Cloud Service Agreement

Last updated: April 29, 2026

Version 2026-04-29 · Effective April 29, 2026

This Cover Page incorporates by reference:

Standard Terms are incorporated by reference and have not been modified except as expressly stated in the Other Changes section of this Cover Page.


Our Commitments to You

Before the legal language, here is what we commit to in plain English. These are not marketing claims — they are backed by specific provisions in this agreement.

# Commitment Legal backing
1 Your data is your data. If you generate it, you own it. AI Addendum Variables; Additional Term 3
2 We will never train on your data. Not on the free tier. Not on Enterprise. Not ever. AI Addendum Variables; Other Changes §1
3 We may use your data to surface insights for you. Summaries and analytics are built for your benefit, not ours. AI Addendum Variables
4 We may build things unique to your business — custom models, RAGs — but we do not claim ownership of those. AI Addendum Variables
5 We own the harnesses. The infrastructure and tooling we use to build those artifacts is Costa’s IP. AI Addendum Variables
6 You can move your data off our platform. 30-day export window on termination, machine-readable format, no barriers. Additional Terms 3, 10

Order Form

Provider: Costa Security Inc. Provider Address: 3790 El Camino Real #1090, Palo Alto, CA 94306 Provider Notice Email: legal@costa.app

Customer: As identified in the applicable Order Form or account registration. Customer Notice Address: As provided in Customer’s account or Order Form.

Effective Date: The date Customer accepts this Agreement or first accesses the Cloud Service, whichever is earlier.

Cloud Service: The Costa Platform — a managed AI gateway providing an observability, security, and control layer between Customer’s AI coding agents and third-party AI model providers. Includes all related APIs, dashboard, CLI, TUI, documentation, and updates. Costa is an intermediary — it does not generate AI content, train AI models, or operate as an AI model provider. Under Article 3 of the EU AI Act (Regulation 2024/1689), Costa operates as an intermediary, not an AI Provider or Deployer.

Subscription Period: One (1) year from the Effective Date, automatically renewing for successive one (1) year periods unless either party provides written notice of non-renewal at least thirty (30) days before the end of the then-current Subscription Period.

Fees: As set forth in the applicable Order Form or published at costa.app/pricing.

Payment:

Technical Support:

Channel Availability
Email (support@costa.app) Mon–Fri, 9 AM – 6 PM US Pacific (excl. US federal holidays)
Enterprise Priority support per Order Form

Use Limitations: In addition to Standard Terms §2, Customer must not:

(a) Circumvent, bypass, or violate the terms of service, rate limits, or usage policies of any third-party AI model provider.

(b) Facilitate attacks on, or unauthorized access to, any third-party systems, networks, or AI model providers.

(c) Resell, sublicense, or provide access to the Costa Platform to third parties except through Customer’s authorized agents and users.

(d) Reverse engineer, decompile, disassemble, or attempt to extract source code, algorithms, security detection rules, or Tool Defender scanning patterns.

(e) Design, build, train, or operate a competing AI gateway, agent observability platform, or agent security product; or distill, replicate, or extract Costa’s routing logic or security detection capabilities.

(f) Violate the Costa Acceptable Use Policy at costa.app/legal/aup, incorporated by reference.

Prohibited Data: None authorized unless specified in an Order Form. Pass-through traffic (prompts and responses routed between Customer’s agents and model providers) is transient data processed only as necessary to provide the Cloud Service, and is not considered “submitted to” the Cloud Service per Standard Terms §3.2, except where retained per Additional Term 3.


Key Terms

Governing Law / Venue:

Customer Location Governing Law Venue
EEA, Switzerland, or UK Laws of Ireland Dublin, Ireland
All others Laws of California, USA Santa Clara County, CA

General Cap: Total Fees paid or payable by Customer in the 12 months preceding the event giving rise to liability.

Increased Cap (2× General Cap):

Unlimited Claims:

Provider Covered Claims: Third-party claims that the Costa Platform itself (excluding third-party model provider services, outputs, or APIs; excluding Customer Content; excluding combinations with non-Costa technology) infringes or misappropriates intellectual property rights. Costa does not pass through or assume any model output IP indemnity — Customer should rely on upstream provider indemnities for output IP claims.

Customer Covered Claims: Third-party claims arising from: (a) Customer Content; (b) use in violation of this Agreement, the AUP, or applicable law; (c) violation of any third-party model provider’s terms of service; (d) any Customer application, agent, or end-user product integrating with Costa.

Additional Warranties: Provider maintains:

Logo Rights: Provider may identify Customer as a Costa user in marketing materials. Customer may opt out at any time via written notice to legal@costa.app.


AI Addendum Variables

Training Data: None. Provider may not use Customer’s Inputs or Outputs to Train any Model.

Training Purposes: Not applicable.

Training Restrictions: Provider will not use any Customer Content — including Inputs, Outputs, prompts, responses, tool calls, thread content, or interaction metadata — to develop, train, fine-tune, or improve any AI/ML model, whether owned by Provider or any third party. This restriction applies to all subscription tiers including the free tier.

Improvement Restrictions: Provider may use aggregated, de-identified Usage Data (token counts, latency metrics, error rates, feature usage patterns) to maintain and improve the Costa Platform. Provider may NOT use prompt, response, or thread content for any purpose unless aggregated and de-identified so it cannot reasonably identify Customer or any User.

High-Risk Use Restrictions: Customer must comply with Part 2 of the Costa Acceptable Use Policy (High-Risk Uses) at costa.app/legal/aup.


Service Level Agreement Variables

SLA Availability: Pro tier and above. Free tier has no uptime commitment.

Target Uptime:

Uptime Credit:

Monthly Uptime Achieved Credit
≥99.0% and <99.9% 10% of monthly Cloud Service Fees
≥95.0% and <99.0% 25% of monthly Cloud Service Fees
<95.0% 50% of monthly Cloud Service Fees

Maximum credits per month: 50% of monthly Cloud Service Fees for the affected service. Per Standard Terms SLA §3.3, credits will not accumulate within a Subscription Period to more than 8% of Cloud Service Fees for that period.

Target Response Time: 1 business day (Pro); 4 business hours (Enterprise, or as specified in Order Form).

Response Time Credit: 10% of monthly Cloud Service Fees per incident where Provider fails to meet Target Response Time.

Excluded Minutes: Unavailability caused by: (a) third-party AI model provider outages or performance degradation; (b) Customer’s misconfiguration, actions, or failure to follow documentation; (c) Beta Services or features designated as preview or early access; (d) Scheduled Downtime; (e) events beyond Provider’s reasonable control (Force Majeure per Standard Terms §11.10).

Scheduled Downtime: Provider will give at least 7 days advance notice for planned maintenance windows. Scheduled Downtime does not count toward uptime calculations.


Other Changes to Standard Terms

1. Section 1.6 (Machine Learning) — deleted and replaced:

Delete Standard Terms Section 1.6 in its entirety and replace with:

“No AI Training. Provider may not use Customer Content or Usage Data to train any artificial intelligence, machine learning, large language models, or other similar networks, algorithms, or systems.”

2. Section 11.7 and 11.8 (Dispute Resolution) — deleted and replaced:

Delete Standard Terms Sections 11.7 and 11.8 in their entirety and replace with:

“Dispute Resolution. Before initiating formal proceedings, the parties will attempt to resolve any dispute informally for 60 days following written notice. Disputes not resolved informally will be submitted to binding arbitration before a sole arbitrator under the rules and at the venue specified below. All disputes will be resolved on an individual basis — neither party may participate in a class, consolidated, or representative action. Either party may seek relief in small claims court or seek injunctive relief to protect intellectual property, trade secrets, or prevent unauthorized use of the Cloud Service.

Customer Location Rules Venue  
EEA, Switzerland, or UK UNCITRAL Dublin, Ireland  
All others JAMS Comprehensive Santa Clara County, CA

Additional Terms

Additional Term 1 · Proxy Service; Conduit Role

Costa operates as an intermediary proxy gateway. In Pass-Through Mode (where Customer’s own API key is forwarded to the model provider), Provider acts solely as a technical conduit. Provider does not generate, select, or modify AI content from third-party providers. Provider is not the provider of any AI output.

Additional Term 2 · Third-Party Model Provider Compliance

Customer is solely responsible for: (a) maintaining valid provider accounts and API keys; (b) complying with all provider terms, usage policies, and acceptable use policies; (c) the consequences of any provider’s outputs, downtime, pricing changes, or policy changes. Provider makes no representations or warranties regarding the availability, accuracy, reliability, or performance of any third-party provider or its outputs.

Additional Term 3 · Data Handling and Retention

(a) Interaction Metadata (timestamps, token counts, model IDs, tool call names, latency, agent IDs, app labels): collected for observability, security, analytics, and billing. Default retention: Subscription Period plus 60 days. Enterprise customers may configure custom retention per Order Form.

(b) Thread Content (prompts and responses): collected for thread viewing and security analysis. Default retention: 30 days. Configurable in Costa settings. Enterprise customers may configure custom retention per Order Form.

(c) Billing Data: retained 6 years for tax and audit purposes.

(d) Post-Termination: Customer has a 30-day export window. Provider will delete Customer data within 30 days after the export window closes, except for billing data and legally required retention. Data is available in machine-readable format (JSON) upon request.

Additional Term 4 · Security Scanning Disclaimer

Tool Defender and other security features use pattern matching and AST-based analysis on a best-effort basis. Provider does not warrant complete detection of all security threats or malicious activity. Customer is responsible for implementing additional security measures appropriate to its use case.

Additional Term 5 · Token Identity

Each Costa API token constitutes a separate identity with its own thread history and usage tracking. Customer is responsible for token lifecycle management including creation, rotation, and revocation.

Additional Term 6 · Provider Token Handling

When Customer provides third-party API keys (“Provider Tokens”): (a) stored encrypted at rest (AES-256); (b) used only to route requests on Customer’s behalf; (c) Customer warrants that storage does not violate the applicable provider’s terms; (d) Customer is responsible for security, rotation, and revocation of all Provider Tokens.

Provider disclaims all liability arising from the storage, use, compromise, or unauthorized access of Provider Tokens. Customer assumes all risk, including losses from token compromise, revocation, or misuse by third parties.

Additional Term 7 · Reseller and End-User Obligations

If Customer’s product is used by Customer’s own end users, Customer must: (a) have all necessary rights to do so; (b) publish its own privacy policy and terms covering AI use; (c) disclose AI use to end users where required by law; (d) not represent Costa as endorsing or underwriting the end-user product.

Additional Term 8 · Beta Services

Features designated as beta, preview, or early access are: (a) provided “AS IS” without warranty or SLA; (b) subject to change or discontinuation without notice; (c) excluded from Provider’s indemnification obligations; (d) not subject to the same security commitments as generally available features.

Additional Term 9 · EU Data Residency

For customers using eu.costa.app: all Customer data is processed and stored exclusively within the EEA. No transfer outside the EEA will occur except (i) with Customer’s prior written consent, or (ii) as required by law using Standard Contractual Clauses or other approved transfer mechanisms.

Additional Term 10 · EU Data Act

In accordance with Regulation (EU) 2023/2854, Provider will: (a) make Customer data available for export in machine-readable format (JSON) within 30 days of request; (b) provide reasonable switching assistance upon termination per Additional Term 3(d); (c) not impose unreasonable barriers to Customer’s data portability rights.

Additional Term 11 · Export Controls and Sanctions

Customer may not export or provide access to the Cloud Service where prohibited under applicable U.S. or international trade laws. Customer represents it is not located in an embargoed country; not listed on the SDN, Entity, or Denied Persons lists; and will comply with all applicable export control and sanctions laws.

Additional Term 12 · Acceptable Use Policy

Compliance with the Costa Acceptable Use Policy at costa.app/legal/aup is required. Provider will give at least 30 days notice before making material changes to the AUP. Continued use after the notice period constitutes acceptance.

Additional Term 13 · Data Processing and Privacy

Provider’s Data Processing Addendum at costa.app/legal/dpa is incorporated by reference for customers subject to GDPR, UK GDPR, Swiss FADP, or CCPA/CPRA. Provider’s Privacy Policy at costa.app/legal/privacy applies to all processing of personal data. Provider maintains a subprocessor list at trust.costa.app and will give at least 30 days notice before engaging new subprocessors.


Definitions

In addition to terms defined in the Common Paper Standard Terms and AI Addendum, the following terms apply throughout this Agreement:

Term Definition
Cosmic Routing Costa’s intelligent model routing feature that spreads requests across providers based on performance, cost, and availability.
Pass-Through Mode Operating mode in which Customer’s own Provider Token is forwarded to the upstream model provider and Costa acts solely as a technical conduit.
Provider Token A third-party API key or credential provided by Customer and stored with Costa for use in routing requests to model providers.
Thread A session of sequential Inputs and Outputs associated with a single Costa API Token, stored for observability and security analysis.
Token Identity The identity represented by a single Costa API Token, with isolated thread history, usage tracking, and accountability.
Tool Defender Costa’s AST-based security scanning feature that analyzes agent tool calls and requests for security threats and policy violations.

Note: Input, Output, Model, Train, and AI System are defined in the Common Paper AI Addendum Standard Terms (Version 1.0).


Changelog

Version Date Summary
2026-04-29 April 29, 2026 Full restructure to follow Common Paper Cover Page best practices. Added SLA Variables section incorporating Common Paper SLA 2.0. Moved ML override and dispute resolution to Other Changes section with explicit Standard Terms references. Renamed custom sections to Additional Terms to avoid numbering conflicts with Standard Terms. Added reseller obligations, output IP carve-out, EU AI Act statement, token identity, provider token disclaimer, beta services clause.
2026-03-17 March 17, 2026 Initial version.