
Key Takeaways (TL;DR)
- What is it? HubSpot now lets admins restrict portal access based on geographic location and IP address — blocking logins from unapproved countries, states, or networks even when credentials are valid
- Key Benefit: Adds a critical compliance layer for regulated industries by ensuring CRM data is only accessible from approved geographic regions
- Availability: Starter, Professional, and Enterprise HubSpot plans — Super Admin permissions required to configure
- Best For: Financial services firms (RIAs, banks, insurance), healthcare organizations, and any business operating under SOC 2, HIPAA, FINRA, or SEC compliance requirements
- Setup Time: Under 30 minutes — HubSpot auto-suggests locations based on login history
- Bottom Line: Combines with IP whitelisting, MFA, and SSO to create defense-in-depth security that auditors and regulators want to see
Why Location-Based Access Controls Matter for Regulated Industries
If your organization handles sensitive client data — whether that's protected health information (PHI), financial account details, or insurance policy records — you already know that controlling who can access your CRM isn't enough. Regulators and auditors increasingly want to know where that access happens.
A wealth advisor logging into your CRM from an unrecognized country at 2 AM? A healthcare administrator's credentials being used from a region where your organization doesn't operate? These are exactly the scenarios that keep compliance officers up at night.
HubSpot's location-based login restrictions directly address this gap. Alongside the platform's existing IP whitelisting capabilities, this feature gives administrators granular control over the geographic regions from which users can access your HubSpot portal — adding a powerful compliance layer that's particularly relevant for financial services, healthcare, and insurance organizations.
In this guide, we'll cover exactly how the feature works, which compliance frameworks it supports, how it compares to Salesforce and other CRMs, and best practices for implementation.
What Are HubSpot's Location-Based Login Restrictions?
HubSpot's location-based login restrictions allow Super Admins to approve specific countries and states from which users can access the platform. Any login attempt from an unapproved location is automatically blocked — even if the user enters valid credentials.
Here's how it works:
- Intelligent suggestions: HubSpot analyzes your account's historical login patterns and suggests locations where your team has previously logged in
- Granular control: Admins can approve entire countries or, for the United States, drill down to individual states
- User visibility: Before enabling restrictions, admins can see exactly which users are logging in from each location and when they last accessed the platform
- Flexible exemptions: Specific users (such as traveling executives or remote consultants) can be exempted from location restrictions
- Immediate enforcement: Once saved, login attempts from unapproved locations are blocked instantly with a clear error message
How Does This Differ from IP Whitelisting?
HubSpot offers two complementary access control mechanisms, and understanding the difference is essential for building a layered security strategy:
| Feature | Location-Based Restrictions | IP Whitelisting |
|---|---|---|
| Controls by | Geographic country/state | Specific IP addresses or ranges |
| Best for | Blocking access from entire regions | Restricting to known office networks |
| Granularity | Country and state level | Individual IP or CIDR range |
| VPN blocking | Depends on VPN exit location | Can explicitly block VPN IPs |
| Mobile users | Allowed if in approved location | Blocked unless on approved network |
| Use case | Prevent international unauthorized access | Lock down to corporate networks |
Pro tip: Use both together. IP whitelisting ensures access only from your corporate network, while location-based restrictions add a geographic safety net that catches credential theft from foreign locations.
Which Compliance Frameworks Require Geographic Access Controls?
No major regulatory framework explicitly mandates location-based login restrictions by name. However, several frameworks require the types of access controls that location-based restrictions help satisfy:
SOC 2
SOC 2's Trust Services Criteria require logical access controls and regular access reviews. Geographic restrictions demonstrate proactive access management and provide auditable evidence that your organization limits system access to authorized contexts. Auditors view location-based controls favorably as part of a defense-in-depth strategy.
HIPAA
The HIPAA Security Rule mandates technical safeguards for electronic PHI, including access controls (§ 164.312(a)(1)) and audit controls (§ 164.312(b)). Location-based restrictions help healthcare organizations ensure that patient data in HubSpot is only accessible from approved facilities and regions — a control that directly supports your risk analysis and management requirements.
FINRA and SEC
FINRA Rule 3110 and SEC Regulation S-P require financial firms to implement cybersecurity controls and supervise access to client information. Geographic login restrictions help wealth management firms, RIAs, and broker-dealers demonstrate that they're actively monitoring and controlling where client data can be accessed — a point of emphasis in recent SEC cybersecurity examination priorities.
PCI-DSS
For organizations processing payment data in HubSpot, PCI-DSS Requirement 7 mandates restricting access by business need-to-know. Geographic restrictions complement this by ensuring access is limited not just by role, but by physical location.
GDPR
Article 32 of the GDPR requires "appropriate technical and organizational measures" to protect personal data. For EU-based organizations or those handling EU resident data, location-based restrictions demonstrate compliance with data protection principles by preventing access from regions outside your operational footprint.
How to Set Up Location-Based Login Restrictions in HubSpot
Setting up location-based restrictions takes less than 30 minutes. Here's the step-by-step process:
Step 1: Access Security Settings
Navigate to Settings → Account Management → Security → Login tab.
Step 2: Configure Allowed Locations
- In the Allowed login locations section, click Configure
- Review HubSpot's suggested locations based on your login history
- Click on the user count next to each location to see which team members log in from there
Step 3: Add Approved Locations
- Click Add locations
- Select approved countries from the Country dropdown
- For United States locations, select individual states from the State dropdown
- Click Add locations to confirm
Step 4: Set User Exemptions
- Use the Exempt users dropdown to select users who need access from any location
- Common exemptions include traveling executives, field consultants, and remote IT staff
Step 5: Save and Communicate
- Click Save changes
- Important: Notify your team before enabling restrictions so no one gets locked out unexpectedly
What Happens When Someone Is Blocked?
Users attempting to log in from an unapproved location see the error message: "There was a problem logging you in." They will need to either:
- Connect from an approved location
- Contact a Super Admin to add their location or grant an exemption
How Does HubSpot Compare to Salesforce and Other CRMs?
Understanding how major CRM platforms handle geographic access controls helps you make informed decisions — especially if you run a multi-platform environment.
Salesforce
Salesforce offers Login IP Ranges at the profile level and Network Access policies at the organization level. These restrict access by specific IP addresses or CIDR ranges rather than geographic location. While powerful for locking down to corporate networks, Salesforce doesn't offer native country/state-level geographic restrictions — admins must map IP ranges to locations manually or use third-party identity providers.
Salesforce also provides Event Monitoring (available with Shield add-on) to detect suspicious login locations and trigger automated responses, but this is a reactive rather than preventive control.
Microsoft Dynamics 365
Dynamics 365 relies on Microsoft Entra ID (formerly Azure AD) Conditional Access policies for location-based restrictions. Admins define "named locations" based on IP ranges or countries, then create policies that block or require MFA for access from other locations. This approach is powerful but requires Microsoft Entra ID Premium licensing and is managed outside the CRM interface.
Comparison Summary
| Capability | HubSpot | Salesforce | Dynamics 365 |
|---|---|---|---|
| Native geo-restrictions | ✅ Country/state level | ❌ IP-based only | ✅ Via Entra ID |
| Setup location | In-platform | In-platform (IP only) | External (Entra ID) |
| Intelligent suggestions | ✅ Based on login history | ❌ Manual configuration | ❌ Manual configuration |
| State-level control (US) | ✅ | ❌ | ✅ Via named locations |
| User exemptions | ✅ Built-in | ❌ Profile-level only | ✅ Via group exclusions |
| Additional cost | Included (Starter+) | Shield add-on for monitoring | Entra ID Premium required |
HubSpot's advantage: Native, in-platform geographic restrictions with intelligent suggestions and per-user exemptions — no additional licensing or external identity provider required.
Best Practices for Implementing Location-Based Login Restrictions
1. Audit Before You Restrict
Before enabling restrictions, review the suggested locations and user login data HubSpot provides. Identify all legitimate access locations, including:
- Office locations (headquarters, branch offices, satellite offices)
- Remote employee locations (home states/countries)
- Partner or consultant locations
- Conference or travel destinations for key users
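A dry run of this audit, as an added example (not HubSpot's or the author's code): it checks a login-history export against a proposed set of approved locations and reports who would be locked out, with the date each blocked location was last used. The CSV columns, sample rows, policy values and function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a login-history export. The column names are
# assumptions for this example, not HubSpot's actual export schema.
SAMPLE_LOGINS = """\
user,country,state,last_login
ana@example.com,US,TX,2024-05-02
ana@example.com,US,CA,2024-05-09
raj@example.com,IN,,2024-05-03
li@example.com,US,NY,2024-05-04
ceo@example.com,FR,,2024-05-06
li@example.com,CA,,2024-05-07
"""

# Proposed policy (hypothetical values): whole countries, or for the
# United States a set of individual states, plus exempted users.
ALLOWED_COUNTRIES = {"IN"}
ALLOWED_US_STATES = {"TX", "NY"}
EXEMPT_USERS = {"ceo@example.com"}


def is_allowed(country, state):
    """Country-level match, except the US, which is matched per state."""
    if country == "US":
        return state in ALLOWED_US_STATES
    return country in ALLOWED_COUNTRIES


def dry_run(export_text):
    """Return {user: {location: latest login}} for logins the policy would block."""
    blocked = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().lower()
        country = row["country"].strip().upper()
        state = row["state"].strip().upper()
        if user in EXEMPT_USERS or is_allowed(country, state):
            continue
        # Key on country first so Canada ("CA") is never confused with California.
        loc = f"{country}-{state}" if state else country
        # ISO dates sort lexicographically, so max() keeps the latest login.
        blocked[user][loc] = max(blocked[user].get(loc, ""), row["last_login"])
    return dict(blocked)


if __name__ == "__main__":
    for user, locs in sorted(dry_run(SAMPLE_LOGINS).items()):
        for loc, seen in sorted(locs.items()):
            print(f"{user}: would be blocked from {loc} (last login {seen})")
```

Each user in the result needs either an added location or a documented exemption before restrictions are saved.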
2. Layer Your Security Controls
Location-based restrictions are most effective as part of a multi-layered security strategy:
- Layer 1: Strong passwords and two-factor authentication (2FA)
- Layer 2: Single sign-on (SSO) with your identity provider
- Layer 3: IP whitelisting for corporate network restriction
- Layer 4: Location-based restrictions for geographic control
- Layer 5: Session management and activity logging
3. Use Exemptions Strategically
Rather than approving every country where someone might travel, keep your approved locations tight and use the exemption feature for specific users who need flexibility. Document why each exemption exists for your compliance records.
4. Document Everything for Auditors
Maintain a record of:
- Which locations are approved and why
- Which users are exempted and the business justification
- When restrictions were enabled and any changes made
- Regular review cadence (quarterly recommended)
5. Combine with HubSpot's Other Security Features
Maximize your security posture by also enabling:
- Two-factor authentication (2FA) enforcement for all users
- Login method restrictions (e.g., requiring SSO)
- Single-account restriction to prevent users from being added to other HubSpot portals
- Session timeout settings for automatic logout
6. Test Before Full Deployment
Enable restrictions during off-hours and verify that all team members in approved locations can still access the platform. Have a Super Admin available to quickly add missed locations or exemptions.
FAQ: HubSpot Location-Based Login Restrictions
Which HubSpot plans include location-based login restrictions?
Location-based login restrictions are available on Starter, Professional, and Enterprise plans across all HubSpot hubs. Only users with Super Admin permissions can configure the settings.
Can I restrict access by state within the United States?
Yes. When adding United States as an approved country, HubSpot allows you to select individual states. This is particularly useful for firms that only operate in specific states or need to comply with state-level regulations.
Do location-based restrictions affect API access?
Location-based login restrictions apply to user logins (browser and mobile app). API access using private app tokens or OAuth operates independently and is not affected by geographic restrictions. Organizations should implement separate API access controls as part of their security strategy.
Can I use location-based restrictions and IP whitelisting together?
Absolutely — and it's recommended. IP whitelisting restricts access to specific network addresses, while location-based restrictions add a geographic layer. Together, they create a defense-in-depth approach that's stronger than either control alone.
What happens if a user is traveling and gets blocked?
Users blocked from logging in see an error message. A Super Admin can either add the travel location to the approved list or exempt the specific user from location restrictions. For organizations with frequent travelers, consider maintaining a small list of pre-approved travel locations.
How does HubSpot determine a user's location?
HubSpot infers the user's geographic location from their IP address at the time of login. This is standard geolocation technology used across the industry. Note that VPN usage may affect the detected location, as the exit node determines the apparent geography.
Strengthen Your CRM Security with Vantage Point
Location-based login restrictions are a significant step forward for HubSpot security — but they're just one piece of a comprehensive compliance strategy. For regulated industries, the real challenge is building an integrated security framework that spans your entire technology stack.
At Vantage Point, we specialize in helping regulated organizations — from wealth management firms and RIAs to healthcare systems and insurance companies — implement CRM platforms with compliance built in from the ground up. Whether you're running HubSpot, Salesforce, or both, our team ensures your security controls, data governance, and access management meet the standards your regulators expect.
Ready to strengthen your CRM security posture? Contact Vantage Point to discuss how we can help your organization implement best-in-class access controls and compliance frameworks.
About Vantage Point: Vantage Point is a CRM implementation and strategy firm serving regulated industries including financial services, healthcare, and insurance. We specialize in HubSpot, Salesforce, MuleSoft, Data Cloud, and AI-driven personalization — delivering technology solutions that meet the rigorous compliance requirements of our clients. Learn more at vantagepoint.io.
