Legal
Data Processing Addendum
COSai processes financial data on behalf of business customers. This page summarizes the terms; we sign the full DPA on request — email legal@cosai.tech and we'll send it within one business day.
Roles
For data you connect to COSai (bank, accounting, payroll, and email data, including data about your employees, customers, and vendors), you are the controller and COSai is the processor. We process that data only on your documented instructions — to operate the Service — and not for our own purposes.
Scope of processing
- Subject matter: provision of COSai's financial-intelligence service.
- Duration: the term of your subscription.
- Nature/purpose: ingesting, categorizing, reconciling, and surfacing financial data and documents.
- Categories of data: financial transactions, accounting and payroll records, and financial documents extracted from connected mailboxes (read-only).
- Data subjects: you, your personnel, and the third parties reflected in your financial records.
Subprocessors
We use the following subprocessors, each under a contract requiring appropriate safeguards:
- Anthropic — AI processing of financial data (zero-retention; no model training)
- Amazon Web Services — cloud hosting, database, and encrypted storage (US)
- Plaid — read-only bank transaction data
- Google — read-only Gmail access for financial-document extraction
- Microsoft — read-only Outlook / Microsoft 365 mail access
- Finch — payroll data aggregation
- Stripe — subscription billing and payments
- Clerk — authentication and identity (incl. multi-factor)
- Twilio — SMS notifications (only if you opt in)
We give notice before adding or replacing a subprocessor so you can object.
Security, data-subject rights & breach notification
We maintain technical and organizational measures appropriate to the data (per-tenant envelope encryption, AWS KMS, encryption in transit and at rest, required multi-factor authentication, immutable access logging, and least-privilege access). We assist you in responding to data-subject access, correction, and deletion requests. We notify you without undue delay — and in any event consistent with the 30-day FTC Safeguards Rule timeline — after becoming aware of a security incident affecting your data.
Return & deletion on termination
On termination you may export your data for 30 days. After that, we delete or return your data within 30 days, except data we are required to retain by law (for example, certain financial records for up to 7 years), which remains protected under this addendum until its retention period ends. Disconnecting a source deletes the data harvested from it. See our data deletion policy.
Need custom redlines? We redline directly during intake — email legal@cosai.tech.