Cursor states it has no servers or infrastructure in China and does not use Chinese companies as data processors, including at the sub-subprocessor level to the best of its knowledge.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This disclosure addresses data sovereignty concerns relevant to users and enterprises subject to regulations or policies restricting data flows to or processing by entities in certain jurisdictions; the qualification 'to our knowledge' at the sub-subprocessor level introduces a bounded uncertainty.
Interpretive note: The 'to our knowledge' qualifier on sub-subprocessors means the exclusion is a best-efforts representation rather than an absolute guarantee, and the document is not a binding contractual instrument.
This provision states that source code and other data processed through Cursor is not routed through Chinese infrastructure or Chinese-headquartered vendors, which is a material consideration for enterprise security policies and government contractor compliance programs. The 'to our knowledge' qualifier on sub-subprocessors means the exclusion is not an absolute guarantee at the extended supply chain level.
Cross-platform context
See how other platforms handle China Infrastructure and Subprocessor Exclusion and similar clauses.
Compare across platforms →Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Cursor does not use or maintain any infrastructure in China. We do not use any companies headquartered in China as subprocessors, and to our knowledge none of our subprocessors do either.— Excerpt from Cursor's Cursor Security Practices
(1) REGULATORY LANDSCAPE: This disclosure is relevant to U.S. federal procurement requirements, ITAR-adjacent considerations for defense contractors, and data localization policies in various jurisdictions. It may also engage EU data transfer restrictions under GDPR Chapter V where Chinese-headquartered entities could be considered subject to PRC national security laws. (2) GOVERNANCE EXPOSURE: Medium. The provision makes a direct representation about infrastructure and first-tier subprocessors, but qualifies the sub-subprocessor assertion with 'to our knowledge,' which limits the strength of the commitment for due diligence purposes. Enterprises with zero-tolerance data sovereignty requirements should seek contractual reinforcement of this representation. (3) JURISDICTION FLAGS: U.S. government contractors and entities subject to CMMC, FedRAMP, or sector-specific foreign adversary restrictions face heightened exposure if supply chain assurances are not contractually documented. EU enterprises evaluating data transfers under GDPR schrems-related frameworks may also find this disclosure relevant. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request that the China exclusion be incorporated as a contractual representation in vendor agreements rather than relying solely on this webpage disclosure, which is not a binding contractual commitment in the absence of incorporation by reference. (5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the 'to our knowledge' qualifier on sub-subprocessors satisfies their organization's supply chain security requirements and, if not, request additional contractual assurances or audit rights.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This disclosure addresses data sovereignty concerns relevant to users and enterprises subject to regulations or policies restricting data flows to or processing by entities in certain jurisdictions; the qualification 'to our knowledge' at the sub-subprocessor level introduces a bounded uncertainty.
This provision states that source code and other data processed through Cursor is not routed through Chinese infrastructure or Chinese-headquartered vendors, which is a material consideration for enterprise security policies and government contractor compliance programs. The 'to our knowledge' qualifier on sub-subprocessors means the exclusion is not an absolute guarantee at the extended supply chain level.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.