Trust Center

Last updated: March 18, 2026

1. Overview

At FeatureBoard, security is foundational to how we design, build, and operate our platform. We implement defense-in-depth across every layer of our stack — from infrastructure to application logic — to protect your data and maintain your trust.

This page describes our current security posture, the technical controls in place, and how we handle your data. All claims on this page reflect features that are implemented and actively enforced in our production environment.

2. Infrastructure & Hosting

Vercel — Our application is deployed on Vercel's edge network, which maintains SOC 2 Type II compliance. All traffic is served over HTTPS with TLS 1.2+ enforced.
Neon PostgreSQL — Our database is hosted on Neon, a SOC 2 Type II compliant managed PostgreSQL provider. All data is encrypted at rest and in transit.
Data residency — Application hosting and database infrastructure are located in US regions.

3. Encryption

Data in Transit

All connections to FeatureBoard are encrypted using TLS 1.2 or higher. This applies to browser connections, API requests, and all communication between our services and third-party providers.

Data at Rest

Database — All data stored in Neon PostgreSQL is encrypted at rest using AES-256.
Secrets — Sensitive values such as webhook secrets and OAuth tokens are encrypted at the application level using AES-256-GCM before being stored in the database. In production, a missing encryption key causes an immediate startup failure — there is no silent fallback.
API keys — API keys are hashed using SHA-256 before storage. The original key is never stored in plaintext and cannot be recovered — only verified.

4. Authentication & Authorization

Clerk authentication — User authentication is managed by Clerk, a SOC 2 Type II compliant identity provider. Sessions use httpOnly, secure cookies.
Organization-scoped access — All data access is scoped to the authenticated user's organization. Our middleware resolves the user's organization on every request and enforces tenant isolation at the query level.
API key authentication — Programmatic access uses API keys that are company-scoped. Keys support rotation with a 24-hour grace period, allowing both old and new keys to work during the transition.
Role-based access — Users have roles (engineering, PM, GTM, CS, leadership) that determine their view of feature data. Admin actions require elevated privileges.

5. Application Security

SSRF protection — Webhook delivery URLs are validated against private IP ranges and DNS rebinding attacks. IPv6 addresses are blocked entirely. DNS resolution is performed before delivery to catch rebinding attempts.
Rate limiting — API endpoints are rate limited to prevent abuse. Webhook delivery implements exponential backoff for failed attempts.
Input validation — All user input is validated using Zod schemas at API boundaries. Invalid input is rejected before reaching business logic.
XSS prevention — React's built-in output escaping is used throughout the application. Error messages are sanitized before being sent to clients to prevent information leakage.
Export safety — CSV and JSON exports include formula injection prevention to protect users who open exports in spreadsheet applications.
AI prompt injection mitigation — User-controlled data passed to AI models is wrapped in XML delimiters to reduce the risk of prompt injection attacks.

6. Audit & Monitoring

Security event logging — Key lifecycle events (API key creation, rotation, revocation) are recorded in a dedicated security event log with actor, action, and timestamp.
Admin audit log — Administrative actions are logged with actor identity, affected resource, action type, and severity level.
Structured logging — Application logs use Pino structured logging with automatic redaction of sensitive fields (passwords, tokens, API keys).
Error monitoring — Sentry captures application errors and performance data for rapid incident response. Error reports do not intentionally include personal data.

7. Data Handling

GDPR compliance — We provide data deletion capabilities to support your right to erasure under GDPR Article 17. Company administrators can request full data deletion with a 30-day grace period for accidental requests.
Data export — Feature data can be exported in CSV and JSON formats for portability.
Data retention — Webhook delivery logs are automatically pruned after 30 days. Analytics data follows Google Analytics' standard retention policies (14 months).
IP address handling — IP addresses collected during waitlist signup are stored as one-way hashes, never in plaintext.
Payment processing — Paddle acts as our Merchant of Record, handling payment processing, invoicing, sales tax compliance, and subscription management. Payment credentials are processed entirely by Paddle and never touch our servers.
Credential isolation — Third-party integration credentials (OAuth tokens, API keys) are managed through Nango and never stored directly in our database.

8. Compliance

FeatureBoard is committed to meeting the compliance requirements of our customers. We provide the following resources:

Privacy Policy — How we collect, use, and protect your data.
Terms of Service — The agreement governing your use of FeatureBoard.
Data Processing Agreement (DPA) — Our standard DPA for organizations that require one.

GDPR

We support the rights of data subjects under the General Data Protection Regulation, including the right to access, rectification, erasure, portability, restriction of processing, and objection. See our Privacy Policy for details on exercising these rights.

CCPA

California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information. See our Privacy Policy for details.

9. Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in FeatureBoard, we ask that you report it responsibly:

Email your findings to security@featureboard.io.
Include a description of the vulnerability, steps to reproduce, and the potential impact.
Allow us reasonable time to investigate and address the issue before public disclosure.
Do not access, modify, or delete data belonging to other users during your research.

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days. We appreciate your help in keeping FeatureBoard secure.

10. Frequently Asked Questions

Where is my data stored?

Your data is stored in Neon PostgreSQL databases hosted in US regions. All data is encrypted at rest and in transit.

Can I delete all my company's data?

Yes. Company administrators can request full data deletion from the application settings. There is a 30-day grace period during which the deletion can be cancelled. After the grace period, all data is permanently removed, including from third-party services (authentication, billing, integrations).

Do you have a Data Processing Agreement (DPA)?

Yes. Our standard DPA is available at featureboard.io/security/dpa. If you need a custom DPA, contact us at legal@featureboard.io.

How are third-party integration credentials handled?

Integration credentials (OAuth tokens, API keys for connected services) are managed through Nango, a dedicated integration proxy. Credentials never pass through or are stored in our database. Our application enforces a denylist pattern that rejects any attempt to store credential-like values in configuration fields.

How do you handle AI-related data?

FeatureBoard uses OpenAI for vector embeddings (natural language search) and Anthropic Claude for AI feature summaries and intent classification. Feature data sent to these providers is used solely for processing your request and is not used to train models. We apply prompt injection mitigations (XML delimiters) when passing user-controlled data to AI models.

How can I report a security vulnerability?

Please email security@featureboard.io with details of the vulnerability. See our Responsible Disclosure section for guidelines.