HubSpot
The KRNL Secure Document Manager for HubSpot brings cryptographically verifiable document integrity and identity-bound watermarking directly into your HubSpot deal and contact workflows. It is a dedicated application that adds a layer of trust and accountability to document sharing with prospects, customers, and partners, without replacing your existing HubSpot infrastructure.
What It Does
Upload — Users upload documents directly from the HubSpot application. The system generates a unique cryptographic fingerprint and anchors it for tamper-evident verification.
Watermark — Every viewer receives a personalized watermark tied to their HubSpot identity. If a document is screenshotted, shared, or leaked, the watermark identifies the source.
Verify — The system can confirm at any time whether a document matches its original fingerprint, detecting alterations or substitutions.
Audit — All uploads, views, and verification checks are logged with immutable proofs, creating a complete compliance trail.
How It Works
The integration follows a simple four-step flow that runs behind the familiar HubSpot-connected interface:
1. Upload and Fingerprint
When a user uploads a document through the application:
The document is sent to a secure processing service
A cryptographic fingerprint (hash) is generated from the document content
The fingerprint is anchored via the KRNL Protocol, creating a permanent, verifiable record
The document is stored in secure storage; only the fingerprint is anchored, not the document itself
2. Identity Confirmation
When a user requests to view a document:
The system confirms the user's identity through HubSpot authentication
Access permissions are checked against the associated deal, contact, or company record
Unauthorized access attempts are denied and logged
3. Watermarked Delivery
For authorized viewers:
The original document is retrieved from secure storage
A personalized watermark is applied in real time, tied to the viewer's HubSpot user identity
A secure viewing session is created
The watermarked document is delivered to the user
4. Audit and Compliance
Every action is logged:
Who uploaded the document and when
Who viewed the document and when
Whether the document was verified against its original fingerprint
All events are stored with cryptographic proofs for independent audit
Architecture Overview
Key Capabilities
Blockchain-anchored integrity
Every document receives an immutable fingerprint. If the document changes, its recomputed fingerprint no longer matches the anchored one.
HubSpot-native identity
Users authenticate with their existing HubSpot credentials. No separate accounts, no password fatigue.
Identity-bound watermarking
Every viewer's identity is embedded into the document they receive. Leaked documents are traceable to the individual who viewed them.
Leak prevention by design
Screenshots, recordings, and shared copies always contain traceable identifiers. There is no anonymous way to extract a clean document.
Authenticity enforcement
Any modification to a document invalidates its fingerprint. Verification fails if the document has been tampered with.
Full auditability
Admins can see who uploaded each document, who viewed it, when, and whether the document passed verification—all within the application.
Security Model
Data Handling
Document content never touches the blockchain. Only the cryptographic fingerprint is anchored. The document itself remains in your secure storage.
Watermarks are applied server-side. The client receives an already-watermarked image or PDF. There is no clean original delivered to the browser.
All access routes through the protected pipeline. There are no direct URLs to stored documents that could bypass identity checks.
Identity and Access
HubSpot authentication is the gate. The system relies on your existing HubSpot identity provider, teams, and permissions.
Access is record-scoped. A user must have access to the associated HubSpot deal, contact, or company to see documents attached to it.
Session-bound viewing. Each document view creates a time-limited session. Watermarks include session identifiers for additional traceability.
Cryptographic Assurance
Developer-controlled attestor. Your organization controls the attestation policy and signing keys. KRNL does not hold or operate your attestor.
Every action is signed. Uploads, views, and verifications each produce a cryptographic proof that can be independently verified.
Immutable audit trail. Event logs are structured and signed. They can be exported for external audit or compliance review.
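The fingerprint check from "Upload and Fingerprint" and the signed, structured event log described under "Audit and Compliance" and "Cryptographic Assurance" can be sketched as follows. This is an added example, not code from the KRNL repository: the page does not name the hash or signature scheme, so SHA-256, an HMAC standing in for the attestor's signature, the hash-chained `prev` field, and all function names, field names, and sample values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the page's model the signing key lives in the
# organization's own attestor; HMAC is a stand-in for its signature scheme.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def fingerprint(document: bytes) -> str:
    """SHA-256 digest of the document content (algorithm is an assumption)."""
    return hashlib.sha256(document).hexdigest()

def _canonical(event: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_event(log: list, action: str, actor: str, doc_fp: str, ts: str) -> dict:
    """Append a signed event that commits to the previous entry's signature."""
    prev = log[-1]["sig"] if log else "0" * 64
    event = {"action": action, "actor": actor, "doc": doc_fp, "ts": ts, "prev": prev}
    event["sig"] = hmac.new(DEMO_KEY, _canonical(event), hashlib.sha256).hexdigest()
    log.append(event)
    return event

def verify_log(log: list) -> int:
    """Return the index of the first bad entry, or -1 if the whole chain verifies."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        expected = hmac.new(DEMO_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if body.get("prev") != prev or not hmac.compare_digest(expected, entry.get("sig", "")):
            return i
        prev = entry["sig"]
    return -1

def verify_document(document: bytes, anchored_fp: str) -> bool:
    """Constant-time comparison of a document against its anchored fingerprint."""
    return hmac.compare_digest(fingerprint(document), anchored_fp)

def demo():
    original = b"%PDF-1.7 constructed sample contract v1"  # constructed sample bytes
    log = []
    fp = append_event(log, "upload", "user-101", fingerprint(original), "2024-01-01T10:00:00Z")["doc"]
    append_event(log, "view", "user-202", fp, "2024-01-01T11:00:00Z")
    return original, fp, log

if __name__ == "__main__":
    doc, fp, log = demo()
    print(verify_document(doc, fp), verify_log(log))
```

Because each entry signs the previous entry's signature, editing, reordering, or deleting any event makes `verify_log` fail at that position. With a symmetric key the verifier must hold the same secret; an auditor verifying without access to it would need an asymmetric signature instead.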
Installation
The Secure Document Manager is deployed as a standalone web application with HubSpot OAuth integration. Installation requires:
HubSpot App configuration — Register your app in the HubSpot Developer Portal to obtain a Client ID and Secret
A publicly accessible application — Hosted backend and frontend for OAuth callbacks and user access
A KRNL attestor image — Configured with your organization's secrets (storage credentials, signing keys)
Permission setup — Configure HubSpot scopes for deals, contacts, and companies as needed
For detailed installation steps, OAuth configuration, and deployment guidance, refer to the repository below.
Repository and Resources
Source code and installation guide
OAuth setup: See repository README
Configuration documentation: See repository README
Common Questions
Does this replace our existing document storage?
No. The integration works with your existing storage. KRNL adds a verification and watermarking layer on top.
Can we use this with custom HubSpot objects?
Yes. The application can associate documents with any HubSpot object that supports API access, including custom objects.
Where are the documents actually stored?
Document storage is configurable. The default uses secure cloud storage; enterprise deployments can route to private storage or VPC-resident systems.
What happens if the KRNL service is unavailable?
Document uploads and views are queued gracefully. The application UI continues to function; verification and watermarking resume when connectivity is restored.
How do we prove compliance to auditors?
All events are logged with signed proofs. Export the audit log and provide the attestation hashes. Auditors can independently verify the proofs without KRNL's involvement.
Next Steps
Clone the repository and configure HubSpot OAuth in the Developer Portal
Set up your attestor with storage and API credentials
Deploy the application backend and frontend
Authenticate with HubSpot and upload your first document
Review the Building Custom Enterprise Connectors guide to extend this pattern to other platforms