Security

Last updated: April 29, 2026

Version 2026-04-29 · Effective April 29, 2026

This page describes how Costa Security Inc. (“Costa”) secures the Costa Platform and Customer data. For contractual security commitments, see our Cloud Service Agreement and Data Processing Addendum.


What Costa Is — and Is Not

Costa is an AI gateway and observability platform. It sits between your AI coding agents and third-party model providers (Anthropic, OpenAI, Google, and others).

Costa does not:

Costa does:


Encryption

Layer Standard
Data in transit TLS 1.2+ on all connections
Data at rest AES-256
Key management HSM-backed; keys rotated regularly
Provider Tokens (customer API keys) AES-256 at rest; never logged in plaintext

Access Controls


Tool Defender

Tool Defender is Costa’s AST-based security scanning engine. It analyzes agent tool calls and requests in real time, flagging:

Important: Tool Defender operates on a best-effort basis. It does not warrant detection of all threats. Customers should implement additional defense-in-depth appropriate to their use case. Tool Defender’s detection rules are Costa’s trade secrets and may not be reverse engineered.


Data Handling

Data Type Default Retention Configurable
Interaction Metadata Subscription Period + 60 days Enterprise (per Order Form)
Thread Content 30 days Yes (Costa settings)
Billing Data 6 years No (tax/audit requirement)
Provider Tokens Until revoked by customer N/A
Security Scan Results Same as Interaction Metadata Enterprise (per Order Form)

No training: Costa never uses your prompts, responses, or thread content to train any AI/ML model. This applies to all tiers including free. See Cloud Service Agreement for the full legal commitment.

EU data residency: Customers using eu.costa.app have all data processed and stored exclusively within the EEA.


Infrastructure


Compliance

Standard Status
SOC 2 Type II In progress
GDPR Compliant — see DPA
CCPA / CPRA Compliant — see Privacy Policy
EU AI Act (Article 3) Costa operates as intermediary, not AI Provider
EU Data Act Data portability commitments in CSA

SOC 2 report available under NDA — request at security@costa.app.


Incident Response


Vulnerability Disclosure

Costa operates a responsible disclosure program.


Penetration Testing

Costa conducts annual third-party penetration testing. A summary of findings and remediation status is available under NDA upon request at security@costa.app.


Security Questionnaires

Costa accepts CAIQ, SIG, VSAQ, and custom questionnaires. Response SLA: 5 business days. Contact enterprise@costa.app.


Subprocessors

See trust.costa.app for the full list of subprocessors, their locations, and GDPR posture.


Contact

Security incidents and vulnerability reports: security@costa.app Enterprise security reviews and questionnaires: enterprise@costa.app Privacy and data subject rights: privacy@costa.app


Changelog

Version Date Summary
2026-04-29 April 29, 2026 Initial version.