DPAGDPRU.S. Privacy

FeatBit // data processing addendum

Data Processing Addendum

This DPA governs FeatBit's processing of personal data in Customer Data when providing FeatBit Cloud.

Effective date: July 17, 2026

How this DPA applies

This DPA forms part of the Cloud Services Agreement or other written agreement between Customer and FeatBit. It applies automatically where FeatBit processes Customer Personal Data as a processor or service provider. Order-specific signed copies are available from contact@featbit.co.

Scope and definitions

This Data Processing Addendum (DPA) is between Customer and the FeatBit entity that is party to the Agreement. Capitalized terms not defined here have the meaning in the Agreement.

  • Applicable Data Protection Law means privacy and data-protection law applicable to FeatBit's processing of Customer Personal Data under the Agreement.
  • Customer Personal Data means personal data contained in Customer Data that FeatBit processes on Customer's behalf.
  • Personal Data Breach means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by FeatBit.
  • Subprocessor means a third party FeatBit appoints to process Customer Personal Data on Customer's behalf.

The terms controller, processor, data subject, personal data, processing, sell, share, service provider, and contractor have the meanings given by applicable law. If this DPA conflicts with the Agreement on the processing of Customer Personal Data, this DPA controls.

Roles and documented instructions

Customer is a controller or processor of Customer Personal Data. FeatBit is Customer's processor or subprocessor, as applicable. Customer determines the purposes and essential means of processing, including which user keys, attributes, events, and configurations are submitted.

Customer-defined end-user data

An "end user" in FeatBit Cloud may represent a person, account, device, service, or another targeting context. Whether a submitted key or attribute is personal data depends on its content and the context in which Customer uses it. FeatBit treats the submitted values as Customer Data and, where they relate to an identified or identifiable person, as Customer Personal Data under this DPA.

Customer instructs FeatBit to process Customer Personal Data to provide, secure, maintain, troubleshoot, and support FeatBit Cloud; to prevent abuse; to comply with Customer's documented use of features and support requests; and as otherwise stated in the Agreement and this DPA. FeatBit will process Customer Personal Data only on those documented instructions unless applicable law requires otherwise. Where legally permitted, FeatBit will notify Customer before processing required by law.

If FeatBit reasonably believes an instruction violates Applicable Data Protection Law, it will inform Customer and may suspend the affected processing until the parties resolve the issue. Customer is responsible for the lawfulness, accuracy, quality, and collection of Customer Personal Data and for giving required notices and obtaining required permissions.

FeatBit does not independently verify the identity, accuracy, or business validity of an end user represented by Customer's submitted data. FeatBit processes the data as submitted and according to Customer's documented instructions.

Personnel and confidentiality

FeatBit will limit access to Customer Personal Data to personnel who need it to perform the Agreement. Authorized personnel are subject to confidentiality obligations and receive security and privacy guidance appropriate to their responsibilities. FeatBit remains responsible for personnel compliance with this DPA.

FeatBit will not sell Customer Personal Data, use it for advertising, or disclose it except to authorized personnel and Subprocessors that need it to provide or secure FeatBit Cloud, as Customer directs or authorizes, or as applicable law requires. Where legally permitted, FeatBit will notify Customer before a legally compelled disclosure.

Security measures

FeatBit will maintain technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach and to provide a level of security appropriate to the risk. Annex II and the Security Overview describe the current measures.

FeatBit may update safeguards as technology and risk change, provided an update does not materially reduce the overall protection of Customer Personal Data during a paid subscription. Customer is responsible for security controls it manages, including user access, roles, SSO configuration, SDK keys, integrations, targeting attributes, and application authorization.

Personal Data Breach notification

FeatBit will notify Customer without undue delay after becoming aware of a Personal Data Breach and, when reasonably practicable, within 72 hours. Notice does not constitute an admission of fault or liability. FeatBit may provide information in phases as its investigation develops.

To the extent known and applicable, notice will describe:

  • the nature of the incident and affected data or data-subject categories;
  • the likely consequences;
  • measures taken or proposed to contain, investigate, and remediate the incident; and
  • a contact for follow-up.

FeatBit will take reasonable steps to contain and remediate a breach and will reasonably cooperate with Customer's legally required notifications. Customer remains responsible for notifying regulators and data subjects unless law assigns that duty to FeatBit.

Subprocessors

Customer gives FeatBit general written authorization to use the subprocessors listed in the Subprocessor Register. FeatBit will impose written data-protection obligations materially equivalent to the relevant obligations in this DPA and remains responsible for a Subprocessor's performance of those obligations.

FeatBit will give affected Customer account administrators at least 30 days' advance notice by email of a new or replacement Subprocessor that will process Customer Personal Data. Customer may object within 15 days on reasonable data-protection grounds. The parties will work in good faith on a commercially reasonable solution. If none is available, Customer may terminate the affected Cloud service before the change takes effect and receive a refund of prepaid unused fees for the terminated portion.

Customer assistance

Taking into account the nature of processing and information available, FeatBit will reasonably assist Customer with:

  • requests to access, correct, delete, restrict, or export Customer Personal Data;
  • security-of-processing, breach-notification, impact-assessment, and regulator-consultation obligations;
  • information needed to demonstrate compliance with processor-contract requirements; and
  • regulator inquiries that concern FeatBit's processing under this DPA.

If a data subject contacts FeatBit directly about Customer Personal Data, FeatBit will ordinarily direct the person to Customer and will not independently respond unless Customer instructs it or law requires it. FeatBit may charge reasonable costs for unusually burdensome assistance not caused by FeatBit's breach.

Return and deletion

During the subscription, Customer may use available product export functions and may request reasonable export assistance. At Customer's choice following termination, FeatBit will return or delete Customer Personal Data, unless applicable law requires retention.

Unless an Order states otherwise, FeatBit will delete Customer Personal Data from active production systems within 30 days after termination or Customer's verified deletion request. Isolated backup copies may remain for up to 90 additional days and will not be restored except for disaster recovery, legal obligation, or security investigation; if restored, the deletion requirement will be re-applied.

Information and audits

On reasonable written request, FeatBit will provide information necessary to demonstrate compliance with this DPA, such as this DPA, the Security Overview, architecture or data-flow documentation, the Subprocessor Register, a completed reasonable security questionnaire, and an internally conducted security-testing summary under appropriate confidentiality terms.

Processor accountability

Where the GDPR applies, these information and audit commitments support Customer's review of FeatBit as a processor under Article 28. Customer remains responsible for its own legal and risk assessment.

Customer may conduct one audit per 12-month period, and an additional audit after a material Personal Data Breach or when required by a regulator. Audits will begin with document review. On-site inspection is available only where documentation is reasonably insufficient, during normal business hours, on at least 30 days' notice unless urgent, without access to other customers' data, and subject to confidentiality and security requirements. Customer bears its audit costs unless the audit identifies a material FeatBit breach.

International data transfers

Customer authorizes FeatBit and its approved Subprocessors to process Customer Personal Data in the locations described in the Subprocessor Register, subject to this DPA and any transfer mechanism required by Applicable Data Protection Law.

For a transfer of Customer Personal Data subject to the EEA GDPR that requires appropriate safeguards, the European Commission's 2021 Standard Contractual Clauses are incorporated by reference as follows: Module Two applies where Customer is a controller and FeatBit is a processor; Module Three applies where Customer is a processor and FeatBit is a subprocessor; Clause 7 applies; Clause 9 uses Option 2 with a 30-day notice period; the optional language in Clause 11 does not apply; Clause 17 uses Option 1 and the law of Ireland; and the courts of Ireland apply under Clause 18(b). Annexes I and II of this DPA supply the corresponding SCC annex information, and the Subprocessor Register supplies Annex III.

If another mandatory transfer instrument applies, including a United Kingdom transfer addendum, the parties will reasonably cooperate to complete it. If a transfer mechanism changes or is invalidated, the parties will work in good faith to implement a lawful replacement.

U.S. state privacy terms

Where U.S. state privacy law applies to Customer Personal Data, FeatBit acts as Customer's service provider, contractor, or processor. The specific and limited business purposes are hosting, transmitting, evaluating, securing, troubleshooting, supporting, and maintaining Customer's feature-management and experimentation data as instructed by Customer.

  • FeatBit will not sell or share Customer Personal Data.
  • FeatBit will not retain, use, or disclose it outside the specified purposes or direct business relationship.
  • FeatBit will not combine it with personal data received from another person except as law permits.
  • FeatBit will provide the same level of privacy protection required of Customer for the delegated processing.
  • FeatBit will notify Customer if it can no longer meet these obligations and allow reasonable remediation steps.

FeatBit certifies that it understands the restrictions and obligations in this section and will comply with them. Customer may take reasonable and appropriate steps to verify and stop or remediate unauthorized use as described in the audit provisions of this DPA.

Processing details

Subject matterProviding, securing, maintaining, and supporting FeatBit Cloud.
DurationThe subscription term plus the deletion periods in this DPA.
Nature and purposeHosting, storage, retrieval, organization, transmission, flag evaluation, analytics, support, security, backup, and deletion as instructed by Customer.
FrequencyContinuous or as initiated by Customer and its connected SDKs during the subscription.
Data subjectsDepending on Customer's submitted values and context: Customer personnel and authorized users; Customer's end users or account users; and support contacts. Keys may also represent devices, services, or other non-person targeting contexts.
Personal-data categoriesDepending on what Customer submits: names, business contact details, account identifiers, user keys, IP and device or connection data, custom user attributes, flag evaluation records, experiment events, audit records, and support content.
Sensitive dataNot intended. Customer must not submit special-category data, payment-card data, PHI, government identifiers, or similarly regulated data without a written agreement.
Customer instructionsThe Agreement, this DPA, Orders, product configuration, SDK/API submissions, and documented support requests.
Data exporterCustomer, using the name, address, contact, role, and signature or electronic acceptance in the Agreement or Order.
Data importerThe FeatBit contracting entity identified in the Agreement or Order; privacy contact: contact@featbit.co; role: processor or subprocessor.

Technical and organizational measures

  • Access control: individual accounts, role-based access, least-privilege production access, periodic review, and prompt access removal.
  • Authentication and secrets: protected credentials and service secrets; multi-factor authentication for privileged systems where supported; no complete payment-card storage by FeatBit.
  • Encryption: TLS for public service traffic and provider-supported encryption at rest for in-scope production storage.
  • Isolation: logical separation by workspace, organization, project, and environment, with authorization checks at service boundaries.
  • Confidentiality and purpose limitation: need-based access, confidentiality obligations, restricted disclosure, and no sale or advertising use of Customer Personal Data.
  • Secure development: source control, peer review for material changes, dependency and vulnerability review, testing, and controlled deployment.
  • Vulnerability management: risk-based triage, patching, internal application security and penetration testing, and a security-reporting channel.
  • Logging and monitoring: operational logs, error monitoring, audit records for product changes, alerting, and incident investigation.
  • Resilience: backups, service-health monitoring, recovery procedures, and use of cloud-provider availability controls appropriate to the service.
  • Incident management: documented escalation, containment, investigation, remediation, and customer-notification processes.
  • Data minimization and deletion: documented data categories, customer configuration controls, export functions, and deletion workflows.
  • Supplier management: documented provider purposes, contractual safeguards, restricted access, and advance notice for new core Subprocessors.

General terms and regulatory references

The Agreement's limitation-of-liability, governing-law, and dispute provisions apply to this DPA unless Applicable Data Protection Law or the SCCs require otherwise. This DPA ends when FeatBit no longer processes Customer Personal Data, except provisions that must survive to protect retained data.

This DPA is designed around the processor-contract requirements in GDPR Articles 28 and 32 and the European Commission's Standard Contractual Clauses, and the California Privacy Protection Agency's CCPA regulations. It should be reviewed against Customer's jurisdiction and processing before signature.