Cotera Privacy Policy
Introduction
Supersheets, Inc. (trading as "Cotera," "we," "us," or "our") is a customer journey monitoring platform incorporated in Delaware, with offices in New York and London and a subsidiary in the United Kingdom. We integrate with our customers' data warehouses and other data sources to help them understand and optimize their customer lifecycle through data modeling, segmentation, segment tracking, and event-driven communications.
This Privacy Policy describes how we collect, use, store, and protect information in connection with our platform and website. It applies to all users of our services, visitors to our website, and the personal data we process on behalf of our customers.
Our Role as a Data Processor
When we provide our platform services to customers, we act as a data processor (or "service provider" under applicable US privacy laws). Our customers are the data controllers who determine the purposes and means of processing. We process customer data strictly in accordance with our customers' instructions as set out in our Data Processing Agreement (DPA) and applicable service agreements.
We do not sell, share, or use customer data for our own marketing purposes, and we do not make independent decisions about the purposes of processing customer data.
Data We Collect
Customer Data (Processed on Behalf of Our Customers)
Customer data is information our customers provide to us or make available through integrations for processing via our platform. This may include customer operating data, personally identifiable information (PII) belonging to our customers' end users, and any other data subject to a confidentiality agreement with a customer. The specific categories of data processed depend on what the customer chooses to connect and share.
Account and Usage Data (Collected as a Data Controller)
When you interact with our website or platform as an authorized user, we may collect information necessary to provide and improve our services, including name and contact details provided during account setup, authentication and session data, usage telemetry and product analytics, and support request content.
Website Visitor Data
When you visit our website, we may collect standard web traffic information such as IP address, browser type, pages visited, and referring URL. We use this information to improve our website and understand how visitors interact with our content.
How We Process Customer Data
Zero-Storage Architecture
Cotera operates a zero-storage architecture by design. All customer data resides in a data warehouse — either one provisioned and controlled by the customer, or a dedicated instance (such as Snowflake or BigQuery) that we provision on the customer's behalf. In either case, the data warehouse is the sole persistent store for customer data and is not part of Cotera's backend infrastructure.
Data syncs to and from the warehouse are managed by the warehouse itself or by an ETL platform of the customer's choosing, not by Cotera's servers. Our application servers read data from the warehouse and temporarily cache it in memory for processing, but all results are written back to that same warehouse. We do not persist customer data on our own systems at any point.
Data Access Controls
Customers maintain full control over what data Cotera can access. Depending on the deployment model chosen, customers may grant access through direct OAuth integrations with source systems, scoped service accounts on their own data warehouse with column-level and row-level controls, or credentials limited to curated views that expose only selected fields. We support customers in configuring the level of access that aligns with their security requirements.
Legal Bases for Processing
Where the EU General Data Protection Regulation (GDPR) or UK GDPR applies, we process personal data on the following bases:
- Contractual necessity: To provide our platform services as described in our customer agreements.
- Legitimate interests: To maintain the security and performance of our platform, and to improve our services.
- Consent: Where required by applicable law, such as for certain marketing communications.
- Legal obligation: To comply with applicable laws and regulations.
For customer data that we process as a data processor, the legal basis for processing is determined by the customer (the data controller).
Data Security
We implement technical and organizational measures designed to protect the confidentiality, integrity, and availability of data. These measures include:
- Encryption: All data is encrypted in transit using TLS v1.3 or better. Data at rest within our infrastructure is encrypted using AES-256. All laptop hard drives are encrypted.
- Access control: We operate on the principle of least privilege. Access to systems is role-based, requires multi-factor authentication for privileged access to production systems, and is reviewed annually.
- Infrastructure: Our production environment is hosted on Google Cloud Platform (GCP). Development and production environments are strictly segregated. Confidential production customer data is not used in development or test environments without express management approval.
- Monitoring: We maintain logging and monitoring across production infrastructure, with alerts configured for events that represent a significant threat to confidentiality, availability, or integrity.
- Vulnerability management: We perform continuous vulnerability scanning on external-facing systems and maintain defined SLAs for remediation of identified vulnerabilities based on severity.
- Incident response: We maintain a documented Incident Response Plan that is tested at least annually.
Our security program is assessed annually through a SOC 2 Type 2 examination. Our most recent report covers the period February 23, 2024 to February 23, 2025. Customers and prospective customers may request access to our SOC 2 report and our Vanta Trust Center for real-time visibility into our control posture.
Data Retention and Disposal
Customer data is retained for the duration of the service agreement. Upon termination of services or upon customer request, all relevant customer data will be removed within 60 days.
We securely delete or destroy data classified as restricted or confidential when it is no longer needed, in accordance with our Data Management Policy. Devices are securely wiped prior to disposal or physically destroyed. Where a third-party e-waste service is used for device destruction, a certificate of destruction is obtained and retained.
Sub-Processors
We use a limited number of third-party sub-processors to assist in providing our services. A sub-processor is a third-party data processor engaged by Cotera who may have access to or process customer data in the course of delivering our platform. We conduct due diligence on all sub-processors and review them at least annually as part of our vendor management program.
We will notify customers of any material changes to this list in accordance with the terms of our Data Processing Agreement (DPA).
Sub-Processors That May Process Customer Data
| Sub-Processor | Purpose | Data Processing Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure hosting for the Cotera platform | United States |
| Snowflake | Customer data warehouse (when provisioned by Cotera on customer's behalf) | United States |
| WorkOS | Authentication and identity management | United States |
| Cloudflare | DNS, CDN, and DDoS protection; may process request metadata in transit | United States |
| Datadog | Infrastructure monitoring and logging; may process application telemetry | United States |
| Segment | User event tracking for product analytics | United States |
Service Providers Used for Internal Operations
The following providers support Cotera's internal business operations and do not have access to customer data in the ordinary course of service delivery.
| Provider | Purpose |
|---|---|
| Vanta | Compliance automation and SOC 2 evidence collection |
| Google Workspace | Corporate identity, email, and collaboration |
| GitHub | Source code version control |
| Linear | Internal issue and project tracking |
| Slack | Internal team communications |
| Rippling | Human resources and payroll |
| Checkr | Employee background checks |
Customer-Managed Integrations
Depending on the deployment option chosen by the customer, additional third-party services may be involved in the data pipeline. When a customer elects to use an ETL platform (such as Fivetran or Portable) to sync data into their own data warehouse, these services are engaged directly by the customer and are not Cotera sub-processors. Cotera does not control or manage these integrations; the customer maintains their own contractual and data processing relationship with these providers.
International Data Transfers
Cotera is incorporated in the United States with a subsidiary in the United Kingdom. Customer data is primarily processed in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to the United States, we rely on appropriate transfer mechanisms as set out in our DPA, which may include Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement/Addendum as applicable.
Your Rights
Depending on your jurisdiction, you may have rights in relation to your personal data, including the right to access, correct, delete, or port your data, and the right to object to or restrict certain processing.
If you are an end user of one of our customers and wish to exercise your data protection rights, please contact the relevant customer directly, as they are the data controller for your information. We will assist our customers in fulfilling their obligations to respond to data subject requests in accordance with our DPA.
If you are a website visitor or account holder and wish to exercise your rights in relation to data we control, please contact us using the details below.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on our website and update the "Last updated" date above. Material changes will be communicated to customers through reasonable means.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Supersheets, Inc. (trading as Cotera)
Email: privacy@cotera.com