Data Processing Addendum
Our commitments when processing personal data on your behalf.
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Feedforward and governs the processing of personal data we carry out on your behalf when you use the Service. Where this DPA conflicts with the Terms of Service regarding personal-data processing, this DPA controls. Last updated June 21, 2026.
Roles of the parties
For survey responses and other end-user personal data you collect through the Service, you act as the data controller and Feedforward acts as a data processor, processing such data only on your documented instructions. For account, billing, and security data relating to your use of the Service, Feedforward acts as an independent controller as described in our Privacy Policy.
Scope and purpose of processing
- Subject matter: provision of the feedback-collection and analytics Service.
- Duration: for the term of the agreement and any post-termination retention period.
- Nature and purpose: hosting, storage, automated theme/sentiment extraction, and display of feedback you collect.
- Data subjects: your end users who submit feedback and your authorized account users.
- Categories of data: survey responses (including free text), and limited technical metadata stored in hashed form (for example, IP addresses retained only as a SHA-256 hash).
Subprocessors
You authorize Feedforward to engage subprocessors to provide the Service. We impose data-protection obligations on each subprocessor that are no less protective than this DPA and remain responsible for their performance. Current subprocessors include managed cloud database and cache providers (Neon Postgres, managed Redis), our identity provider, our payment processor, LLM providers used for theme and sentiment extraction, and hosting, email, and monitoring providers. We will give reasonable notice of new subprocessors so you may object on legitimate grounds.
Security measures
Feedforward maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, per-organization tenant isolation, HMAC-signed widget embed tokens, least-privilege access controls, and audit logging. Details are described on our Security page, which is incorporated by reference.
Data subject requests
Taking into account the nature of the processing, Feedforward will provide reasonable assistance to help you respond to requests from data subjects to exercise their rights of access, correction, deletion, restriction, portability, and objection. Where a data subject contacts us directly about data you control, we will refer them to you and assist as required.
International transfers
Where processing involves transferring personal data across borders, Feedforward relies on lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs) and equivalent safeguards, together with supplementary measures where appropriate.
Breach notification
Feedforward will notify you without undue delay after becoming aware of a personal-data breach affecting your data, and will provide information reasonably available to help you meet your own notification obligations and to support investigation and remediation.
Term and deletion
This DPA remains in effect for as long as Feedforward processes personal data on your behalf. Upon termination of the Service, and at your choice, Feedforward will delete or return Customer Data and delete existing copies, except where retention is required by applicable law. To request a signed copy of this DPA, contact us through our contact page.