Windsurf states that personal data from EEA, Switzerland, and UK users may be transferred to the United States and other countries, relying on Standard Contractual Clauses as the transfer mechanism.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identify the supervisory authority overseeing the transfer.
Interpretive note: The policy does not specify which SCC module is in use, whether Transfer Impact Assessments have been conducted, or which supervisory authority is designated, creating ambiguity for compliance verification.
EEA, Swiss, and UK users' personal data, including Prompts and Outputs, may be transferred to and processed in the United States under Standard Contractual Clauses; the specific SCC modules and safeguards in place are not detailed in the policy but can be requested from Windsurf.
How other platforms handle this
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries based on approved Standard Contractual Clauses, or otherwise in accordance with applicable data protection laws.— Excerpt from Windsurf's Windsurf Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (Articles 44-49) governing international data transfers, as well as UK GDPR's equivalent transfer provisions and the Swiss Federal Act on Data Protection. The European Commission's 2021 Standard Contractual Clauses replace prior versions and require identification of the applicable module (controller-to-controller, controller-to-processor, etc.). The provision does not identify the applicable SCC module or the competent supervisory authority. GOVERNANCE EXPOSURE: Medium. The reliance on SCCs is a recognized transfer mechanism, but the absence of specified module information creates a gap for compliance documentation. Transfer Impact Assessments may be required under GDPR Article 46 supplementary guidance, particularly for transfers involving AI processing of personal data. JURISDICTION FLAGS: EEA users face exposure if the SCC module used does not match the actual data processing relationship (e.g., if Windsurf acts as a processor but uses controller-to-controller SCCs). UK users should note that UK SCCs (International Data Transfer Agreements or Addenda) are distinct from EU SCCs and must be used for UK-originating transfers. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request copies of the applicable SCCs and confirm whether supplementary measures or Transfer Impact Assessments have been conducted for US-bound transfers, particularly given US government access rights under surveillance laws. The policy states copies of safeguards can be obtained by contacting Windsurf. COMPLIANCE CONSIDERATIONS: Legal teams in EEA, Swiss, or UK jurisdictions should request the applicable SCC documentation and any Transfer Impact Assessments. Data mapping should reflect the US-based server infrastructure disclosed in the policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identify the supervisory authority overseeing the transfer.
EEA, Swiss, and UK users' personal data, including Prompts and Outputs, may be transferred to and processed in the United States under Standard Contractual Clauses; the specific SCC modules and safeguards in place are not detailed in the policy but can be requested from Windsurf.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.