Data Processing Addendum
Last updated: April 29, 2026
Version 2026-04-29 · Effective April 29, 2026
This Cover Page incorporates the Common Paper Data Processing Agreement Standard Terms (Version 1.1), available at commonpaper.com/standards/data-processing-agreement/1.1. Standard Terms are incorporated by reference and have not been modified except as expressly stated in this Cover Page.
This DPA is incorporated into and forms part of the Costa Cloud Service Agreement between Costa Security Inc. (“Provider”) and Customer.
Parties
Provider: Costa Security Inc. Provider Address: 3790 El Camino Real #1090, Palo Alto, CA 94306 Provider Privacy / Security Contact: security@costa.app
Customer: As identified in the Cloud Service Agreement.
Effective Date: Same as the Cloud Service Agreement.
Key Terms
Governing Member State: Ireland
Provider Security Policy: costa.app/security
Approved Subprocessors: trust.costa.app
Notice Period for New Subprocessors: 30 days
Annex I(B) · Processing Details
| Field | Details |
|---|---|
| Categories of Data Subjects | Customer’s employees, contractors, and agents; end users of Customer’s AI-powered products routing through Costa |
| Categories of Personal Data | Account data (name, email, org); interaction metadata (timestamps, token counts, model IDs, agent IDs, latency); thread content (prompts and responses); technical data (IP address, browser, device); security scan results |
| Special Category Data | None authorized unless specified in an Order Form |
| Nature and Purpose of Processing | Proxy routing; observability and session recording; security scanning (Tool Defender); analytics and billing; storage and deletion per CSA Additional Term 3 |
| Duration of Processing | Subscription Period plus applicable retention periods per CSA Additional Term 3 |
| Frequency of Transfer | Continuous during Subscription Period |
Annex II · Technical and Organizational Measures
| Control Area | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256 at rest; HSM-backed key management |
| Access Control | Role-based least-privilege; MFA for all internal systems; quarterly access reviews |
| Audit Logging | All access to Customer Data logged with timestamp, actor, and action; logs retained for Subscription Period + 60 days |
| Incident Response | Documented incident response plan; 72-hour breach notification target; annual tabletop exercises |
| Vulnerability Management | Annual penetration testing; continuous vulnerability scanning; coordinated disclosure program |
| Physical Security | AWS data center controls (ISO 27001 certified) |
| Personnel | Confidentiality obligations; annual security training; background checks for personnel with Customer Data access |
| Business Continuity | Multi-region replication; automated backups; documented recovery procedures |
| Sub-processor Oversight | Equivalent data protection terms imposed on all sub-processors; annual compliance review |
Annex III · Approved Subprocessors
See live list at trust.costa.app.
Additional Terms
Retention and Deletion. Upon termination of the Cloud Service Agreement, Customer has a 30-day window to export Customer Data in machine-readable format (JSON). Provider will delete Customer Data within 30 days after the export window closes, except for billing data (6 years, tax/audit) and data required by law. Provider will certify deletion in writing upon request.
SOC 2 in lieu of audit. Provider’s current SOC 2 Type II report, provided under NDA upon request, will satisfy Customer’s audit rights unless Customer demonstrates a specific compliance need not addressed by the report.
EU Data Residency. Customers using eu.costa.app have all Customer Data processed and stored exclusively within the EEA.
Changelog
| Version | Date | Summary |
|---|---|---|
| 2026-04-29 | April 29, 2026 | Initial version. Adopts Common Paper DPA 1.1. |