly into your HubSpot deal and contact workflows. It is a dedicated application that adds a layer of trust and accountability to document sharing with prospects, customers, and partners, without replacing your existing HubSpot infrastructure.
### What It Does
* **Upload** — Users upload documents directly from the HubSpot application. The system generates a unique cryptographic fingerprint and anchors it for tamper-evident verification.
* **Watermark** — Every viewer receives a personalized watermark tied to their HubSpot identity. If a document is screenshotted, shared, or leaked, the watermark identifies the source.
* **Verify** — The system can confirm at any time whether a document matches its original fingerprint, detecting alterations or substitutions.
* **Audit** — All uploads, views, and verification checks are logged with immutable proofs, creating a complete compliance trail.
### How It Works
The integration follows a simple four-step flow that runs behind the familiar HubSpot-connected interface:
#### 1. Upload and Fingerprint
When a user uploads a document through the application:
* The document is sent to a secure processing service
* A cryptographic fingerprint (hash) is generated from the document content
* The fingerprint is anchored via the KRNL Protocol, creating a permanent, verifiable record
* The document is stored in secure storage; only the fingerprint is anchored, not the document itself
#### 2. Identity Confirmation
When a user requests to view a document:
* The system confirms the user's identity through HubSpot authentication
* Access permissions are checked against the associated deal, contact, or company record
* Unauthorized access attempts are denied and logged
#### 3. Watermarked Delivery
For authorized viewers:
* The original document is retrieved from secure storage
* A personalized watermark is applied in real time, tied to the viewer's HubSpot user identity
* A secure viewing session is created
* The watermarked document is delivered to the user
#### 4. Audit and Compliance
Every action is logged:
* Who uploaded the document and when
* Who viewed the document and when
* Whether the document was verified against its original fingerprint
* All events are stored with cryptographic proofs for independent audit
### Architecture Overview
```
┌─────────────────────────────────────────────────────────────┐
│ HubSpot Platform │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Deals │ │ Contacts │ │ Activity Timeline │ │
│ │ (Records) │──│ (Records) │──│ (Event Log) │ │
│ │ │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└───────────────────────────┬─────────────────────────────────┘
│
┌───────────────────────────▼───────────────────────────────────┐
│ HubSpot Application │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ OAuth Login │ │ Document │ │ Access Logs │ │
│ │ (HubSpot │──│ Upload/View │──│ (Audit Trail) │ │
│ │ Identity) │ │ Interface │ │ │ │
│ └─────────────┘ └──────┬──────┘ └─────────────────────┘ │
└──────────────────────────┬────────────────────────────────────┘
│
┌──────────────────────────▼────────────────────────────────────┐
│ Backend Integrated with KRNL │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Fingerprint │ │ Anchor │ │ Watermark Engine │ │
│ │ Generation │──│ Proof │──│ (Identity-Bound) │ │
│ │ │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Attestor (Developer-Controlled) │ │
│ │ • Signs all fingerprints and access events │ │
│ │ • Resolves secrets (API keys, storage credentials) │ │
│ │ • Generates cryptographic proofs for every action │ │
│ └─────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────┘
│
┌───────────────────────────▼───────────────────────────────────┐
│ Infrastructure │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Secure │ │ Blockchain │ │ Identity Provider │ │
│ │ Storage │ │ Anchor │ │ (HubSpot Auth) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└───────────────────────────────────────────────────────────────┘
```
### Key Capabilities
| Capability | What It Means for Your Organization |
| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| **Blockchain-anchored integrity** | Every document receives an immutable fingerprint that cannot be altered. If the document changes, the fingerprint no longer matches. |
| **HubSpot-native identity** | Users authenticate with their existing HubSpot credentials. No separate accounts, no password fatigue. |
| **Identity-bound watermarking** | Every viewer's identity is embedded into the document they receive. Leaked documents are traceable to the individual who viewed them. |
| **Leak prevention by design** | Screenshots, recordings, and shared copies always contain traceable identifiers. There is no anonymous way to extract a clean document. |
| **Authenticity enforcement** | Any modification to a document invalidates its fingerprint. Verification fails if the document has been tampered with. |
| **Full auditability** | Admins can see who uploaded each document, who viewed it, when, and whether the document passed verification—all within the application. |
### Security Model
#### Data Handling
* **Document content never touches the blockchain.** Only the cryptographic fingerprint is anchored. The document itself remains in your secure storage.
* **Watermarks are applied server-side.** The client receives an already-watermarked image or PDF. There is no clean original delivered to the browser.
* **All access routes through the protected pipeline.** There are no direct URLs to stored documents that could bypass identity checks.
#### Identity and Access
* **HubSpot authentication is the gate.** The system relies on your existing HubSpot identity provider, teams, and permissions.
* **Access is record-scoped.** A user must have access to the associated HubSpot deal, contact, or company to see documents attached to it.
* **Session-bound viewing.** Each document view creates a time-limited session. Watermarks include session identifiers for additional traceability.
#### Cryptographic Assurance
* **Developer-controlled attestor.** Your organization controls the attestation policy and signing keys. KRNL does not hold or operate your attestor.
* **Every action is signed.** Uploads, views, and verifications each produce a cryptographic proof that can be independently verified.
* **Immutable audit trail.** Event logs are structured and signed. They can be exported for external audit or compliance review.
### Installation
The Secure Document Manager is deployed as a standalone web application with HubSpot OAuth integration. Installation requires:
1. **HubSpot App configuration** — Register your app in the HubSpot Developer Portal to obtain a Client ID and Secret
2. **A publicly accessible application** — Hosted backend and frontend for OAuth callbacks and user access
3. **A KRNL attestor image** — Configured with your organization's secrets (storage credentials, signing keys)
4. **Permission setup** — Configure HubSpot scopes for deals, contacts, and companies as needed
For detailed installation steps, OAuth configuration, and deployment guidance, refer to the repository below.
### Repository and Resources
Table
| Resource | Link |
| ---------------------------------- | ------------------------------------------------------------------------------ |
| Source code and installation guide | [github.com/KRNL-Labs/hubspot-krnl](https://github.com/KRNL-Labs/hubspot-krnl) |
| OAuth setup | See repository README |
| Configuration documentation | See repository README |
### Common Questions
Does this replace our existing document storage?
No. The integration works with your existing storage. KRNL adds a verification and watermarking layer on top.
Can we use this with custom HubSpot objects?
Yes. The application can associate documents with any HubSpot object that supports API access, including custom objects.
Where are the documents actually stored?
Document storage is configurable. The default uses secure cloud storage; enterprise deployments can route to private storage or VPC-resident systems.
What happens if the KRNL service is unavailable?
Document uploads and views are queued gracefully. The application UI continues to function; verification and watermarking resume when connectivity is restored.
How do we prove compliance to auditors?
All events are logged with signed proofs. Export the audit log and provide the attestation hashes. Auditors can independently verify the proofs without KRNL's involvement.
### Next Steps
* Clone the repository and configure HubSpot OAuth in the Developer Portal
* Set up your attestor with storage and API credentials
* Deploy the application backend and frontend
* Authenticate with HubSpot and upload your first document
* Review the [Building Custom Enterprise Connectors](https://www.kimi.com/chat/19e1549c-9682-8edf-8000-0932619ab22b?chat_enter_method=history#) guide to extend this pattern to other platforms
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.krnl.xyz/enterprise-integration/hubspot.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.