Cloud SecurityShared ResponsibilityCurrent Controls

FeatBit // security overview

FeatBit Cloud Security

A plain-language description of the safeguards and shared responsibilities that apply to FeatBit's hosted Cloud service.

Effective date: July 17, 2026

Security documentation

This page describes the current controls for FeatBit Cloud. Contractual data-processing commitments are in the Data Processing Addendum, and customer-specific service levels apply only when included in an Order.

Security documentation and scope

This overview covers FeatBit Cloud and the FeatBit personnel and systems used to operate it. It is intended to support customer due diligence and supplements the Data Processing Addendum. It is not a warranty, service-level agreement, or substitute for an Order.

  • FeatBit maintains an internal security-testing program and tracks remediation based on risk.
  • A redacted internal testing summary may be provided under NDA after scope and recipient review.
  • FeatBit can complete a reasonable customer security questionnaire.
  • The DPA, Subprocessor Register, and this overview document the applicable privacy and security controls.

Platform, hosting, and data boundaries

FeatBit Cloud runs on Microsoft Azure infrastructure. Customer environments are separated logically through workspace, organization, project, and environment identifiers, with authorization enforced by application services. FeatBit does not use one customer's Customer Data to target or serve another customer.

FeatBit does not sell Customer Data or use it for advertising. Customer Data is disclosed only to authorized personnel and subprocessors that need it to provide or secure the service, as Customer directs or authorizes, or as required by law.

  • Production and backup data use provider-managed storage in the configured hosting region.
  • Cloud providers and operational services are listed in the Subprocessor Register.
  • Customer Data is retained and deleted under the DPA and any Order-specific commitment.
  • Dedicated regions or environments apply only when expressly included in an Order.

Identity and access controls

  • Production access is restricted to authorized personnel with a business need.
  • Privileged access is granted using individual identities and reviewed when roles change.
  • Multi-factor authentication is used for privileged systems where the platform supports it.
  • FeatBit Cloud provides role-based permissions and product audit records; available controls depend on the selected plan.
  • Enterprise single sign-on is available only when included in the applicable subscription or Order.

FeatBit personnel may access Customer Data only as needed to provide support, protect the service, investigate an incident, comply with law, or otherwise follow documented Customer instructions.

Encryption, credentials, and secrets

  • Public Cloud service traffic is protected in transit with HTTPS/TLS.
  • In-scope production storage uses encryption-at-rest capabilities supplied by the cloud provider.
  • Service credentials and production secrets are restricted to the systems and personnel that require them.
  • FeatBit does not store complete payment-card numbers; card handling is delegated to Stripe.
  • SDK keys and API credentials are treated as secrets, but Customer controls their distribution and rotation.

Secure development and vulnerability management

FeatBit uses source control, change review, automated checks, testing, and controlled deployment practices for material service changes. Security issues are triaged by severity and exploitability, assigned to an owner, remediated on a risk basis, and retested when appropriate.

  • Dependencies and application code are reviewed for known or reported vulnerabilities.
  • Material changes are reviewed before production deployment.
  • Internal application security and penetration testing covers selected high-risk service paths.
  • Secrets must not be committed to source code; exposed credentials are revoked and replaced.

Logging, monitoring, and incident response

FeatBit collects operational, security, and error logs needed to monitor service health, investigate suspicious activity, troubleshoot failures, and maintain product audit history. Access to logs is restricted and their contents are minimized where practicable.

The incident process covers reporting, triage, containment, investigation, recovery, remediation, and retrospective review. For a confirmed Personal Data Breach, FeatBit notifies affected customers without undue delay and, when reasonably practicable, within 72 hours, as described in the DPA.

Availability, backup, and recovery

  • Production service health is monitored and operational failures are investigated.
  • Backups and cloud-provider resilience controls support recovery from infrastructure or data failures.
  • Recovery procedures are maintained and exercised as the service changes.
  • Backup copies are isolated from normal product access and age out under the DPA deletion schedule.

No public SLA

FeatBit does not make a public uptime percentage, recovery-time objective, or recovery-point objective commitment on this page. A binding SLA or recovery objective applies only when it is expressly included in a signed Order.

Customer security responsibilities

FeatBit secures the Cloud platform; Customer remains responsible for how it configures and uses the service.

  • Use unique accounts, strong authentication, least-privilege roles, and SSO where available.
  • Protect, scope, and rotate SDK keys, API credentials, webhooks, and integration secrets.
  • Use opaque user keys and send only attributes needed for feature targeting or experimentation.
  • Do not submit special-category data, payment-card data, PHI, government identifiers, or production secrets unless a written agreement expressly permits it.
  • Review audit records, remove inactive users, and promptly report suspected compromise.
  • Secure Customer applications, SDK configuration, endpoints, integrations, and exported data.

Reporting issues and requesting documentation

Report a suspected vulnerability to contact@featbit.co. Include the affected endpoint or component, reproduction steps, likely impact, and a safe contact method. Do not access another customer's data, degrade production, use social engineering, or test FeatBit systems without written authorization.

Procurement teams may use the same address to request a security questionnaire, architecture or data-flow information, or the redacted internal testing summary under NDA.