Windsurf · Windsurf Privacy Policy

Dual Controller/Processor Role Disclaimer

High severity
Share 𝕏 Share in Share 🔒 PDF

What it is

When Windsurf processes your data on behalf of your employer, Windsurf's own privacy policy does not protect you — your employer's privacy policy governs instead, and Windsurf takes no responsibility for how your employer handles your data.

Consumer impact (what this means for users)

If your employer uses Windsurf as a business tool, Windsurf's privacy protections described in this policy do not apply to your data — your employer's privacy practices govern, which may offer fewer protections.

Cross-platform context

See how other platforms handle Dual Controller/Processor Role Disclaimer and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Enterprise users may have significantly fewer protections than individual users because Windsurf disclaims responsibility for how employer-customers handle personal data processed through the platform.

View original clause language
We are a data controller with respect to data collected and otherwise processed in connection with our Website and Services. However, in certain circumstances we may agree to process information in the role of a processor or service provider on behalf of our customers (for example, on behalf of your employer). When we act as a processor, this Privacy Policy will not apply to that information, as our customers are the data controllers and their privacy policies will apply to the processing of your personal information. We are not responsible for the privacy or data security practices of our customers, which may differ from those explained in this Privacy Policy.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision directly implicates GDPR Article 28 (processor obligations and mandatory DPA requirements), Article 26 (joint controller arrangements), and Article 82 (liability allocation between controller and processor). The UK GDPR imposes equivalent obligations. For US enterprise deployments, CCPA/CPRA §1798.140(ag) defines 'service provider' and 'contractor' roles with specific contractual requirements. The FTC Act Section 5 applies if the disclaimer is used to evade accountability for deceptive practices. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has jurisdiction if the dual-role disclaimer is used to evade accountability for data practices that harm consumers under FTC Act Section 5.
    File a complaint →

Provision details

Document information
Document
Windsurf Privacy Policy
Entity
Windsurf
Document last updated
April 29, 2026
Tracking information
First tracked
April 30, 2026
Last verified
April 30, 2026
Record ID
CA-P-004018
Document ID
CA-D-00486
Evidence Provenance
Source URL
https://codeium.com/privacy-policy
Wayback Machine
View archived versions →
SHA-256
ca691298a1c366388f0a1f48ecc65849f0a7d07d6de5b840c646e62cf6239715
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Windsurf | Document: Windsurf Privacy Policy | Record: CA-P-004018
Captured: 2026-04-30 05:21:09 UTC | SHA-256: ca691298a1c36638…
URL: https://conductatlas.com/platform/windsurf/windsurf-privacy-policy/dual-controllerprocessor-role-disclaimer/
Accessed: May 2, 2026
Classification
Severity
High
Categories
Unknown

Other provisions in this document