Acceptable Use Policy
Last updated: April 29, 2026
Version 2026-04-29 · Effective April 29, 2026
This Acceptable Use Policy (“AUP”) governs all use of the Costa Platform by Customer and Customer’s authorized users and agents. By accessing or using Costa, you agree to comply with this policy.
Costa is an AI gateway and observability platform — an intermediary between your AI agents and third-party model providers. The responsibilities in this AUP reflect that role: Costa cannot control what you build or route, but we can and will act when use of the platform causes harm.
Part 1 · Universal Prohibitions
The following are prohibited for all customers, on all tiers, at all times. There are no exceptions.
1.1 Illegal Activity
Use Costa in violation of any applicable law or regulation, including but not limited to those of California, the United States, the European Union, the United Kingdom, or any jurisdiction in which Costa operates infrastructure — including export controls, sanctions, anti-money laundering, and data protection regulations.
1.2 Critical Infrastructure
Use Costa to attack, disrupt, or impair critical infrastructure, including power grids, water systems, telecommunications networks, financial systems, voting systems, medical devices, or healthcare databases.
1.3 Computer and Network Attacks
Use Costa to facilitate unauthorized access to systems or networks; deploy or distribute malware, ransomware, viruses, or botnets; conduct denial-of-service attacks; harvest credentials; or carry out prompt injection attacks targeting other users or systems.
1.4 Weapons
Use Costa to assist in the design, modification, production, or regulatory circumvention of weapons, including conventional weapons, biological, chemical, nuclear, or radiological weapons, or any technology with primary weapons applications.
1.5 Violence and Hateful Behavior
Use Costa to generate content that incites, facilitates, or glorifies violence, terrorism, or extremism; harasses or threatens individuals; or discriminates against individuals based on race, ethnicity, gender, religion, sexual orientation, disability, or other protected characteristics.
1.6 Privacy Violations
Use Costa to collect, process, or expose personal data unlawfully; collect biometric data without consent; conduct unauthorized surveillance; or facilitate identity theft or impersonation.
1.7 Child Safety
Use Costa to generate, distribute, or facilitate child sexual abuse material (CSAM), including synthetic CSAM; facilitate child trafficking, sextortion, or grooming; or produce any content that sexualizes minors.
1.8 Psychological Harm
Use Costa to generate content that glorifies self-harm or suicide; conduct predatory psychological manipulation; or facilitate coercive control.
1.9 Misinformation
Use Costa to generate deceptive health, legal, scientific, or financial content; attribute statements to real people without their consent; create fake personas for coordinated inauthentic behavior; or interfere with electoral processes.
1.10 Fraud and Deception
Use Costa to facilitate phishing, counterfeiting, fake reviews, impersonation scams, insurance fraud, or any scheme to deceive individuals or organizations for financial gain.
1.11 Explicit Sexual Content
Use Costa to generate non-consensual intimate imagery, explicit sexual content involving real individuals without consent, or fetish content targeting real or identifiable people.
1.12 Platform Abuse
Use Costa to scrape, distill, or replicate Costa’s models or security detection capabilities; circumvent bans or access restrictions; conduct coordinated malicious activity across multiple accounts; or attempt to reverse engineer Costa’s systems.
Part 2 · High-Risk Uses
The following uses are permitted on Costa but require you to implement human oversight and disclose AI use to affected individuals. Failure to do so is a violation of this AUP.
Human-in-the-loop and AI disclosure are required when using Costa for:
- Legal advice — drafting legal documents, providing legal guidance, or making legally consequential determinations
- Medical and mental health — clinical decision support, diagnosis assistance, or mental health intervention
- Financial decisions — lending, creditworthiness assessment, investment advice, or insurance underwriting
- Employment and housing — hiring, firing, housing allocation, or benefits eligibility decisions
- Education — academic admissions, grading, accreditation, or standardized testing
- Automated journalism — generating content presented as factual news without human editorial review
- Services involving minors — any use where the end users are or may be under 18 years of age
“Human-in-the-loop” means a qualified human reviews AI-generated outputs before they are acted upon. “AI disclosure” means informing affected individuals that AI was used in a decision or output that affects them.
Part 3 · Costa-Specific Prohibitions
In addition to the universal prohibitions above, the following are prohibited because of the specific nature of Costa as a proxy and security platform.
3.1 Upstream Provider Violations
Circumvent, bypass, violate, or facilitate violation of the terms of service, rate limits, or usage policies of any third-party AI model provider (including Anthropic, OpenAI, and Google). Violation of an upstream provider’s policy while routing through Costa is a violation of this AUP.
3.2 Building Competing Products
Use the Costa Platform to design, build, train, or operate a competing AI gateway, observability platform, or agent security product; or to distill, replicate, or extract Costa’s routing logic, security detection capabilities, or Tool Defender rules.
3.3 Reverse Engineering Tool Defender
Reverse engineer, decompile, disassemble, probe, or otherwise attempt to extract the logic, patterns, rules, or signatures used by Tool Defender or any Costa security feature. Tool Defender’s detection rules are Costa’s trade secrets. Authorized security research must be coordinated with security@costa.app in advance.
3.4 Identity Misrepresentation
Impersonate another user, agent, application, or organization when routing requests through Costa or interacting with upstream providers.
3.5 Credential Abuse
Use stolen, leaked, or unauthorized API keys or credentials with Costa; use Costa to exfiltrate, harvest, or compromise credentials or API tokens; or use Costa to generate excessive charges against another party’s provider account.
3.6 Excessive Load
Generate unreasonable load on Costa infrastructure through automated abuse, denial-of-service activity, or systematic resource exhaustion outside normal usage patterns.
3.7 Unauthorized Resale
Resell, sublicense, or provide third-party access to the Costa Platform outside your organization’s authorized users, except as explicitly permitted in an Order Form.
Part 4 · Agent Operator Responsibilities
When you route AI agents through Costa, you are responsible for those agents’ behavior. Costa tokens are identities — each token represents an accountable actor in the system.
- Monitor your agents. You are responsible for the actions of all agents operating under your Costa API tokens.
- Respect token boundaries. Each Costa API token is a separate identity. Do not share tokens in ways that obscure accountability or undermine observability.
- Review security alerts. Respond to Tool Defender alerts and security notifications promptly.
- Rotate credentials regularly. Rotate Costa API tokens and any third-party provider tokens stored with Costa on a regular schedule.
- Disclose AI use. Where required by law or this AUP, disclose to end users that AI was used.
Part 5 · Upstream Provider Compliance
When routing requests through Costa, you must comply with the acceptable use policies of every upstream AI model provider you route to:
Violation of an upstream provider’s usage policy through Costa is a violation of this AUP.
Part 6 · Enforcement
Costa may take any of the following actions in response to AUP violations:
| Action | Circumstances |
|---|---|
| Warning and request to cure | First-time or minor violations |
| Suspension of specific tokens or features | Ongoing or moderate violations |
| Immediate account suspension | Severe violations or security threats |
| Permanent account termination | Repeated violations or violations of §§1.7, 1.3, 3.2, 3.3 |
Costa is not obligated to provide notice or an opportunity to cure before taking action. Violations involving child safety (§1.7), computer attacks (§1.3), competing product builds (§3.2), or Tool Defender reverse engineering (§3.3) may result in immediate permanent termination without notice.
Part 7 · Reporting
To report an AUP violation: security@costa.app
Anonymous reports are accepted. Costa will investigate all good-faith reports.
Part 8 · Changes
Costa will provide at least 30 days notice before making material changes to this AUP. Continued use after the notice period constitutes acceptance of the revised AUP.
Changelog
| Version | Date | Summary |
|---|---|---|
| 2026-04-29 | April 29, 2026 | Major rewrite. Added universal prohibited use tier (Part 1), high-risk use tier (Part 2), competing product and Tool Defender reverse engineering prohibitions (Part 3). |
| 2026-03-17 | March 17, 2026 | Initial version. |