If your organization handles sensitive client data, whether that's protected health information (PHI), financial account details, or insurance policy records, you already know that controlling who can access your CRM isn't enough. Regulators and auditors increasingly want to know where that access happens.
A wealth advisor logging into your CRM from an unrecognized country at 2 AM? A healthcare administrator's credentials being used from a region where your organization doesn't operate? These are exactly the scenarios that keep compliance officers up at night.
HubSpot's location-based login restrictions directly address this gap. Alongside the platform's existing IP whitelisting capabilities, this feature gives administrators granular control over the geographic regions from which users can access your HubSpot portal — adding a powerful compliance layer that's particularly relevant for financial services, healthcare, and insurance organizations.
In this guide, we'll cover exactly how the feature works, which compliance frameworks it supports, how it compares to Salesforce and other CRMs, and best practices for implementation.
HubSpot's location-based login restrictions allow Super Admins to approve specific countries and states from which users can access the platform. Any login attempt from an unapproved location is automatically blocked — even if the user enters valid credentials.
Here's how it works:
HubSpot offers two complementary access control mechanisms, and understanding the difference is essential for building a layered security strategy:
| Feature | Location-Based Restrictions | IP Whitelisting |
|---|---|---|
| Controls by | Geographic country/state | Specific IP addresses or ranges |
| Best for | Blocking access from entire regions | Restricting to known office networks |
| Granularity | Country and state level | Individual IP or CIDR range |
| VPN blocking | Depends on VPN exit location | Can explicitly block VPN IPs |
| Mobile users | Allowed if in approved location | Blocked unless on approved network |
| Use case | Prevent international unauthorized access | Lock down to corporate networks |
Pro tip: Use both together. IP whitelisting ensures access only from your corporate network, while location-based restrictions add a geographic safety net that catches credential theft from foreign locations.
No major regulatory framework explicitly mandates location-based login restrictions by name. However, several frameworks require the types of access controls that location-based restrictions help satisfy:
SOC 2's Trust Services Criteria require logical access controls and regular access reviews. Geographic restrictions demonstrate proactive access management and provide auditable evidence that your organization limits system access to authorized contexts. Auditors view location-based controls favorably as part of a defense-in-depth strategy.
The HIPAA Security Rule mandates technical safeguards for electronic PHI, including access controls (§ 164.312(a)(1)) and audit controls (§ 164.312(b)). Location-based restrictions help healthcare organizations ensure that patient data in HubSpot is only accessible from approved facilities and regions — a control that directly supports your risk analysis and management requirements.
FINRA Rule 3110 and SEC Regulation S-P require financial firms to implement cybersecurity controls and supervise access to client information. Geographic login restrictions help wealth management firms, RIAs, and broker-dealers demonstrate that they're actively monitoring and controlling where client data can be accessed — a point of emphasis in recent SEC cybersecurity examination priorities.
For organizations processing payment data in HubSpot, PCI-DSS Requirement 7 mandates restricting access by business need-to-know. Geographic restrictions complement this by ensuring access is limited not just by role, but by physical location.
Article 32 of the GDPR requires "appropriate technical and organizational measures" to protect personal data. For EU-based organizations or those handling EU resident data, location-based restrictions demonstrate compliance with data protection principles by preventing access from regions outside your operational footprint.
Setting up location-based restrictions takes less than 30 minutes. Here's the step-by-step process:
Navigate to Settings → Account Management → Security → Login tab.
Users attempting to log in from an unapproved location see the error message: "There was a problem logging you in." They will need to either:
Understanding how major CRM platforms handle geographic access controls helps you make informed decisions — especially if you run a multi-platform environment.
Salesforce offers Login IP Ranges at the profile level and Network Access policies at the organization level. These restrict access by specific IP addresses or CIDR ranges rather than geographic location. While powerful for locking down to corporate networks, Salesforce doesn't offer native country/state-level geographic restrictions — admins must map IP ranges to locations manually or use third-party identity providers.
Salesforce also provides Event Monitoring (available with the Shield add-on) to detect suspicious login locations and trigger automated responses, but this is a reactive rather than a preventive control.
Dynamics 365 relies on Microsoft Entra ID (formerly Azure AD) Conditional Access policies for location-based restrictions. Admins define "named locations" based on IP ranges or countries, then create policies that block or require MFA for access from other locations. This approach is powerful but requires Microsoft Entra ID Premium licensing and is managed outside the CRM interface.
| Capability | HubSpot | Salesforce | Dynamics 365 |
|---|---|---|---|
| Native geo-restrictions | ✅ Country/state level | ❌ IP-based only | ✅ Via Entra ID |
| Setup location | In-platform | In-platform (IP only) | External (Entra ID) |
| Intelligent suggestions | ✅ Based on login history | ❌ Manual configuration | ❌ Manual configuration |
| State-level control (US) | ✅ | ❌ | ✅ Via named locations |
| User exemptions | ✅ Built-in | ❌ Profile-level only | ✅ Via group exclusions |
| Additional cost | Included (Starter+) | Shield add-on for monitoring | Entra ID Premium required |
HubSpot's advantage: Native, in-platform geographic restrictions with intelligent suggestions and per-user exemptions — no additional licensing or external identity provider required.
Before enabling restrictions, review the suggested locations and user login data HubSpot provides. Identify all legitimate access locations, including:
Location-based restrictions are most effective as part of a multi-layered security strategy:
Rather than approving every country where someone might travel, keep your approved locations tight and use the exemption feature for specific users who need flexibility. Document why each exemption exists for your compliance records.
Maintain a record of:
Maximize your security posture by also enabling:
Enable restrictions during off-hours and verify that all team members in approved locations can still access the platform. Have a Super Admin available to quickly add missed locations or exemptions.
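A pre-rollout dry run of the review described above, as an added example that is not HubSpot's code or export format: it replays constructed login records against a constructed policy and reports which control would have blocked each one. The field names, addresses, and the rule that a per-user exemption skips only the location check are assumptions for illustration.

```python
import ipaddress

# Constructed policy: approved countries, approved US states, office CIDRs, exempt users.
APPROVED_COUNTRIES = {"US", "CA"}
APPROVED_US_STATES = {"NY", "NJ"}  # only checked when country == "US"
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXEMPT_USERS = {"traveler@example.com"}  # assumed to bypass the location check only

# Constructed login history rows (hypothetical field names, not a HubSpot export format).
LOGINS = [
    {"user": "advisor@example.com", "ip": "203.0.113.10", "country": "US", "state": "NY"},
    {"user": "advisor@example.com", "ip": "198.51.100.7", "country": "US", "state": "TX"},
    {"user": "traveler@example.com", "ip": "192.0.2.44", "country": "DE", "state": None},
    {"user": "admin@example.com", "ip": "198.51.100.9", "country": "CA", "state": None},
    {"user": "ops@example.com", "ip": "192.0.2.80", "country": "BR", "state": None},
]

def location_allowed(row):
    """Country must be approved; US logins must also match an approved state."""
    if row["user"] in EXEMPT_USERS:
        return True
    if row["country"] not in APPROVED_COUNTRIES:
        return False
    if row["country"] == "US":
        return row["state"] in APPROVED_US_STATES
    return True

def ip_allowed(row):
    """Source address must fall inside one of the office CIDR ranges."""
    addr = ipaddress.ip_address(row["ip"])
    return any(addr in net for net in OFFICE_NETWORKS)

def dry_run(logins):
    """Return (user, ip, reasons) for each historical login the policy would block."""
    blocked = []
    for row in logins:
        reasons = []
        if not location_allowed(row):
            reasons.append("location")
        if not ip_allowed(row):
            reasons.append("ip")
        if reasons:
            blocked.append((row["user"], row["ip"], reasons))
    return blocked

if __name__ == "__main__":
    for user, ip, reasons in dry_run(LOGINS):
        print(f"{user:24} {ip:15} would be blocked by: {', '.join(reasons)}")
```

Each row in the output is either a legitimate location or network that still needs approving, a user who needs a documented exemption, or a login that should be investigated.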
Location-based login restrictions are available on Starter, Professional, and Enterprise plans across all HubSpot hubs. Only users with Super Admin permissions can configure the settings.
Yes. When adding the United States as an approved country, HubSpot allows you to select individual states. This is particularly useful for firms that only operate in specific states or need to comply with state-level regulations.
Location-based login restrictions apply to user logins (browser and mobile app). API access using private app tokens or OAuth operates independently and is not affected by geographic restrictions. Organizations should implement separate API access controls as part of their security strategy.
Absolutely — and it's recommended. IP whitelisting restricts access to specific network addresses, while location-based restrictions add a geographic layer. Together, they create a defense-in-depth approach that's stronger than either control alone.
Users blocked from logging in see an error message. A Super Admin can either add the travel location to the approved list or exempt the specific user from location restrictions. For organizations with frequent travelers, consider maintaining a small list of pre-approved travel locations.
HubSpot infers the user's geographic location from their IP address at the time of login. This is standard geolocation technology used across the industry. Note that VPN usage may affect the detected location, as the exit node determines the apparent geography.
Location-based login restrictions are a significant step forward for HubSpot security — but they're just one piece of a comprehensive compliance strategy. For regulated industries, the real challenge is building an integrated security framework that spans your entire technology stack.
At Vantage Point, we specialize in helping regulated organizations — from wealth management firms and RIAs to healthcare systems and insurance companies — implement CRM platforms with compliance built in from the ground up. Whether you're running HubSpot, Salesforce, or both, our team ensures your security controls, data governance, and access management meet the standards your regulators expect.
Ready to strengthen your CRM security posture? Contact Vantage Point to discuss how we can help your organization implement best-in-class access controls and compliance frameworks.
About Vantage Point: Vantage Point is a CRM implementation and strategy firm serving regulated industries including financial services, healthcare, and insurance. We specialize in HubSpot, Salesforce, MuleSoft, Data Cloud, and AI-driven personalization — delivering technology solutions that meet the rigorous compliance requirements of our clients. Learn more at vantagepoint.io.