Security & Trust
FeatureSignals is built with security at every layer. Your feature flags are critical infrastructure — we treat them that way.
Enterprise-Grade Security Controls
Every security control is built into the core product, not bolted on as an afterthought.
Encryption Everywhere
TLS 1.3 for data in transit. AES-256 encryption at rest. API keys stored as SHA-256 hashes — never in plaintext.
Role-Based Access Control
Four built-in roles (Owner, Admin, Developer, Viewer) with per-environment permissions for fine-grained control over who can toggle flags and edit rules.
Multi-Factor Authentication
TOTP-based MFA for all users. SSO enforcement via SAML 2.0 and OIDC for Enterprise customers. Brute-force protection on all auth endpoints.
Complete Audit Trail
Every action is logged with actor, IP, user agent, before/after state, and tamper-evident SHA-256 chain hashing. Exportable in JSON and CSV.
Infrastructure Security
IP allowlisting for the management API. Rate limiting on all endpoints. Security headers (CSP, HSTS, X-Frame-Options). Container image scanning.
Self-Hosted Option
Deploy on your own infrastructure for complete data sovereignty. Docker, Kubernetes (Helm), and Terraform deployment options available.
Compliance Posture
We implement the technical controls required by major security and privacy frameworks. Formal certifications are on our roadmap as we scale.
GDPR
Privacy-by-design architecture, tenant isolation, audit trail, encryption, and Data Processing Agreement template. Data subject rights APIs on our roadmap.
SOC 2 Type II
Technical controls mapped to Trust Service Criteria including access control, audit logging with integrity hashing, and change management.
CCPA / CPRA
No sale or sharing of personal information. Privacy notice with required disclosures. Data deletion capabilities.
ISO 27001
Security controls aligned with Annex A requirements. Formal ISMS certification on our roadmap.
HIPAA
Technical safeguards including access controls, audit logging, and encryption. BAA template and formal compliance on our roadmap.
CSA STAR
Cloud Controls Matrix alignment for cloud-native security assurance. Formal self-assessment on our roadmap.
"Controls Implemented" means the technical controls are built into the product. "Controls Mapped" means we have documented how our controls align to the framework. "Roadmap" items are planned for formal certification as we grow. For details, see our security documentation.
Security Built Into the Product
These are the concrete security capabilities implemented in FeatureSignals today — not aspirational, not planned, but shipping in every deployment.
Tamper-Evident Audit
Every action logged with SHA-256 chain hashing. Exportable in JSON and CSV. Integrity verifiable end-to-end.
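As an added illustration of how a SHA-256 chain-hashed export can be checked end to end (this is example code, not FeatureSignals' own code or export format): each record is assumed to carry prev_hash and hash fields, with hash covering the canonical JSON of the audited fields plus prev_hash; the field names, the all-zero genesis value and the sample records are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first record
# Assumed audited fields, mirroring the actor/IP/user agent/before/after data the log records
AUDITED_FIELDS = ("timestamp", "actor", "ip", "user_agent", "action", "before", "after")


def record_hash(record: dict, prev_hash: str) -> str:
    """SHA-256 over prev_hash + canonical JSON (sorted keys, no whitespace) of the audited fields."""
    payload = {k: record.get(k) for k in AUDITED_FIELDS}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Link a new record to the current chain head and stamp it with its own hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(record, prev_hash=prev)
    entry["hash"] = record_hash(entry, prev)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if every link is intact, else (False, index of the first broken record).
    Catches edited fields, replaced hashes, and deleted or reordered records."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != prev or record_hash(entry, prev) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample export: three flag changes by two actors."""
    chain = []
    base = {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0", "action": "flag.toggle"}
    append_record(chain, dict(base, timestamp="2024-01-01T10:00:00Z", actor="alice@example.com",
                              before={"enabled": False}, after={"enabled": True}))
    append_record(chain, dict(base, timestamp="2024-01-01T10:05:00Z", actor="bob@example.com",
                              before={"enabled": True}, after={"enabled": False}))
    append_record(chain, dict(base, timestamp="2024-01-01T10:09:00Z", actor="alice@example.com",
                              before={"enabled": False}, after={"enabled": True}))
    return chain


def tamper_edit(chain: list) -> list:
    """Copy of the chain with the first record's after-state silently rewritten."""
    copy = json.loads(json.dumps(chain))
    copy[0]["after"]["enabled"] = False
    return copy


def tamper_delete(chain: list) -> list:
    """Copy of the chain with the middle record removed."""
    copy = json.loads(json.dumps(chain))
    del copy[1]
    return copy
```

verify_chain reports the index of the first record whose link fails, so an auditor can see exactly where an export stops being trustworthy.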
SSO (SAML & OIDC)
SAML 2.0 and OIDC support for Okta, Azure AD, OneLogin, and any compliant identity provider.
SCIM Provisioning
Automated user provisioning and deprovisioning synced with your identity provider.
MFA (TOTP)
Time-based one-time passwords compatible with Google Authenticator, Authy, and any RFC 6238 app.
IP Allowlisting
Restrict management API access to specific CIDR ranges. Evaluation API remains open for SDK connectivity.
Webhook HMAC Signing
All outbound webhooks signed with HMAC-SHA256. Verify authenticity of every event delivery.
Approval Workflows
Require explicit approval before production flag changes take effect. Full audit trail on every review.
OpenFeature
All 8 SDKs ship with OpenFeature providers. Zero vendor lock-in — switch providers without code changes.
Responsible Disclosure
Found a vulnerability? We respond within 48 hours. Report to security@featuresignals.com. Do not open a public GitHub issue.
Include in your report
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment