FeatureSignals

Data Processing Agreement

This Data Processing Agreement (DPA) governs the processing of personal data by FeatureSignals on behalf of our customers. It incorporates the EU Standard Contractual Clauses (SCCs), defines the scope of processing, lists our subprocessors, and describes the technical and organizational measures we maintain to protect your data.

How to Execute

Enterprise customers receive a pre-signed DPA during onboarding. If you need to execute a DPA before starting a trial, email legal@featuresignals.com and we'll return a countersigned copy within 2 business days.

Data Processing Scope

FeatureSignals acts as a data processor. You, the customer, are the data controller. The DPA covers all personal data processed through the FeatureSignals service, which falls into these categories:

Category | Examples | Purpose
Account data | Email, name, organization | User authentication and account management
Configuration data | Flag keys, targeting rules, segment definitions | Providing the feature flag service
Evaluation context | User keys, custom targeting attributes | Flag evaluation and targeting
Audit data | Action logs, timestamps, actor IDs | Security, compliance, and debugging
Support data | Support tickets, debug logs | Customer support and troubleshooting

Processing Details

  • Subject matter: Provision of feature flag management, evaluation, and related services as described in the Master Services Agreement.
  • Duration: For the term of the Master Services Agreement plus any post-termination retention period (maximum 30 days, unless otherwise agreed).
  • Nature and purpose: Hosting, storing, and processing feature flag configurations, evaluation requests, and audit logs to deliver the service.
  • Data subjects: Your authorized users (employees, contractors) and end-users whose data is used in evaluation context (user keys, targeting attributes).
  • Personal data categories: Identification data (email, name, user key), professional data (organization, role), and technical data (IP address, evaluation context attributes you configure).

Technical & Organizational Measures

FeatureSignals implements the following technical and organizational measures to protect personal data, as required by Article 32 of the GDPR:

Encryption

AES-256 encryption at rest for all databases, backups, and object storage. TLS 1.3 for all data in transit. HSTS enforced with 1-year max-age.

Access Control

RBAC with fine-grained permissions. SAML SSO with MFA enforcement. IP allowlisting. All access logged in immutable audit trail. No standing production access for engineers.

Infrastructure Security

Infrastructure as Code with immutable deployments. Host-based firewalls. Automatic security patching. Regular vulnerability scanning. Intrusion detection on all production systems.

Organizational Measures

Background checks for all employees. Annual security awareness training. Incident response plan tested quarterly. Dedicated Data Protection Officer. SOC 2 Type II audited annually.

Subprocessors

FeatureSignals engages the following categories of subprocessors. A complete list of subprocessors is maintained on our Subprocessors page:

  • Cloud infrastructure providers — AWS, GCP, Azure, Hetzner (for hosting, compute, storage, and networking).
  • Monitoring and observability — SigNoz (for metrics, traces, and alerting).
  • Email and communication — Email delivery provider (for transactional emails and notifications).
  • Payment processing — Stripe, Razorpay, Paddle (for billing and subscription management).
  • AI/LLM providers — For the AI Janitor feature (optional; Enterprise customers can disable this).

Info

We notify customers of new subprocessors at least 30 days before they begin processing data. Enterprise customers subscribed to subprocessor notifications receive email alerts. You may object to new subprocessors within 15 days of notification.

Data Subject Rights & Cooperation

FeatureSignals will:

  • Assist you in fulfilling data subject access requests (DSARs) within the timeframes required by applicable law.
  • Notify you without undue delay upon becoming aware of a personal data breach.
  • Cooperate with supervisory authorities and provide reasonable assistance for data protection impact assessments (DPIAs).
  • Make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

International Data Transfers

For customers in the EU/EEA, UK, or Switzerland, the DPA incorporates the applicable Standard Contractual Clauses (SCCs) to ensure adequate safeguards for international data transfers:

  • EU/EEA: EU Standard Contractual Clauses (2021/914), Module 2 (Controller-to-Processor).
  • UK: UK International Data Transfer Addendum to the EU SCCs.
  • Switzerland: Swiss Addendum to the EU SCCs.
  • Data residency: Customers may select their primary data region (EU, US, or APAC). Data does not leave the selected region except as described in the subprocessor list.
