Data Processing Addendum

Last updated: April 29, 2026

Version 2026-04-29 · Effective April 29, 2026

This Cover Page incorporates the Common Paper Data Processing Agreement Standard Terms (Version 1.1), available at commonpaper.com/standards/data-processing-agreement/1.1. Standard Terms are incorporated by reference and have not been modified except as expressly stated in this Cover Page.

This DPA is incorporated into and forms part of the Costa Cloud Service Agreement between Costa Security Inc. (“Provider”) and Customer.


Parties

Provider: Costa Security Inc. Provider Address: 3790 El Camino Real #1090, Palo Alto, CA 94306 Provider Privacy / Security Contact: security@costa.app

Customer: As identified in the Cloud Service Agreement.

Effective Date: Same as the Cloud Service Agreement.


Key Terms

Governing Member State: Ireland

Provider Security Policy: costa.app/security

Approved Subprocessors: trust.costa.app

Notice Period for New Subprocessors: 30 days


Annex I(B) · Processing Details

Field Details
Categories of Data Subjects Customer’s employees, contractors, and agents; end users of Customer’s AI-powered products routing through Costa
Categories of Personal Data Account data (name, email, org); interaction metadata (timestamps, token counts, model IDs, agent IDs, latency); thread content (prompts and responses); technical data (IP address, browser, device); security scan results
Special Category Data None authorized unless specified in an Order Form
Nature and Purpose of Processing Proxy routing; observability and session recording; security scanning (Tool Defender); analytics and billing; storage and deletion per CSA Additional Term 3
Duration of Processing Subscription Period plus applicable retention periods per CSA Additional Term 3
Frequency of Transfer Continuous during Subscription Period

Annex II · Technical and Organizational Measures

Control Area Measures
Encryption TLS 1.2+ in transit; AES-256 at rest; HSM-backed key management
Access Control Role-based least-privilege; MFA for all internal systems; quarterly access reviews
Audit Logging All access to Customer Data logged with timestamp, actor, and action; logs retained for Subscription Period + 60 days
Incident Response Documented incident response plan; 72-hour breach notification target; annual tabletop exercises
Vulnerability Management Annual penetration testing; continuous vulnerability scanning; coordinated disclosure program
Physical Security AWS data center controls (ISO 27001 certified)
Personnel Confidentiality obligations; annual security training; background checks for personnel with Customer Data access
Business Continuity Multi-region replication; automated backups; documented recovery procedures
Sub-processor Oversight Equivalent data protection terms imposed on all sub-processors; annual compliance review

Annex III · Approved Subprocessors

See live list at trust.costa.app.


Additional Terms

Retention and Deletion. Upon termination of the Cloud Service Agreement, Customer has a 30-day window to export Customer Data in machine-readable format (JSON). Provider will delete Customer Data within 30 days after the export window closes, except for billing data (6 years, tax/audit) and data required by law. Provider will certify deletion in writing upon request.

SOC 2 in lieu of audit. Provider’s current SOC 2 Type II report, provided under NDA upon request, will satisfy Customer’s audit rights unless Customer demonstrates a specific compliance need not addressed by the report.

EU Data Residency. Customers using eu.costa.app have all Customer Data processed and stored exclusively within the EEA.


Changelog

Version Date Summary
2026-04-29 April 29, 2026 Initial version. Adopts Common Paper DPA 1.1.