CA-C-003485 Top 5%
Windsurf — Windsurf Security & Data Handling
Entity
Date detected
July 6, 2026
Effective date
July 6, 2026
Severity
Direction
Negative
Affected users
all users premium subscribers enterprise customers business accounts
Taxonomy
Ai training rights
Changes
+3 sentences added · 2 sentences modified
Share 𝕏 Share in Share 🔒 PDF
Watch Windsurf Get alerts when this policy changes.
Watch — Free

Event Summary

Windsurf changed its default data use policy for model training. Previously, the company stated it would not use customer data for model training unless users explicitly opted in. The updated policy states the company may use customer data for model training by default. Paid plan users can now opt out on the Data Controls settings page, and Enterprise customers require express written consent before any training use. Teams plan administrators control the opt-out setting for their organization.

HIGH

Consumer Impact

The updated terms establish a default policy permitting Windsurf to use customer data for model training purposes to improve services. Previously, the company required explicit opt-in before any training use. Under the revised policy, data training occurs automatically for free and paid users unless they affirmatively opt out through the Data Controls settings page. Once disabled, the terms state your data will not be used for training and Zero Data Retention will be enabled with model providers. Enterprise customers operate under a different standard, requiring express prior written consent before any training use occurs.

Governance Analysis

This change reverses Windsurf's baseline data handling presumption for model training. Previously, users started with non-use and had to actively opt in; now they start with automatic use and must actively opt out. For organizations serving regulated customers or having committed to stricter data practices, the shift from opt-in to opt-out may trigger privacy policy updates and potential compliance review under GDPR, CCPA, and sector-specific frameworks. The explicit consent requirement for Enterprise customers indicates that consent-based processing is operationally available, which may create expectations that other tiers warrant similar controls.

Available Actions

Review your Windsurf account privacy settings within 30 days and navigate to Data Controls to decide whether to opt out of model training.

For Teams plan members, contact your administrator to confirm whether model training opt-out has been disabled for your organization.

If you require stricter data handling guarantees, evaluate whether your use case qualifies for Enterprise tier, which requires express written consent for model training.

If No Action Is Taken

Your data will be used by Windsurf for model training and AI improvement by default unless you affirmatively opt out in the Data Controls settings.

If you do not opt out, Zero Data Retention will not be enabled with Windsurf's model providers, and your data may persist in training datasets.

For Teams plan users, if your administrator does not exercise the opt-out option, all organizational data will be subject to model training use.

Historical Context

ConductAtlas has recorded 2 material changes to this document (since June 2026). An additional minor or cosmetic changes were excluded.

Across all monitored documents, Windsurf has made 3 significant changes.

Key Clauses Affected

Default model training authorization

Changed from explicit opt-in requirement to automatic authorization for all users except Enterprise; shifts presumption from data protection to data use.

Opt-out mechanism for paid users

Establishes right to disable model training via Data Controls settings and triggers Zero Data Retention with model providers.

Enterprise consent requirement

Requires express prior written consent for Enterprise customers before any model training, creating a distinct tier of protection.

Full clause-by-clause analysis available with Compliance.
These clauses may change again. Get alerted when they do. Watch Windsurf — Free

This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology

Evidence Verification

✓ Verified
Previous Version
a7e6dc4f15152ca497f54aeea5cd6134ffd3e6bb2444c8d862ecc41fc8499c34
June 23, 2026 00:59 UTC
✓ Verified
Current Version
87e0c922df6f81ddd3b0b0cd1a4c89e032f31245c90a31c47bfc8fc12173717b
July 6, 2026 00:54 UTC
✓ Verified
Change Detected
July 6, 2026 00:54 UTC
Analysis Methodology
✓ Verified
Source Document
https://windsurf.com/security
Citation Record
Entity: Windsurf
Document: Windsurf Security & Data Handling
Record ID: CA-C-003485
Captured: 2026-07-06 00:54:16 UTC
URL: https://conductatlas.com/change/2026-07-06-windsurf-windsurf-security-data-handling-3485/
Accessed: July 6, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Impact Summary

1
Expanded
1
Protection removed
Consumers Expanded

Windsurf can now use your data to train and improve its AI models unless you turn this off in settings.

Consumers Removed

You no longer need to actively agree to let Windsurf use your data for training; it happens automatically.

+ 1 more obligation changes. Full breakdown available with Monitor.

Track changes →
For legal and compliance teams

Institutional Analysis

Assessment

Windsurf reversed its model training default from opt-in to opt-out for general users while maintaining a stricter consent requirement for Enterprise customers. This change may implicate GDPR Article 6 (lawful basis for processing) and Article 13 (information to be provided to data subjects), as processing personal data for AI model training constitutes a material change in processing purpose. Under GDPR, organizations relying on this service to serve EU residents may need to reassess lawful basis documentation and update their own privacy notices to reflect the new default. The change also affects how data processing agreements or standard contractual clauses describe the scope of permitted uses. Non-Enterprise customers in the EU may face additional compliance obligations, as consent via opt-out may not satisfy GDPR's affirmative consent requirements depending on implementation and regulatory interpretation.

Regulatory Exposure

GDPR (Articles 6, 13, 21), CCPA (California Consumer Privacy Act), UK Data Protection Act 2018, sector-specific frameworks depending on customer industry

Full compliance analysis

Obligation analysis, escalation trigger, board language, and recommended action.

Monitor $19/mo Compliance $249/mo

Monitor: regulatory citations + obligations. Compliance: full compliance memo.

ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003485.

Full Changes

See the full side-by-side comparison of every sentence added, removed, and modified.

🔒 Full diff — Monitor

Document Context

Version history → Policy drift analysis → Document page →
Document
Windsurf Security & Data Handling
Entity
Windsurf
Captured
July 6, 2026
Source URL
https://windsurf.com/security
Other changes to Windsurf Security & Data Handling
Previous change Jun 23, 2026
Windsurf replaced technical documentation about their Devin AI product with a comprehensive security and data handling disclosure. The previous document …
Medium Positive
View full version history →
More from Windsurf
Jul 1, 2026 Medium
Windsurf Terms of Service

Windsurf's Terms of Service were substantially rewritten on July 1, 2026. The updated terms rebrand the service from Windsurf to …

Jun 30, 2026 Low
Windsurf Terms of Service

Windsurf updated its Terms of Service landing page on June 30, 2026, replacing 'Try Devin' with 'Log in' in the …

Jun 23, 2026 Medium
Windsurf Security & Data Handling

Windsurf replaced technical documentation about their Devin AI product with a comprehensive security and data handling disclosure. The previous document …

Track Windsurf policy changes

Get alerted when this policy changes again — including what changed and why it matters.

Prefer a weekly summary instead?

Get the biggest policy changes across 352+ platforms every Sunday.