What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The document's disclosures on subprocessor management, Zero Data Retention contractual controls, and data access governance are relevant to GDPR processor accountability obligations, CCPA service provider contractual requirements, and SOC 2 Trust Service Criteria. The document does not assert compliance with any named regulation, but the disclosures it makes are the type of representations that GDPR Article 28 data processing agreements and CCPA service provider contra…

How does Cursor's Cursor Security Practices affect users?

This security disclosure page describes controls Cursor has implemented to protect source code and developer data, including Privacy Mode which the document states prevents code data from being stored or used for training by AI model providers when enabled. The document also states that infrastructure access follows least privilege principles and that multi-factor authentication is enforced. You can enable Privacy Mode in Cursor's Settings dashboard, or verify with your team administrator that …

How often is Cursor's Cursor Security Practices updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Cursor updates this document?

Yes. Watcher subscribers ($9.99/month) can add Cursor to their watchlist and receive same-day email alerts whenever this document or any other Cursor document changes.

CA-D-000832

Cursor Security Practices

Cursor

Last change detected May 12, 2026 Privacy policy

SHA-256: 04fdef38e1310e6e3f5… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Cursor ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

2 Medium severity

5 Low severity

Summary

This is Cursor's Security disclosure page, which describes how Cursor (an AI-powered code editor) protects user source code and developer environments. The most significant disclosure for users is the Privacy Mode feature: when enabled, Cursor implements Zero Data Retention terms with its AI model providers so that code data is not stored by those providers or used for model training, and this mode is on by default for team members. Users who want to ensure their code is not stored by AI model providers should verify that Privacy Mode is enabled in their Cursor settings, or ask their team administrator to confirm it is active.

Technical / Legal Breakdown

This document is Cursor's Security page (last updated April 24, 2026), a disclosure document rather than a privacy policy or terms of service; it describes Cursor's operational security posture, data handling controls, and vulnerability disclosure process, without asserting contractual obligations on users or establishing a formal legal basis. The document states that a SOC 2 Type II attestation report is available on request, that annual third-party penetration testing is conducted, that Privacy Mode implements Zero Data Retention contractual terms with model providers to prevent code data from being stored or used for training, and that account deletion is available at any time from the Settings dashboard. Operationally notable is the explicit statement that Cursor does not use or maintain infrastructure in China and does not use China-headquartered subprocessors, and that Privacy Mode is enabled by default for team members and available to free and Pro users; these disclosures address supply chain and data sovereignty concerns that are increasingly material to enterprise procurement. The document engages questions relevant to GDPR, CCPA, and SOC 2 compliance frameworks through its disclosures on subprocessor management, data retention controls, and access governance, though the document itself does not assert compliance with any specific regulation. As a security disclosure page rather than a binding policy instrument, its compliance significance lies primarily in the representations it makes that procurement and legal teams may rely upon during vendor due diligence.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 2 provisions

Privacy Mode and Zero Data Retention

When Privacy Mode is on, Cursor contractually requires its AI model providers not to store your code or use it to train their models. This mode is on automatically for team members and can be turned on manually by any individual user.

Added May 12, 2026 Rare
Vulnerability Disclosure and Incident Communication

Cursor accepts vulnerability reports by email and acknowledges them within 5 business days; critical security incidents are communicated by email to affected users.

Added May 12, 2026 Rare

Low — 5 provisions

China Infrastructure and Subprocessor Exclusion

Cursor states it has no servers or infrastructure in China and does not use Chinese companies as data processors, including at the sub-subprocessor level to the best of its knowledge.

Added May 12, 2026 Rare
SOC 2 Type II Attestation and Penetration Testing

Cursor has obtained a SOC 2 Type II security certification and conducts annual third-party penetration tests; both reports can be requested through Cursor's trust portal.

Added May 12, 2026 Rare
Subprocessor Management and Vendor Risk Program

Cursor publishes a list of all third-party vendors that process user data and reviews each one annually; the list is available at trust.cursor.com/subprocessors.

Added May 12, 2026 Rare
Account Deletion

Cursor states that users can delete their accounts at any time through the Settings dashboard, with customer support available at hi@cursor.com for assistance.

Added May 12, 2026 Rare
Infrastructure Access Controls and MFA

Cursor states that its internal systems are accessed only on a need-to-know basis, with multi-factor authentication required for staff and ongoing monitoring of system activity.

Added May 12, 2026 Rare

Monitoring

Cursor has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Privacy Mode and Zero Data Retention and similar clauses.

Compare across platforms →

Archival ProvenanceSource & Archival Record

Last Captured May 12, 2026 05:45 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000832

Version ID CA-V-002489

Source URL https://cursor.com/security

Wayback Machine View external archival references →

SHA-256 04fdef38e1310e6e3f564f845b67974206f1aa38bccc1515a1fa667a4f1c5d27

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Cursor Security Practices

Monitor governance changes across the platforms you rely on.