Cursor publishes a list of all third-party vendors that process user data and reviews each one annually; the list is available at trust.cursor.com/subprocessors.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The subprocessor list and annual review commitment are operationally significant for enterprise customers who need to track third-party data flows for GDPR Article 28 compliance or internal vendor risk programs.
Interpretive note: The document does not specify whether customers receive advance notice of subprocessor changes or have objection rights, which are material gaps for GDPR Article 28 compliance assessment.
This provision states that Cursor maintains and publishes a list of vendors that may process user data, including code, and reviews each vendor annually; enterprise customers can consult trust.cursor.com/subprocessors to identify all entities that may receive their data.
Cross-platform context
See how other platforms handle Subprocessor Management and Vendor Risk Program and similar clauses.
Compare across platforms →Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our list of subprocessors is published on our trust portal. Each subprocessor is evaluated under our vendor risk management program and re-reviewed annually. Cursor respects model blocklists and will not send requests to models on a blocklist.— Excerpt from Cursor's Cursor Security Practices
(1) REGULATORY LANDSCAPE: GDPR Article 28 requires controllers to use only processors that provide sufficient guarantees and to impose sub-processor obligations contractually. The published subprocessor list and annual review program are directly relevant to this obligation. CCPA service provider requirements also necessitate that personal information is not shared with vendors beyond the purposes described. (2) GOVERNANCE EXPOSURE: Medium. The annual re-review commitment creates a governance expectation that customers may rely upon; however, the document does not specify whether customers receive advance notice of subprocessor changes, which is a standard GDPR Article 28 requirement. Enterprise customers should verify this via their DPA. (3) JURISDICTION FLAGS: EU and EEA customers face the highest exposure given GDPR Article 28 sub-processor notification requirements. Customers in regulated industries should verify that all listed subprocessors meet sector-specific vendor requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: DPAs or enterprise agreements should specify the notification period for subprocessor changes and any customer objection rights. Procurement teams should cross-reference the published subprocessor list against their own approved vendor lists. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should establish a process to monitor the subprocessor list for changes and assess the impact of any additions or removals on their data processing activities. The model blocklist feature should be evaluated for relevance to internal AI governance policies.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The subprocessor list and annual review commitment are operationally significant for enterprise customers who need to track third-party data flows for GDPR Article 28 compliance or internal vendor risk programs.
This provision states that Cursor maintains and publishes a list of vendors that may process user data, including code, and reviews each vendor annually; enterprise customers can consult trust.cursor.com/subprocessors to identify all entities that may receive their data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.