1. Definitions
- "Controller" — the entity that determines the purposes and means of processing personal data (you, the customer).
- "Processor" — the entity that processes personal data on behalf of the Controller (FeatureBoard).
- "Data Subject" — an identified or identifiable natural person whose personal data is processed.
- "Personal Data" — any information relating to a Data Subject.
- "Processing" — any operation performed on personal data, including collection, storage, use, and deletion.
- "Sub-processor" — a third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope & Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and FeatureBoard ("Processor") for the provision of the FeatureBoard platform services. It governs the processing of personal data by FeatureBoard on your behalf.
FeatureBoard processes personal data solely for the purpose of providing the product feature tracking platform, including user authentication, feature management, team collaboration, analytics, and notifications as described in our Terms of Service.
3. Data Processing Details
Categories of Data Subjects
- End users of the Controller's FeatureBoard workspace
- Workspace administrators
Types of Personal Data
- Name and email address
- Organization membership and role
- IP address (stored only as a one-way hash)
- Authentication session data
- Feature and product data created by users
- Activity logs (comments, updates, status changes)
Processing Purposes
- User authentication and session management
- Feature tracking and team collaboration
- Analytics and reporting
- Email notifications and digests
- AI-powered feature summaries and natural language search
- Billing and subscription management
Duration
Personal data is processed for the duration of the active subscription. Upon termination, data is retained for 30 days to allow for account reactivation, after which it is permanently deleted.
4. Processor Obligations
As a Processor, FeatureBoard commits to the following obligations:
- Documented instructions — Process personal data only on the Controller's documented instructions, unless required by law to do otherwise.
- Confidentiality — Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Security measures — Implement appropriate technical and organizational security measures as described in our Trust Center, including AES-256-GCM encryption, SHA-256 API key hashing, SSRF protection, rate limiting, and input validation.
- Sub-processor management — Engage sub-processors only with prior notice to the Controller (see Section 5) and ensure equivalent data protection obligations are imposed.
- Assistance — Assist the Controller in responding to data subject requests, security incidents, and data protection impact assessments.
- Deletion — Upon termination, delete or return all personal data to the Controller, and delete existing copies unless required by law to retain them.
5. Sub-processors
FeatureBoard uses the following sub-processors to provide the platform. We will notify you of any changes to this list at least 30 days before engaging a new sub-processor.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Name, email, session data, organization membership | United States |
| Neon | Database hosting | All application data (features, users, organizations) | United States |
| Vercel | Application hosting and CDN | HTTP request data, application logs | United States (global edge network) |
| Sentry | Error monitoring and performance | Error reports, performance traces, browser metadata | United States |
| Resend | Transactional and marketing email delivery | Email addresses, email content | United States |
| Inngest | Background job processing | Job metadata, event payloads | United States |
| OpenAI | Vector embeddings for natural language search | Feature text content (for embedding generation) | United States |
| Anthropic | AI feature summaries and intent classification | Feature text content (for summary generation) | United States |
| Paddle | Payment processing, invoicing, tax compliance (Merchant of Record) | Transaction data, billing information | Ireland (EU) |
| Stripe | Legacy payment processing | Billing information, subscription data | United States |
| Nango | Third-party integration proxy | Integration credentials, connection metadata | United States |
6. Data Subject Rights
FeatureBoard will assist the Controller in fulfilling data subject requests, including:
- Right of access — Data can be exported from the application in CSV and JSON formats.
- Right to rectification — Users can update their profile information through the application.
- Right to erasure — Company administrators can request full data deletion through the application settings, which includes cleanup from all sub-processors.
- Right to data portability — Feature data can be exported in structured, machine-readable formats (CSV, JSON).
For data subject requests, contact privacy@featureboard.io.
7. Data Breach Notification
In the event of a personal data breach, FeatureBoard will:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide the following information: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address and mitigate the breach.
- Cooperate with the Controller in investigating the breach and fulfilling any regulatory notification obligations.
8. International Data Transfers
FeatureBoard processes data primarily in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission for Controller-to-Processor transfers.
- Sub-processor agreements that include equivalent data transfer safeguards.
We will provide copies of the applicable SCCs upon request.
9. Audit Rights
The Controller has the right to verify FeatureBoard's compliance with this DPA. FeatureBoard will:
- Make available all information necessary to demonstrate compliance with data processing obligations.
- Allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
- Provide an annual summary of security measures and any relevant third-party audit reports (e.g., SOC 2 reports from infrastructure providers) upon request.
10. Term & Termination
This DPA is effective for the duration of the Controller's use of FeatureBoard services. Upon termination of the service agreement:
- FeatureBoard will retain data for 30 days following termination to allow for data export and account reactivation.
- After the 30-day retention period, all personal data will be permanently deleted from our systems and all sub-processors, unless retention is required by applicable law.
- The Controller may request immediate deletion at any time through the data deletion feature in application settings (subject to the 30-day grace period for safety).
11. Contact
For questions about this DPA or to request a signed copy, contact us at:
- Data protection inquiries: privacy@featureboard.io
- Legal inquiries: legal@featureboard.io