Our team is implementing client-side data enrichment for contact management in HubSpot 2023, and I’m looking for guidance on best practices. We want to enrich contact records with data from third-party services (company information, social profiles, etc.) when users view contact pages.
The main concerns are API key security, GDPR compliance, and whether to use direct client-side calls or a serverless proxy. Direct calls are simpler but expose API keys. A proxy adds complexity but provides better security and lets us implement rate limiting and logging.
How are others handling client-side enrichment while maintaining security and compliance? What architecture have you found works best?
Don’t forget about performance implications. If you’re enriching data on every contact page load, you’re adding latency. We implemented a caching layer where enriched data is stored in HubSpot custom properties after the first enrichment. Subsequent views load instantly from cache. We also show a loading skeleton while enrichment is in progress so users know data is being fetched. The UX improvement was significant compared to blocking page load.
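The cache-first flow described in the reply above, as an added example that is not code from the thread or from HubSpot: the page reads an enriched JSON blob from a custom property first, falls back to the proxy only on a miss or an expired entry, and keeps a skeleton up only while that fetch is in flight. The property name `enriched_company_json`, the `hubspot` object with `getContactProperty`/`setContactProperty`, the `fetchEnrichment(contactId)` proxy call and the `view` object are all assumed, hypothetical names; the in-memory stand-ins at the bottom exist only so the example runs offline.

```javascript
// Added example (hypothetical names, not code from the thread).
// Cache-first enrichment for a contact page: custom property first, proxy on a miss.

const ENRICHED_PROP = "enriched_company_json";      // assumed custom property name
const CACHE_TTL_MS = 30 * 24 * 60 * 60 * 1000;     // re-enrich after 30 days (assumed policy)

// A malformed or hand-edited property must not break the page: treat it as a cache miss.
function parseCached(raw) {
  try {
    const obj = JSON.parse(raw);
    return Number.isFinite(obj.fetchedAt) && obj.data ? obj : null;
  } catch {
    return null;
  }
}

async function loadEnrichment(contactId, { hubspot, fetchEnrichment, view, now = Date.now }) {
  const cached = parseCached((await hubspot.getContactProperty(contactId, ENRICHED_PROP)) || "");
  if (cached && now() - cached.fetchedAt < CACHE_TTL_MS) {
    view.render(cached.data);                       // instant: no network call on a hit
    return { source: "cache", data: cached.data };
  }
  view.showSkeleton();                              // page stays interactive; only this panel waits
  try {
    const data = await fetchEnrichment(contactId); // goes through the proxy, never straight to the vendor
    await hubspot.setContactProperty(contactId, ENRICHED_PROP,
      JSON.stringify({ fetchedAt: now(), data })); // fetchedAt lets the TTL be enforced on read
    view.render(data);
    return { source: "proxy", data };
  } catch (err) {
    view.showError("Enrichment unavailable");       // never leave the skeleton up forever
    return { source: "error", data: null };
  } finally {
    view.hideSkeleton();
  }
}

// Constructed in-memory stand-ins for the HubSpot client, the proxy and the view.
function makeFakes() {
  const props = new Map();
  const calls = { proxy: 0, skeleton: 0 };
  let clock = 1_700_000_000_000;
  return {
    hubspot: {
      getContactProperty: async (id, name) => props.get(`${id}:${name}`),
      setContactProperty: async (id, name, val) => { props.set(`${id}:${name}`, val); },
    },
    fetchEnrichment: async (id) => { calls.proxy += 1; return { name: `Company of ${id}`, industry: "Software" }; },
    view: { render() {}, showSkeleton() { calls.skeleton += 1; }, hideSkeleton() {}, showError() {} },
    now: () => clock,
    advance(ms) { clock += ms; },
    calls,
  };
}

// Three views of the same contact: miss, hit, then a hit that has expired.
async function demo() {
  const f = makeFakes();
  const deps = { hubspot: f.hubspot, fetchEnrichment: f.fetchEnrichment, view: f.view, now: f.now };
  const first = await loadEnrichment("c-1", deps);
  const second = await loadEnrichment("c-1", deps);
  f.advance(CACHE_TTL_MS + 1);
  const third = await loadEnrichment("c-1", deps);
  return { sources: [first.source, second.source, third.source], proxyCalls: f.calls.proxy, skeletons: f.calls.skeleton };
}
```

Storing `fetchedAt` alongside the data is what makes the custom property safe to trust: without it, a contact enriched once would never be refreshed, and stale third-party data would be served forever.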
We built our enrichment proxy using AWS Lambda with API Gateway. The architecture is: HubSpot client → API Gateway → Lambda → Third-party API. Lambda handles authentication, rate limiting, and caching. It also sanitizes the enriched data before returning it to the client. This setup costs us about $20/month for thousands of enrichments and gives us complete control over security, logging, and compliance. The initial setup took about a week but it’s been rock solid.
From a GDPR perspective, client-side enrichment raises several red flags. You need explicit consent before enriching contact data with third-party information, and you must document what data is being collected and from where. If enrichment happens automatically when viewing a contact, that might not meet consent requirements. Consider making enrichment an opt-in action that users trigger manually, and log every enrichment event with timestamp, data source, and user who initiated it for audit purposes.
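A minimal version of the proxy from the Lambda reply above, extended with the opt-in and audit-log requirements raised in the GDPR reply; this is an added example, not either poster's code. The vendor key is read from the function's configuration and is used only on the server side; the caller is taken from the authorizer; enrichment runs only when the request carries an explicit opt-in flag; calls are rate limited per user, cached per domain, reduced to an allow-list of fields, and every enrichment (cache hit or not) is written to an audit log with timestamp, source and user. Assumed: `event.requestContext.authorizer.principalId` is filled in by an API Gateway Lambda authorizer, `callProvider(domain, apiKey)` wraps the vendor API, and `auditLog(entry)` persists wherever you keep audit records. The field list, limits and the stub vendor are all hypothetical.

```javascript
// Added example (hypothetical names and policies, not code from the thread).
// Enrichment proxy handler in the shape of an API Gateway + Lambda integration.

const ALLOWED_FIELDS = { name: "string", domain: "string", industry: "string", employeeCount: "number" };
const MAX_STR = 200;
const RATE = { windowMs: 60_000, max: 30 };      // per user per minute (assumed policy)
const CACHE_TTL_MS = 24 * 60 * 60 * 1000;        // one day per domain (assumed policy)

// Accept a bare host or a URL; reject anything that is not a plausible domain.
function normalizeDomain(input) {
  if (typeof input !== "string") return null;
  const d = input.trim().toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "");
  return /^[a-z0-9.-]{1,253}$/.test(d) && d.includes(".") ? d : null;
}

// Allow-list fields, check types, strip tags, bound lengths: nothing the vendor returns
// reaches the browser unless it was deliberately listed above.
function sanitize(raw) {
  const out = {};
  for (const [field, type] of Object.entries(ALLOWED_FIELDS)) {
    const v = raw?.[field];
    if (type === "number") {
      if (Number.isFinite(v)) out[field] = v;
    } else if (typeof v === "string") {
      out[field] = v.replace(/<[^>]*>/g, "").slice(0, MAX_STR);
    }
  }
  return out;
}

function createProxy({ apiKey, callProvider, auditLog, now = Date.now }) {
  const cache = new Map();    // domain -> { expires, data }
  const windows = new Map();  // userId -> timestamps of recent calls

  function rateLimited(userId) {
    const t = now();
    const recent = (windows.get(userId) || []).filter((ts) => t - ts < RATE.windowMs);
    if (recent.length >= RATE.max) { windows.set(userId, recent); return true; }
    recent.push(t);
    windows.set(userId, recent);
    return false;
  }

  const reply = (statusCode, body) =>
    ({ statusCode, headers: { "content-type": "application/json" }, body: JSON.stringify(body) });

  return async function handler(event) {
    const userId = event.requestContext?.authorizer?.principalId;   // set by the authorizer (assumed)
    if (!userId) return reply(401, { error: "unauthenticated" });
    let body;
    try { body = JSON.parse(event.body || "{}"); } catch { return reply(400, { error: "bad json" }); }
    const domain = normalizeDomain(body.domain);
    if (!domain) return reply(400, { error: "invalid domain" });
    if (body.consentConfirmed !== true) return reply(403, { error: "enrichment requires explicit opt-in" });
    if (rateLimited(userId)) return reply(429, { error: "rate limited" });

    let entry = cache.get(domain);
    const cacheHit = Boolean(entry && entry.expires > now());
    if (!cacheHit) {
      const raw = await callProvider(domain, apiKey);   // the key is used here and nowhere else
      entry = { expires: now() + CACHE_TTL_MS, data: sanitize(raw) };
      cache.set(domain, entry);
    }
    // Logged on every enrichment, hits included: the user still saw third-party data.
    auditLog({ ts: new Date(now()).toISOString(), userId, domain, source: "vendor-x", cacheHit });
    return reply(200, entry.data);
  };
}

// Constructed demo: a stub vendor that returns more than should ever be forwarded.
async function demo() {
  const log = [];
  const apiKey = "vendor-secret-123";
  const callProvider = async (domain, key) => ({
    name: `<b>${domain}</b> Inc`, domain, industry: "Software", employeeCount: 42,
    raw_profile: "<script>alert(1)</script>", debug_key: key, ceo_email: "ceo@" + domain,
  });
  const handler = createProxy({ apiKey, callProvider, auditLog: (e) => log.push(e) });
  const req = (user, payload) =>
    ({ body: JSON.stringify(payload), requestContext: { authorizer: { principalId: user } } });

  const ok = await handler(req("user-7", { domain: "https://Example.com/path", consentConfirmed: true }));
  const again = await handler(req("user-7", { domain: "example.com", consentConfirmed: true }));
  const noConsent = await handler(req("user-7", { domain: "example.com" }));
  const anon = await handler({ body: "{}", requestContext: {} });
  let limited = null;
  for (let i = 0; i <= RATE.max; i++) {
    limited = await handler(req("user-8", { domain: "example.com", consentConfirmed: true }));
  }
  return { ok, again, noConsent, anon, limited, log, apiKey };
}
```

Two design choices matter more than the rest. The response is built from an allow-list rather than by deleting known-bad fields, so a vendor adding a new field (or echoing your key back, as the stub does) cannot leak it to the browser. And the opt-in check sits in the proxy, not only in the UI: a client that skips the confirmation dialog still cannot trigger enrichment, and the audit trail records who did.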