Effective: April 2026
This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service between CoStar AI Agent (the "Processor") and you or your organization (the "Controller").
Controller: The individual or organization that determines the purposes and means of processing personal data (i.e., you, the subscriber).
Processor: CoStar AI Agent and its parent organization, which processes personal data on behalf of the Controller in accordance with documented instructions.
Personal Data: Any information relating to an identified or identifiable natural person, including email address, subscriber name, usage patterns, and any CoStar listing data submitted for analysis.
Processing: Any operation performed on personal data, including collection, recording, organization, use, transmission, storage, erasure, or any other manipulation.
Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
Data Subject: The individual to whom personal data relates.
Applicable Data Protection Laws: The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable state, federal, and international data protection regulations.
The Processor processes personal data solely to provide the CoStar AI Agent service as described in the service terms. Personal data processed by the Processor includes:
The Processor will not process personal data for any purpose other than providing the service without the prior written instruction of the Controller.
The Processor processes personal data only on documented instructions from the Controller. Instructions are provided through the service terms and any supplementary written agreements. The Processor will not process personal data beyond the scope of documented instructions without obtaining prior written authorization from the Controller.
The Processor ensures that persons authorized to process personal data are committed to confidentiality or under an appropriate legal obligation of confidentiality.
The Processor implements appropriate technical and organizational security measures to protect personal data against accidental or unlawful processing, including:
The Processor will assist the Controller in fulfilling requests from data subjects regarding access, rectification, erasure, portability, restriction, and objection to processing. Requests must be submitted in writing to privacy@costarai.co, and the Processor will respond within 30 days.
The Processor will notify the Controller without undue delay and in no case later than 72 hours after becoming aware of a personal data breach. Notifications will include: (a) the nature of the breach; (b) categories of personal data affected; (c) likely consequences; (d) measures taken or proposed to mitigate the breach.
Upon termination of the service agreement, the Processor will delete or return all personal data belonging to the Controller within 30 days unless retention is required by applicable law. The Processor will certify deletion in writing upon request.
The Processor has authorized the following sub-processors to process personal data on behalf of the Controller:
The Processor will notify the Controller at least 30 days before adding or removing sub-processors. If the Controller objects to the appointment of a new sub-processor, the Controller may terminate the service without penalty.
All personal data is processed and stored within the United States. For international data transfers from the EU or other regions, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the relevant data protection authorities. The Processor will ensure all sub-processors are contractually bound to equivalent data protection standards.
The Processor implements industry-standard security measures including:
The Processor will assist the Controller in enabling data subjects to exercise their rights under applicable data protection laws, including:
Requests to exercise these rights must be submitted in writing to privacy@costarai.co. The Processor will respond within 30 days.
The Controller may audit the Processor's compliance with this DPA upon at least 30 days' written notice. Audits may be conducted no more than once per calendar year unless there is a reasonable basis for a special audit. The Processor will cooperate with audits conducted by the Controller or an independent third-party auditor designated by the Controller, subject to reasonable confidentiality protections.
In the event of a personal data breach, the Processor will notify the Controller without undue delay and in no case later than 72 hours after discovering the breach. The notification will include:
The Processor will cooperate fully with the Controller in meeting any notification obligations to data subjects or regulatory authorities.
This DPA is effective for the duration of the service agreement between the Controller and the Processor. Upon termination of the service agreement for any reason, the Processor will, at the Controller's election, delete or return all personal data within 30 days unless the Processor is required by law to retain such data. The Processor will certify compliance with this obligation in writing upon request.
This DPA is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Both parties consent to the exclusive jurisdiction of the state and federal courts located in California for the resolution of any disputes arising from this DPA.
For questions, concerns, or to exercise data subject rights related to this DPA, contact the Data Protection Officer:
Email: privacy@costarai.co
The Processor will respond to all inquiries within 10 business days.