ISO 27701 — Privacy Information Management System

Last updated: April 2026

ISO 27701 extends ISO 27001 with privacy-specific controls to establish a Privacy Information Management System (PIMS). This document describes FeatureSignals' alignment with ISO 27701 requirements.

Scope

FeatureSignals operates as both:

  • PII Controller (for customer account data, billing data)
  • PII Processor (for evaluation context data passed by customers)

Key Controls Mapping

| Sub-clause | Requirement | Implementation |
|---|---|---|
| 6.2 | Privacy risk assessment | Included in risk register; privacy impact assessed for all new features |
| 6.3 | Internal audit | Quarterly privacy controls review |
| 6.4 | Management review | Privacy metrics in quarterly security review |

Clause 7 — Additional ISO 27002 Guidance for PII Controllers

| Control | Description | Implementation |
|---|---|---|
| 7.2.1 | Purpose identification | Documented in privacy policy; limited to service delivery |
| 7.2.2 | Lawful basis | Legitimate interest and contract performance identified |
| 7.2.5 | Privacy impact assessment | Completed for evaluation engine, audit system, SSO |
| 7.2.6 | Contracts with PII processors | DPA template available; signed with all sub-processors |
| 7.2.8 | Records of PII processing | Maintained in audit logs with integrity hashing |
| 7.3.1 | PII Controller obligations to PII principals | Rights documented in GDPR rights guide and CCPA notice |
| 7.3.2 | Determining information for PII principals | Privacy policy publicly available |
| 7.3.6 | Access to PII | Data export API (GET /v1/users/me/data) |
| 7.3.9 | PII de-identification and deletion | Account deletion with anonymization of audit logs |
| 7.4.5 | PII de-identification and deletion at end of processing | Data retention policy enforced; automated purge |
| 7.5.1 | International transfer | EU Standard Contractual Clauses, Data Privacy Framework |

Clause 8 — Additional ISO 27002 Guidance for PII Processors

| Control | Description | Implementation |
|---|---|---|
| 8.2.1 | Customer agreement | DPA template covers processor obligations |
| 8.2.2 | Organization's purposes | Processing only per customer instructions |
| 8.2.4 | Instruction documentation | Audit log records all data processing activities |
| 8.2.6 | Temporary files | No temporary files containing PII; all processing in-memory or database |
| 8.3.1 | Obligations to PII principals | Redirect to customer (controller) for rights requests |
| 8.4.1 | Transfer to third parties | Sub-processor list maintained; customer notified of changes |
| 8.5.1 | Notification of breach | 72-hour notification commitment in DPA |
| 8.5.2 | Breach response | Incident response plan with privacy breach procedures |

Privacy by Design

FeatureSignals incorporates privacy by design principles:

  1. Data minimization: Evaluation context is processed in-memory; only flag configurations are stored
  2. Purpose limitation: Personal data used only for stated purposes
  3. Storage limitation: Configurable data retention with automated purge
  4. Integrity and confidentiality: Encryption in transit and at rest
  5. Accountability: Comprehensive audit trail with integrity hashing

Records of Processing Activities (ROPA)

| Activity | Data Categories | Legal Basis | Retention | Recipients |
|---|---|---|---|---|
| Account management | Name, email | Contract | Account lifetime + 30 days | Internal |
| Authentication | Email, password hash, MFA seed | Contract | Account lifetime | Internal |
| Billing | Billing contact, plan | Contract | 7 years (tax) | Payment processor |
| Audit logging | User ID, IP, action | Legitimate interest | Per plan (90d–2yr) | Internal, customer export |
| Flag evaluation | Targeting attributes | Contract (processor) | Not stored (in-memory) | None |
| Support | Email, issue description | Contract | 3 years | Support tools |

Gap Analysis and Roadmap

| Area | Status | Target |
|---|---|---|
| Privacy policy | Implemented | Ongoing review |
| DPA template | Implemented | Legal review quarterly |
| Data subject rights | Implemented (GDPR + CCPA) | Extend as needed |
| Privacy impact assessment | Process defined | Per-feature assessment |
| Sub-processor management | List published | Notification workflow |
| International transfer | SCCs + DPF documented | Update per regulatory changes |
| ISO 27701 certification | Controls mapped | Audit when ISO 27001 certified |