Windsurf replaced technical documentation about their Devin AI product with a comprehensive security and data handling disclosure. The previous document described Devin's vulnerability remediation capabilities; the updated document now describes Windsurf's organizational security practices, including encryption, access controls, employee authentication requirements, third-party audits (SOC 2 Type II certification obtained March 2024), and a vulnerability disclosure program. This shift establishes explicit statements about how Windsurf handles data security, operational monitoring, and employee access to production systems.
The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.
The updated document establishes formal security commitments previously absent from public Windsurf documentation. By disclosing SOC 2 Type II certification, encryption practices, access controls, and employee security requirements, Windsurf creates a documented baseline against which procurement teams and compliance officers can evaluate the platform's data protection measures. Publishing these practices may reduce vendor assessment friction for organizations subject to GDPR, CCPA, or internal data protection governance.
→ Review Windsurf's Trust Center for additional security documentation and certification details
→ Evaluate the SOC 2 Type II certification scope against your organization's data processing requirements
→ The updated security practices will apply to all data processed by Windsurf as described in the updated terms
→ Organizations that do not review the updated security disclosures may not have documented evidence of Windsurf's security controls for vendor governance or audit purposes
All data transmission is encrypted in transit and at rest; production systems are routinely monitored via logging and error handling.
Access to the cloud environment in AWS is granted on an as-required basis based on business roles; only a small number of employees or contractors have direct access to production systems.
Windsurf obtained SOC 2 Type II certification as of March 2024, with auditors reviewing security policies, procedures, and controls related to data security, privacy, processing integrity, confidentiality, and availability.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
Windsurf replaced product-focused documentation with formal security and data handling disclosures. The updated document asserts SOC 2 Type II certification (March 2024), establishes mandatory employee MFA and annual security training requirements, describes production access controls, and commits to routine system monitoring and alerting. For organizations evaluating Windsurf as a vendor, this change puts in writing security commitments previously absent from public documentation. No specific regulatory article citation is indicated in the change text, but SOC 2 Type II certification is generally recognized as addressing AICPA Trust Service Criteria and may support compliance with data security requirements under GDPR, CCPA, and similar frameworks. No new vendor obligations appear to be imposed on downstream users.
GDPR (data security and controller-processor responsibilities), CCPA (service provider obligations), FTC Act Section 5 (unfair or deceptive practices regarding data security)
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003202.