We at HubSpot take the concerns of the security community seriously, and continuously work to improve our posture in this ever-changing field. We do have predefined roles in the application which allow our customers to segment users permissions based on their role. These horizontal permissions are quite common among SaaS vendors.
The export functionality mentioned does have existing auditing capability in the back end. For exports, we have full audit trails for the timestamp, link to the file, customer id, and user id for all requests. We have never exposed this audit data to our customers through the UI because there has never been a high demand for this functionality. This issue is now in queue with our Engineering team and we will be releasing it shortly.
