DPA
Available on request for paid customers who require one.
Costr offers a Data Processing Agreement (DPA) for Pro and Team customers who need one for GDPR compliance or internal procurement requirements. The DPA formalizes the relationship between Costr as a data processor and your organization as the data controller.
A DPA is relevant if you are processing personal data on behalf of your end users through the Costr proxy — for example, if the customer IDs you pass in the x-costr-user header correspond to identifiable individuals.
As described in the security page, Costr stores only call metadata — token counts, model name, timestamp, and your opaque customer identifier. Prompt content and response bodies are never stored. The scope of personal data processed by Costr is therefore narrow.
Email support@costr.dev with the subject line DPA request and include your account email and organization name. Available to active Pro and Team subscribers. Turnaround within 3 business days.
Free tier accounts do not include a DPA. Upgrade to Pro or Team to request one.