Security

Last updated: April 2026

Overview

CoStar AI Agent is designed with a security-first architecture. Your data stays in your browser. Your CoStar credentials are never accessed or stored by our service. We process only the visible listing data you explicitly submit for analysis, and we never retain it longer than necessary.

Architecture & Data Flow

The CoStar AI Agent extension runs entirely within your Chrome browser. When you submit a query:

Only the visible CoStar listing data from the current page is extracted
This data is sent via encrypted HTTPS (TLS 1.3) to our processing endpoint
The data is forwarded to Anthropic's Claude API for analysis
The AI generates a response and returns it to your browser
The response is displayed in the extension UI
CoStar page data is never permanently stored in our systems

Data Flow Diagram

Your Browser
↓
HTTPS (TLS 1.3)
↓
Supabase Edge Function
↓
Anthropic Claude API
↓
Response
↓
Your Browser

All data is transient and not stored on our servers.

Encryption

In transit: All data transmitted between your browser and our services is encrypted using TLS 1.3, the industry standard for secure communication.

At rest: Data stored in our systems (email address, subscription status) is encrypted using AES-256 encryption within Supabase's SOC 2 Type II certified infrastructure.

Payment data: Payment information is handled exclusively by Stripe, which maintains PCI DSS Level 1 compliance. We never see, store, or access credit card numbers or sensitive payment details.

Access Controls

The extension operates exclusively on costar.com and costargroup.com domains. It does not request wildcard permissions and cannot access other websites or extension data.

Google Sheets integration requires explicit user consent via OAuth2 and is limited to creating and editing spreadsheets only. The extension cannot access your other Google data.

Chrome Extension Permissions

CoStar AI Agent requests the following permissions, each with a specific security purpose:

activeTab: Allows the extension to access the current CoStar page you're viewing. Without this, the extension cannot extract listing data.
scripting: Enables the extension to read visible content from CoStar pages and inject the response UI. No credentials or sensitive data are accessed.
storage: Stores your subscription status and user preferences locally on your device. This data never leaves your browser unless you explicitly export it.
clipboardWrite: Allows you to copy analysis results to your clipboard with a single click.
identity: Used only for Google Sheets OAuth authentication. Requests your Google account information to create authenticated API connections for spreadsheet exports.

Sub-processors

CoStar AI Agent uses the following sub-processors to deliver the service:

Supabase Inc. (San Francisco, CA) — Database hosting, user authentication, email storage. SOC 2 Type II certified.
Stripe Inc. (San Francisco, CA) — Payment processing and subscription management. PCI DSS Level 1 compliant.
Anthropic PBC (San Francisco, CA) — AI model inference. Processes listing data for analysis; does not retain it.
Google LLC (Mountain View, CA) — Google Sheets API for spreadsheet exports. OAuth2-authenticated and limited to spreadsheet operations.

Data Retention

Email & subscription status: Retained while your account is active.
CoStar page content: Processed in real-time for AI analysis and never stored permanently on our servers.
Analytics events: Anonymized usage metrics (feature usage frequency, error rates) are retained for product improvement and debugging.
Full deletion: Upon account deletion request, all personal data associated with your account is deleted within 30 days.

Compliance

GDPR (EU General Data Protection Regulation): If you are an EU resident, you have the right to request access to, correction of, or deletion of your personal data. Submit requests to privacy@costarai.co.

CCPA (California Consumer Privacy Act): If you are a California resident, you have the right to know what personal data is collected and to opt out of data sales. We do not sell your personal data. Submit requests to privacy@costarai.co.

SOC 2 Type II: Our infrastructure providers (Supabase and Stripe) maintain SOC 2 Type II certification, demonstrating robust security controls and regular independent audits.

Incident Response

In the event of a data breach, we will notify all affected users within 72 hours via email. The notification will include details about the nature of the breach, what data was affected, and steps we took to remediate it.

We maintain a documented incident response plan and conduct regular security reviews to identify and address potential vulnerabilities.

Responsible Disclosure

If you discover a security vulnerability in CoStar AI Agent, please report it responsibly to security@costarai.co. Do not publicly disclose the vulnerability until we have had time to investigate and release a fix. We take security reports seriously and will respond within 48 hours.

Questions?

For security-related questions or concerns, contact us at security@costarai.co.