Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document describes Cursor's security practices and data handling procedures for source code and developer environments processed through its AI-powered code editor platform. The document establishes Privacy Mode as a configurable feature that implements Zero Data Retention terms with AI model providers, preventing storage and use of code data for model training purposes; Privacy Mode is enabled by default for team members. The document also specifies that infrastructure access controls operate under least privilege principles and that multi-factor authentication is enforced.
This document is Cursor's Security page (last updated April 24, 2026), a disclosure document rather than a privacy policy or terms of service; it describes Cursor's operational security posture, data handling controls, and vulnerability disclosure process, without asserting contractual obligations on users or establishing a formal legal basis. The document states that a SOC 2 Type II attestation report is available on request, that annual third-party penetration testing is conducted, that Privacy Mode implements Zero Data Retention contractual terms with model providers to prevent code data from being stored or used for training, and that account deletion is available at any time from the Settings dashboard. Operationally notable is the explicit statement that Cursor does not use or maintain infrastructure in China and does not use China-headquartered subprocessors, and that Privacy Mode is enabled by default for team members and available to free and Pro users; these disclosures address supply chain and data sovereignty concerns that are increasingly material to enterprise procurement. The document engages questions relevant to GDPR, CCPA, and SOC 2 compliance frameworks through its disclosures on subprocessor management, data retention controls, and access governance, though the document itself does not assert compliance with any specific regulation. As a security disclosure page rather than a binding policy instrument, its compliance significance lies primarily in the representations it makes that procurement and legal teams may rely upon during vendor due diligence.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial1 important change detected
2 versions captured · Last updated: June 2026
No textual changes detected; provision content remains identical.
6 provisions unchanged.
View full change record →Monitoring
Cursor has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Privacy Mode and Zero Data Retention and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.