Windsurf states that personal data from EEA, Switzerland, and UK users may be transferred to the United States and other countries, relying on Standard Contractual Clauses as the transfer mechanism.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identify the supervisory authority overseeing the transfer.
Interpretive note: The policy does not specify which SCC module is in use, whether Transfer Impact Assessments have been conducted, or which supervisory authority is designated, creating ambiguity for compliance verification.
EEA, Swiss, and UK users' personal data, including Prompts and Outputs, may be transferred to and processed in the United States under Standard Contractual Clauses; the specific SCC modules and safeguards in place are not detailed in the policy but can be requested from Windsurf.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries based on approved Standard Contractual Clauses, or otherwise in accordance with applicable data protection laws.— Excerpt from Windsurf's Windsurf Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (Articles 44-49) governing international data transfers, as well as UK GDPR's equivalent transfer provisions and the Swiss Federal Act on Data Protection. The European Commission's 2021 Standard Contractual Clauses replace prior versions and require identification of the applicable module (controller-to-controller, controller-to-processor, etc.). The provision does not identify the applicable SCC module or the competent supervisory authority. GOVERNANCE EXPOSURE: Medium. The reliance on SCCs is a recognized transfer mechanism, but the absence of specified module information creates a gap for compliance documentation. Transfer Impact Assessments may be required under GDPR Article 46 supplementary guidance, particularly for transfers involving AI processing of personal data. JURISDICTION FLAGS: EEA users face exposure if the SCC module used does not match the actual data processing relationship (e.g., if Windsurf acts as a processor but uses controller-to-controller SCCs). UK users should note that UK SCCs (International Data Transfer Agreements or Addenda) are distinct from EU SCCs and must be used for UK-originating transfers. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request copies of the applicable SCCs and confirm whether supplementary measures or Transfer Impact Assessments have been conducted for US-bound transfers, particularly given US government access rights under surveillance laws. The policy states copies of safeguards can be obtained by contacting Windsurf. COMPLIANCE CONSIDERATIONS: Legal teams in EEA, Swiss, or UK jurisdictions should request the applicable SCC documentation and any Transfer Impact Assessments. Data mapping should reflect the US-based server infrastructure disclosed in the policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identify the supervisory authority overseeing the transfer.
EEA, Swiss, and UK users' personal data, including Prompts and Outputs, may be transferred to and processed in the United States under Standard Contractual Clauses; the specific SCC modules and safeguards in place are not detailed in the policy but can be requested from Windsurf.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.