EU-US Data Privacy Framework
Last updated: April 2026
The EU-US Data Privacy Framework (DPF) — along with the UK Extension and Swiss-US DPF — provides a legal mechanism for transferring personal data from the EU, UK, and Switzerland to the United States. This page describes FeatureSignals' DPF compliance and what it means for our customers.
Infrastructure Location: EU-Based
FeatureSignals' infrastructure is hosted in Falkenstein, Germany (Hetzner data centers). For cloud customers, data remains within the EU. The DPF is relevant for specific scenarios such as US-based support access, US-based sub-processors, and US customers whose data originates in the EU.
What is the Data Privacy Framework?
The EU-US Data Privacy Framework (DPF) was adopted by the European Commission on July 10, 2023, as the successor to the invalidated Privacy Shield. It establishes a legal basis for transatlantic data flows by requiring US companies to adhere to a set of data protection principles and providing enforceable redress mechanisms for EU individuals.
The framework consists of three parts:
- EU-US DPF: For personal data transferred from the European Union
- UK Extension: For personal data transferred from the United Kingdom (effective October 12, 2023)
- Swiss-US DPF: For personal data transferred from Switzerland (effective July 17, 2024)
DPF Principles & Our Implementation
The DPF requires participating organizations to adhere to seven core principles. Here's how FeatureSignals implements each:
Notice
Organizations must inform individuals about data collection, processing purposes, third-party disclosures, and their rights. FeatureSignals provides transparent privacy notices at the point of data collection, in our Privacy Policy, and in this documentation.
Choice
Individuals must be able to opt out of data disclosure to third parties or use for materially different purposes. FeatureSignals does not sell or share personal data and provides clear opt-out mechanisms for any data processing beyond the core service.
Accountability for Onward Transfer
Organizations transferring data to third parties must ensure equivalent protection. FeatureSignals enters into Data Processing Agreements (DPAs) with all sub-processors, conducts security assessments, and maintains a public sub-processor list.
Security
Reasonable and appropriate security measures must protect personal data. FeatureSignals implements defense-in-depth: TLS 1.3, AES-256 at rest, bcrypt password hashing, SHA-256 integrity, WAF, rate limiting, and continuous vulnerability scanning.
Data Integrity & Purpose Limitation
Data must be relevant to its processing purpose and accurate. FeatureSignals processes only the minimum data needed for feature flag management, maintains data accuracy through self-service correction tools, and enforces purpose limitation through access controls.
Access
Individuals must be able to access their personal data and correct, amend, or delete it. FeatureSignals provides self-service profile management, API-based data export, and GDPR-compliant erasure with a 30-day grace period.
Recourse, Enforcement & Liability
Organizations must provide independent recourse mechanisms and be subject to enforcement. FeatureSignals participates in DPF dispute resolution, cooperates with EU Data Protection Authorities, and is subject to FTC enforcement jurisdiction for DPF compliance.
Redress Mechanisms
The DPF provides multiple layers of redress for EU individuals who believe their data protection rights have been violated:
| Mechanism | Description | How to Access |
|---|---|---|
| Direct complaint to FeatureSignals | First point of contact for any DPF concern | dpo@featuresignals.com |
| Independent dispute resolution | Free of charge to individuals, provided by an approved ADR provider | Available through our DPF registration |
| EU Data Protection Authority (DPA) | Individuals can lodge complaints with their local DPA | DPA will coordinate with US authorities |
| Binding arbitration | Final recourse mechanism under the DPF Arbitration Panel | Available for residual claims after other mechanisms are exhausted |
| FTC enforcement | US Federal Trade Commission enforces DPF commitments | Through FTC complaint process |
Onward Transfers & Sub-processors
Under the DPF's Accountability for Onward Transfer principle, FeatureSignals ensures all sub-processors provide equivalent data protection:
- All sub-processors are vetted for security and privacy compliance
- Data Processing Agreements are in place with Standard Contractual Clauses (SCCs) where applicable
- Sub-processor list is publicly available and updated within 14 days of changes
- Customers are notified before new sub-processors are engaged
Self-Hosting: Eliminate Cross-Border Transfers
For organizations that prefer to eliminate cross-border data transfers entirely, self-hosting FeatureSignals provides the simplest solution:
- Deploy within your own EU infrastructure — data never leaves your environment
- No reliance on DPF or any other transfer mechanism
- Full control over data residency and processing locations
- Air-gapped deployment available for the most stringent requirements
DPF Contact & Inquiries
For questions about our DPF participation, to exercise your DPF rights, or to escalate a privacy concern: dpo@featuresignals.com