Data Processing Agreement

Written By Bruno from Featurebase

Last updated 4 months ago

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the agreement (including any order form or online terms) between CORDNET OÜ, d/b/a Featurebase, Harju maakond, Viimsi vald, Haabneeme alevik, Kaluri tee 4-32, 74001, Estonia [registry code: 14748498] (“Featurebase”) and the customer that signs an order, clicks to accept online terms, or uses the Services (“Customer”) (together, the “Agreement”). By signing an order, clicking to accept the online terms, or using the Services as permitted under the Agreement, Customer agrees to this DPA. Capitalized terms not defined here have the meanings in the Agreement. Roles of the parties are as set out in Section 2. In the event of a conflict between this DPA and the Agreement, this DPA controls for the Processing of Personal Data; if there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control for the relevant transfers.

If there is any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. If there is any conflict between this DPA and the EU Standard Contractual Clauses (“SCCs”) incorporated herein, the SCCs prevail for the relevant transfers.


1. Definitions

“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU GDPR, the UK GDPR, the Swiss FADP, and U.S. State Privacy Laws.
“Customer Personal Data” means Personal Data Processed by Featurebase on behalf of Customer in the course of providing the Services (e.g., feedback, messages, attachments, end‑user identifiers, usage within Customer’s Featurebase workspace).
“Services” means the Featurebase platform and related services as described in the Agreement (support/feedback forums, in‑app widgets, support inbox & messenger, surveys, knowledge base, changelog, analytics, integrations, and associated APIs).
“Service Data” means account, billing, admin, and product telemetry/diagnostic data for which Featurebase determines the purposes and means of Processing for its legitimate business operations (e.g., service delivery, security, billing, fraud prevention, product improvement), independent of Customer instructions.
“Controller,” “Processor,” “Personal Data,” “Personal Data Breach,” “Processing,” etc., have the meanings given in Applicable Data Protection Laws.
“Subprocessor” means any Processor engaged by Featurebase to Process Customer Personal Data.
“U.S. State Privacy Laws” means, to the extent applicable, the CCPA/CPRA and the state privacy laws of Virginia, Colorado, Connecticut, Utah, and any similar U.S. state privacy laws in effect during the Term.
“De‑identified Data” means data that cannot reasonably be linked to an identified or identifiable person, provided that Featurebase commits not to attempt to re‑identify such data.


2. Roles; Scope; Instructions

2.1 Roles. For Customer Personal Data, Customer is the Controller (or Processor on behalf of a third‑party Controller) and Featurebase is the Processor. For Service Data, each party acts as an independent Controller.

2.2 Instructions. Featurebase shall Process Customer Personal Data only on documented instructions from Customer, including as necessary to provide and secure the Services, to manage accounts, to comply with law, and as otherwise permitted under this DPA. Customer instructs Featurebase to Process Customer Personal Data to provide the Services, to transfer Customer Personal Data to Subprocessors per Annex C, and to make international transfers as set out in Section 8 and Annexes D–F.

2.3 Customer Responsibilities. Customer is responsible for: (a) ensuring it has a lawful basis and appropriate notices for the Processing and the data it submits to the Services; (b) its configuration and use of the Services; (c) not uploading special categories of data or children’s data unless the Services expressly support it and Customer has obtained Featurebase’s prior written approval.


3. Compliance; Confidentiality; Personnel

3.1 Compliance. Featurebase shall comply with Applicable Data Protection Laws in its role as Processor and shall ensure a level of security appropriate to the risk, as described in Annex B (TOMs).

3.2 Confidentiality. Featurebase shall ensure persons authorized to Process Customer Personal Data are bound by confidentiality obligations and receive appropriate data protection and security training.


4. Security; Audits; Certifications

4.1 Security Measures. Featurebase maintains technical and organizational measures as set out in Annex B, including encryption in transit and at rest, access controls, vulnerability management, logging/monitoring, business continuity & disaster recovery (target RTO < 4 hours; target RPO < 1 hour), and secure SDLC.

4.2 SOC 2. Featurebase maintains a SOC 2 Type II information security program. Upon written request no more than once per 12‑month period, Featurebase will provide a current SOC 2 Type II report (or executive summary).

4.3 Customer Audits. If Reports‑First materials do not reasonably satisfy Customer’s obligations, Customer may conduct (or appoint an independent auditor to conduct) a security audit of Featurebase’s relevant facilities and systems that Process Customer Personal Data no more than once per 12 months, on 30 days’ prior written notice, during business hours, under Featurebase’s site rules, and without disrupting operations. Audits are at the Customer’s expense. For clarity, audits under the SCCs and this DPA are satisfied first by the Reports‑First approach.


5. Assistance; Data Subject Requests; DPIA; Records

5.1 Requests. Taking into account the nature of Processing, Featurebase shall assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to data subject requests under Applicable Data Protection Laws. Featurebase will promptly forward any request it receives directly to Customer without responding to the requester unless instructed by Customer.

5.2 DPIA & Prior Consultation. Featurebase shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, considering the nature of Processing and information available to Featurebase.

5.3 Costs. Assistance beyond two (2) person‑hours per request may be subject to Featurebase’s reasonable professional services fees.

5.4 Records. Featurebase shall maintain records of Processing activities required by Applicable Data Protection Laws for at least three (3) years.


6. Security Incidents

6.1 Notice. Featurebase shall notify Customer without undue delay and, where feasible, not later than 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

6.2 Content. The notice will describe, to the extent known: the nature of the incident, categories/approximate number of data subjects and records concerned, likely consequences, measures taken or proposed to address the breach, and a point of contact.

6.3 Remediation & RCA. Featurebase will take appropriate steps to contain, investigate, and remediate the incident and will provide a written root‑cause analysis within 30 days of containment (or as otherwise agreed), followed by corrective actions.

6.4 No Admissions. Notification shall not be construed as an admission of fault or liability.


7. Deletion, Return & Retention

7.1 During Term. Customer may export Customer Personal Data from the Services at any time via product capabilities or by written request.

7.2 Termination. Upon termination or expiry of the Agreement, Customer may instruct Featurebase to return or delete Customer Personal Data. Featurebase will: (a) complete return/export within 30 days of request; (b) delete Customer Personal Data from active systems within 90 days after termination; and (c) delete from backups within 365 days, subject to Section 7.3.

7.3 Legal Holds. Featurebase may retain Customer Personal Data as required by law or to establish, exercise, or defend legal claims; Processing will be limited to such purposes.

7.4 Category‑Based Retention (clarity).

  • Customer Content (feedback, messages, attachments, forum posts/votes): retained for Agreement term; deleted within 90 days after termination unless otherwise instructed or legally required.

  • Operational Logs & Telemetry (e.g., access logs, API logs, performance metrics unrelated to content): retained up to 12 months for security/operational integrity, then deleted or irreversibly anonymized.

  • Encrypted Backups: rolling retention; overwritten within 365 days after source deletion.


8. International Transfers; Data Location

8.1 Data Location. Featurebase primarily hosts Customer Personal Data in the European Economic Area (EEA). Content delivery, DNS, email, support, or other ancillary services may involve limited Processing outside the EEA by authorized Subprocessors.

8.2 Transfers. Where Customer Personal Data is transferred to a country that does not ensure an adequate level of protection, such transfers shall be governed by: (a) the SCCs (incorporated by reference in Annex D, with Modules 1–4 as applicable); (b) the UK Addendum (Annex E) for UK transfers; and (c) the Swiss Addendum (Annex F) for Swiss transfers.

8.3 Supplementary Measures. Featurebase implements organizational, technical, and contractual supplementary measures (e.g., encryption in transit/at rest, access controls, strict government request review policy) to protect transferred data.


9. Subprocessors

9.1 Authorization. Customer provides a general authorization for Featurebase to engage Subprocessors listed at https://help.featurebase.app/articles/2733677-subprocessors (the “Subprocessor Page”).

9.2 Onward Transfer Requirements. Featurebase shall impose data protection terms on Subprocessors that are at least as protective as those in this DPA, including flow‑downs of the U.S. State Privacy Law obligations in Section 10.

9.3 Changes; Notice; Objection. Featurebase will give at least 15 calendar days’ prior notice of additions or replacements of Subprocessors by updating the Subprocessor Page and via email to subscribed contacts. Customer may object on reasonable, data‑protection grounds within 10 calendar days of notice. If the parties cannot resolve the objection in good faith, Customer may suspend the affected Services or terminate the Agreement for convenience with a pro‑rated refund of prepaid, unused fees for the terminated portion.

9.4 Subscription. Customer may subscribe to Subprocessor change notifications by emailing support@featurebase.app.

9.5 Mapping. The Subprocessor Page will map each Subprocessor to the categories of Customer Personal Data and purposes (e.g., infrastructure hosting, email delivery, support, AI inference, analytics) and identify processing locations.


10. U.S. State Privacy Laws (Service Provider / Processor)

For Personal Information subject to U.S. State Privacy Laws, Featurebase acts as a service provider/processor/contractor to Customer and shall:

(a) Not sell or share Personal Information;
(b) Not retain, use, or disclose Personal Information for any purpose other than providing and securing the Services, or as permitted by the Agreement and law;
(c) Not combine Personal Information with Personal Information Featurebase receives from another source except as permitted by law and necessary to provide the Services;
(d) Flow down these restrictions to Subprocessors;
(e) Provide assistance to enable Customer to honor consumer privacy rights requests; and
(f) Upon request, provide a written certification of compliance with this Section.


11. AI Processing & Third‑Party AI Services

11.1 Default Posture. Featurebase will not use Customer Personal Data to train third‑party or Featurebase foundation models.

11.2 Vendors & Tiers. If Featurebase uses third‑party AI services in the provision of AI features, it will do so only via enterprise/API services (not consumer endpoints) configured such that prompts/outputs containing Customer Personal Data are not used to train or improve third‑party models.

11.3 Enablement. Featurebase will not submit Customer Content to third‑party AI services unless such AI features are enabled by Customer or are necessary to deliver a specific Customer‑requested function. Customer can disable AI features at any time (if configurable) and may request confirmation of current AI vendor usage related to its workspace.

11.4 Retention & Access. Featurebase shall contractually require AI vendors to limit retention of prompts/outputs to what is necessary for abuse monitoring, safety, or legal compliance, and to restrict access to authorized personnel only.

11.5 Documentation. Featurebase will identify any AI vendors engaged as Subprocessors on the Subprocessor Page with their purpose and processing locations.


12. Government Requests

Featurebase shall: (a) promptly notify Customer of any legally binding government request for disclosure of Customer Personal Data unless legally prohibited; (b) challenge overbroad or unlawful requests; and (c) disclose only the minimum amount of information necessary to comply with the request.


13. Aggregated & De‑identified Data

Featurebase may Process Aggregated and De‑identified Data derived from Customer’s use of the Services for lawful business purposes (e.g., analytics, service improvement), provided that such data does not identify or re‑identify Customer or data subjects and is processed in compliance with Applicable Data Protection Laws.


14. Liability; Indemnity; Order of Precedence

14.1 Liability. Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event the Agreement does not include a liability cap, the total aggregate liability of either party arising out of or related to this DPA shall not exceed the amounts paid or payable by Customer to Featurebase under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

14.2 Mutual Indemnity (Narrow). Each party will indemnify the other against third‑party claims to the extent arising from the indemnifying party’s material violation of Applicable Data Protection Laws or material breach of the SCCs/UK/Swiss Addenda with respect to Customer Personal Data, in each case resulting from the indemnifying party’s Processing, provided that: (a) the indemnified party gives prompt written notice; (b) the indemnifying party controls the defense and settlement; and (c) the indemnified party reasonably cooperates. This Section is subject to Section 14.1.


15. Miscellaneous

15.1 Duration. This DPA remains in effect for as long as Featurebase Processes Customer Personal Data under the Agreement.

15.2 Transfers Mechanism Precedence. The SCCs (Annex D), UK Addendum (Annex E), and Swiss Addendum (Annex F) are incorporated by reference and take precedence for their respective transfers.

15.3 Governing Law. This DPA is governed by the governing law specified in the Agreement, except that the SCCs are governed as specified in Annex D.

15.4 Contact. Data protection inquiries: [privacy email] | Attn: Data Protection Officer, CORDNET OÜ, [postal address].

15.5 Vulnerability Disclosure. Security researchers may report vulnerabilities via https://[security‑url]/vulnerability‑disclosure. Featurebase will maintain a coordinated vulnerability disclosure process.


Annex A — Description of Processing

A. Parties & Roles

  • Data Exporter: Customer (Controller or Processor).

  • Data Importer: Featurebase (Processor for Customer Personal Data; Controller for Service Data).

B. Data Subjects
Customer end‑users (e.g., customers, visitors, community members), Customer personnel and contractors, and any individuals whose data is submitted to the Services by or on behalf of Customer.

C. Categories of Personal Data
Identifiers (name, email, username, IP address, device identifiers), profile info, support/feedback content (including attachments), usage metadata, and any other Personal Data Customer chooses to submit.
Special categories are not intended to be Processed.

D. Processing Operations & Purposes
Hosting, storage, transmission, display, indexing, search, analytics, customer communications, service configuration, support, incident response, abuse/fraud prevention, business continuity, and security.

E. Nature & Duration
Continuous Processing for the Term of the Agreement plus retention described in Section 7.

F. Frequency of Transfers
Continuous as needed to provide the Services.

G. Data Location
Primarily EEA; international transfers per Section 8 and Annexes D–F.


Annex B — Technical and Organizational Measures (TOMs)

1. Organizational Security

  • Information Security Program aligned to SOC 2 Type II; executive oversight; risk management; vendor risk reviews.

  • Employee background checks where permitted; confidentiality agreements; mandatory security & privacy training at onboarding and annually.

  • Access provisioning via least privilege and role‑based access control; MFA required for privileged access.

2. Physical & Environmental Security

  • Use of reputable data centers with industry certifications; physical access controls, CCTV, visitor logs; redundant power/network.

3. Logical Security & Access Control

  • Unique user IDs; strong authentication; MFA; session controls; periodic access reviews; segregation of duties; secure secrets management.

4. Data Protection

  • Encryption in transit: TLS 1.2+ (target TLS 1.3).

  • Encryption at rest: AES‑256 (or stronger) for storage, backups, and portable media.

  • Key management with restricted access; rotation policies.

5. Application & SDLC Security

  • Secure coding standards; peer review; dependency scanning; SAST/DAST; change management; CI/CD with signed artifacts; separation of environments.

  • Security testing including annual third‑party penetration testing; remediation tracked with defined SLAs.

6. Monitoring & Logging

  • Centralized logging of security events (authentication, authorization changes, admin actions, data access anomalies); alerting and on‑call rotation; log integrity protection; log retention up to 12 months.

7. Business Continuity & Disaster Recovery

  • Documented BC/DR plans; geographically separated redundancy; tested at least annually; target RTO < 4 hours; target RPO < 1 hour.

8. Data Minimization & Retention

  • Collection limited to what is necessary; retention schedules per Section 7; deletion/overwriting of backups within 365 days.

9. Vulnerability & Patch Management

  • Vulnerability scanning of infrastructure and applications; severity‑based remediation timelines; emergency patching for critical issues.

10. Incident Response

  • Documented IR plan; detection, triage, containment, eradication, and recovery procedures; 72‑hour customer notification after becoming aware; post‑incident RCA.

11. Privacy by Design & Default

  • Privacy impact screening during design; data segregation by workspace; default configurations aimed at least privilege and minimal disclosure.

12. Subprocessor Oversight

  • Written contracts; security due diligence; ongoing monitoring; alignment with this Annex.


Annex C — Subprocessors & Change Management

1. Current Subprocessors. Listed at https://help.featurebase.app/articles/2733677-subprocessors with name, purpose, processing location(s), and categories of Customer Personal Data processed.

2. Notice of Changes. At least 15 days’ advance notice by updating the Subprocessor Page and emailing subscribed contacts.

3. Objections. Customer may object within 10 days of notice. The parties will discuss in good faith appropriate measures. If unresolved, Customer may suspend the affected Services or terminate the Agreement in accordance with Section 9.3.


Annex D — EU Standard Contractual Clauses (Incorporation Details)

The SCCs adopted by Commission Implementing Decision (EU) 2021/914 are incorporated by reference and apply as follows:

Module Selection

  • Module 1 (Controller → Controller): Applies to transfers of Service Data where Customer (as Controller) discloses Personal Data to Featurebase (as independent Controller).

  • Module 2 (Controller → Processor): Applies to transfers of Customer Personal Data from Customer (Controller) to Featurebase (Processor).

  • Module 3 (Processor → Sub‑processor): Applies to onward transfers from Featurebase (Processor) to its Subprocessors.

  • Module 4 (Processor → Controller): Applies where Customer acts as a Processor and transfers Personal Data to Featurebase acting as an independent Controller (e.g., for account administration or fraud/security operations).

Docking Clause: Clause 7 is enabled.
Subprocessor Authorization: Clause 9, Option General Authorization, notice period 15 days.
Governing Law & Forum: Clause 17 — Estonian law; Clause 18 — courts of Estonia.
Supervisory Authority: The competent supervisory authority shall be the authority of the EEA Member State of Customer’s establishment or, if Customer is not established in the EEA, the Estonian supervisory authority.
Annex I.A (Parties): As stated in Annex A.
Annex I.B (Description): As stated in Annex A.
Annex I.C (SA): As above.
Annex II (TOMs): As stated in Annex B.
Annex III (Subprocessors): As stated in Annex C.


Annex E — UK Addendum to the EU SCCs

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (version B.1.0, or subsequent version automatically replacing it) is incorporated by reference.

Table 1 (Parties): As in Annex A (Exporter: Customer; Importer: Featurebase).
Table 2 (Selected SCCs): As described in Annex D (Modules 1–4, general authorization; Estonian law for Clause 17; courts of Estonia for Clause 18).
Table 3 (Appendix Information): As in Annex A (description), Annex B (TOMs), Annex C (Subprocessors).
Table 4 (Ending this Addendum): Neither party opts out of the ICO’s mandatory versions update mechanism.

For UK transfers, where the Addendum references “the laws and courts governing the SCCs,” the laws and courts of England and Wales shall apply solely for UK data subject claims where required by UK law; otherwise, Annex D selections apply.


Annex F — Swiss Addendum

For transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the following modifications: references to “Member State” are replaced with “Switzerland,” references to the “EU GDPR” are replaced with the FADP where appropriate, and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC). Clause 17 governing law and Clause 18 forum follow Annex D unless Swiss law requires otherwise.


Annex G — Jurisdiction‑Specific Terms (Non‑EU/UK/CH)

California (CPRA/CCPA) and Similar U.S. State Laws. Featurebase acts as service provider/processor; no sale or sharing; limited and specified purpose; assistance for consumer rights; flow‑downs to Subprocessors; certification available upon request.


Signatures

This DPA is pre‑signed by Featurebase and becomes legally binding upon execution of the Agreement or any order incorporating this DPA, or Customer’s electronic acceptance.

Featurebase (CORDNET OÜ)
By:

Name: Bruno Hiis
Title: Co-founder
Date: 17.09.2025

Customer
By: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________

