Costa Security Privacy Policy

Costa Security Privacy Policy

🔖

Version 1.0

Effective Date: April 14, 2025

Retired Date: not applicable, currently in effect

These Costa Security Privacy Policy (Version 1.0) will remain hosted on this page at https://about.costa.security/privacy-1-0.

Any future changes to these terms will be issued under a new version number and posted on a different web page.

This Privacy Policy supplement (”Supplement”) enhances and clarifies the privacy and security practices described in our Costa Security Terms of Service version 1.0 (the “Terms”) and the Costa Security Data Processing Agreement (the “DPA”) and by its inclusion the Common Paper Cloud Service Agreeement version 2.0 (the “CSA”).

1. Information We Collect

In connection with providing cloud services under the CSA, we may collect and process the following types of personal and sensitive user data:

  • Identifiers (e.g., names, emails, IP addresses, device IDs)
  • Usage data (e.g., actions taken within our services)
  • Device information (e.g., OS, model, app version)
  • Location data (only when necessary and with permission)
  • Third-party data (e.g., data a user adds to our platform, such as customer or partner information)

We do not collect data beyond what is necessary to deliver, secure, and improve the service.

2. How We Use the Data

We use personal data for the following purposes:

  • To operate and improve the services described in the CSA
  • To ensure service availability and performance
  • For customer support and troubleshooting
  • To comply with legal obligations or enforce terms

We do not sell or share user data with third parties for marketing or profiling purposes.

We do not use third-party data to train generalized AI or machine learning models.

3. How We Protect Your Data

Security practices are governed by Section 5.4 (Privacy and Security) of the CSA. We implement industry-standard safeguards, including:

  • Encryption in transit and at rest
  • Access control and authentication
  • Security monitoring and incident response

We regularly assess our systems for vulnerabilities and apply updates promptly.

4. Data Sharing

Data may be shared with:

  • Authorized subprocessors, as outlined in the CSA
  • Legal authorities, when required by law or court order

Each such disclosure is carefully reviewed to ensure compliance with applicable privacy laws and minimal intrusion on user privacy.

5. International Data Transfers

If user data is transferred outside of its country of origin, we ensure adequate protection is in place through mechanisms such as standard contractual clauses or other lawful bases.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the data we hold about you
  • Request corrections or deletions
  • Object to or limit certain processing
  • Withdraw consent, where applicable
  • Remove your data from our platform (where noted in the DPA)

To exercise these rights, please contact us at hi@costa.security.

7. Contact

If you have any questions about this policy or our privacy practices, you can contact Costa Security.

By email:

hi@costa.security

By mail:

Costa Security, Inc 3790 El Camino Real #1090 Palo Alto, CA 94306 United States

Incorporation By Reference

This Supplement should be read in conjunction with the Terms and the CSA, particularly the Privacy and Security section. Where there is any ambiguity, this document provides clarification only and does not create additional obligations or require new acceptance by the user.

Terms: https://about.costa.security/terms/1-0

DPA: https://about.costa.security/dpa-1-0

CSA: https://commonpaper.com/standards/cloud-service-agreement/2.0/