Data Transfer Impact Assessment (DTIA)
Last updated: 27th December, 2023
1. Introduction
We (featureOS) are committed to protecting and respecting your privacy. Every feature we build starts with user privacy, data security, and transparency in mind. featureOS complies with the European Union and United Kingdom’s laws regarding data protection and privacy, including the General Data Protection Regulation (GDPR).
This page is designed to provide you with information about key issues for transfers made to featureOS in the US, and support our customers conducting data transfer impact assessments. Covered topics include the Schrems II decision, our adoption of the EU standard contractual clauses, and our certification to the EU-US Data Privacy Framework.
Important links for customers:
- featureOS Privacy Policy
- featureOS Terms of Service
- featureOS GDPR Compliance
- featureOS Security
- featureOS Subprocessors
2. Service that featureOS provides
featureOS provides subscriptions to our “software as a service” (SaaS) platform to collect, organize, and analyze customer feedback as part of the featureOS platform (“featureOS Services”).
3. What data do we collect and process?
In order to provide the featureOS Services to our customers, we collect and process the data that is mentioned in our updated Privacy Policy. This includes personal data that our customers provide to us, and personal data that we collect from our customers’ end users. We also collect and process data that is necessary for the operation of our featureOS Services, such as data about the devices and browsers that end users use to access our customers’ websites and applications.
We process data in accordance with our Data Processing Addendum (DPA), which is incorporated into our Terms of Service. You can request a copy of our DPA by emailing [email protected].
4. Where do we store and otherwise process data?
featureOS is a US-based company, and our primary data centers are located in the United States of America, hosted by Amazon Web Services, Microsoft Azure, and Google Cloud Platform. We also use a number of subprocessors to support our featureOS Services, and these subprocessors also comply with the EU-US Privacy Shield Framework. You can find a list of our subprocessors here.
5. What controls do we have in place with subprocessors?
We also make onward transfers to subprocessors and take steps to agree on appropriate transfer safeguards with each subprocessor, such as relevant standard contractual clauses, signing a DPA, and carefully analyzing their security practices. We take measures to evaluate the privacy and security practices of our subprocessors, including:
- Each subprocessor is required to agree to a data processing agreement with us.
- We evaluate the data privacy and security practices of each subprocessor prior to engaging and onboarding such subprocessor.
- We conduct periodic audits of key subprocessors throughout the terms of our respective agreements with them.
You can find information about our subprocessors here.
6. How long is data retained?
We retain data for as long as necessary to provide the featureOS Services to our customers, and as described in our Privacy Policy. We also retain data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
For accounts that are inactive, we will delete the data after the timeframe specified in our Inactive Account Policy.
7. How does featureOS manage requests from data subjects to exercise their GDPR rights?
We have processes to receive, analyze, and respond to data subject requests from our employees, customers, and marketing prospects. Additionally, our customers may delete and export data from their featureOS Services account as described here.
8. What measures does featureOS take to protect personal data?
featureOS undertakes technical and organizational measures to secure customer data as described in Schedule 1 of featureOS’s Data Processing Addendum, as well as security measures, including encryption, which are further described here.
featureOS’s contractual measures are set out in our Data Processing Addendum which incorporates featureOS’s certification to the DPF and our adoption of SCCs (available on request). These include:
- Technical measures: featureOS is obligated to have in place appropriate technical and organizational measures to safeguard personal data.
- Transparency: featureOS is obligated to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority. In the event featureOS is legally prohibited from making such a disclosure, we will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.
- Actions to challenge access: featureOS is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
featureOS will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.