This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This is Windsurf's security and privacy disclosure, covering how the company handles code, usage data, and personal information across its AI coding assistant platform. The most significant aspect for individual users is that without actively enabling zero-data retention mode in their profile settings, logs containing code snippets and user activity trajectories may be stored and accessible to internal teams and third-party dashboard tools including Retool, Metabase, and Tableau. Individual users who want to prevent their code data from being retained should navigate to their profile page in the Windsurf application and enable zero-data retention mode.
This document is Windsurf's security and privacy disclosure page (last updated March 11, 2025), governing how the company handles customer data, infrastructure, subprocessors, and compliance posture across its AI-assisted software development platform. The document states that teams and enterprise plans default to zero-data retention with subprocessors, that individual plan users must opt in to zero-data retention from their profile page, and that without opt-in, logs containing code snippets and user trajectories may be stored and discussed internally via tools such as Slack, Google Workspace, Retool, Metabase, and Tableau. The document discloses an extensive list of subprocessors, including OpenAI, Anthropic, Google Vertex, xAI, Fireworks, Crusoe, Modal, Oracle Cloud, AWS, and Bing API, noting that Bing does not carry a zero-data retention agreement and requires explicit administrator enablement; the document also states that Windsurf may leverage AI models independent of user selection for tasks such as summarization, which may create exposure for users who have not explicitly authorized a specific provider. The document engages GDPR through its EU deployment option in Frankfurt and its data residency disclosures, CCPA through its California-applicable data handling practices, HIPAA through its maintained compliance posture and Business Associate Agreement availability, and FedRAMP High through its Palantir FedStart accreditation; SOC 2 Type II certification and annual third-party penetration testing are also disclosed. Compliance teams should evaluate whether individual user consent mechanisms for zero-data retention opt-in satisfy applicable regulatory standards, and whether the use of AI models independent of user selection is adequately disclosed under applicable privacy law.
Windsurf has updated this document before.