What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: This document engages GDPR (particularly for the EU deployment cluster in Frankfurt and data residency considerations), CCPA (for California-based individual users whose code and usage data may be retained), HIPAA (the document discloses a HIPAA-compliant posture with optional BAA for healthcare organizations), and FedRAMP High (for federal and government-adjacent enterprise customers). The FTC Act is relevant to the accuracy of disclosures regarding subprocessor data r…

How does Windsurf's Windsurf Security & Data Handling affect users?

The document establishes that individual plan users operate under data retention by default, meaning code snippets and user trajectories may be stored and accessible to internal analytics subprocessors unless zero-data retention mode is explicitly enabled. The agreement discloses that multiple third-party inference providers including OpenAI, Anthropic, Google Cloud Vertex, xAI, and Fireworks receive code data for inference, each covered by zero-data retention agreements, while Bing API receive…

How often is Windsurf's Windsurf Security & Data Handling updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Windsurf updates this document?

Yes. Monitor subscribers ($19/month) can add Windsurf to their watchlist and receive same-day email alerts whenever this document or any other Windsurf document changes.

CA-D-000783

Windsurf Security & Data Handling

Windsurf

Last change detected June 23, 2026 Privacy policy

SHA-256: a7e6dc4f15152ca497f… 4 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Windsurf ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

6 Medium severity

1 Low severity

Summary

This is Windsurf's security and privacy disclosure covering how the company handles code data, model inference, subprocessors, and deployment options for its AI code assistant products. For individual users on cloud plans, logs containing code snippets and user interaction trajectories may be retained unless the user manually enables zero-data retention mode from their profile page; for Teams and Enterprise plans, zero-data retention applies by default. The document also discloses that multiple AI inference providers including OpenAI, Anthropic, Google Vertex, xAI, and Fireworks receive code data, each under zero-data retention agreements, while Bing API receives query data derived from code without such an agreement.

Technical / Legal Breakdown

This document is Windsurf's security and privacy disclosure page (last updated March 11, 2025), governing data flows, subprocessor relationships, deployment architectures, and compliance posture for an AI-powered code assistant platform serving individual developers and enterprise customers. The document states that for individual cloud plans without zero-data retention mode enabled, logs that may contain code snippets and user trajectories could be stored, while teams and enterprise plans apply zero-data retention by default; the policy discloses that OpenAI, Anthropic, Google Cloud Vertex, xAI, and Fireworks each receive code data for inference with zero-data retention agreements in place, while Bing API receives text potentially derived from code data without a zero-data retention agreement. The document identifies a notable operational distinction for individual users: zero-data retention is opt-in rather than default, meaning code snippets and usage trajectories may be retained and accessible to internal analytics tools including Retool, Raindrop, Metabase, and Tableau unless the user actively enables the mode; the document also discloses that OpenAI and Anthropic models may be leveraged independent of user model selection for background tasks such as summarization. The document references SOC 2 Type II certification, FedRAMP High accreditation, and HIPAA compliance posture with optional Business Associate Agreements, engaging frameworks relevant to federal procurement, healthcare data handling, and enterprise data residency requirements. Compliance teams should note that the Bing API integration for web search lacks a zero-data retention agreement and requires explicit Team or Enterprise administrator enablement, and that individual user data protections are materially weaker than enterprise defaults absent active opt-in to zero-data retention mode.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

4 versions captured · Last updated: June 2026

June 23, 2026

medium

What changed Windsurf replaced technical documentation about their Devin AI product with a comprehensive security and data handling disclosure. The previous document described Devin's vulnerability remediation capabilities; the updated document now describes Windsurf's organizational security practices, including encryption, access controls, employee authentication requirements, third-party audits (SOC 2 Type II certification obtained March 2024), and a vulnerability disclosure program. This shift establishes explicit statements about how Windsurf handles data security, operational monitoring, and employee access to production systems.

Why this matters The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.

View full change record →

May 16, 2026

low

What changed Windsurf updated its Security & Data Handling policy on May 16, 2026 to disclose two practices involving data exposure. The policy now states that Windsurf uses Raindrop, a third-party service, to view usage analytics and aggregate statistics, and that users not using Zero-data retention mode may have their logs exposed for debugging purposes. Previously, this disclosure was not present in the policy.

Why this matters The updated policy now explicitly states that Windsurf uses Raindrop to view usage analytics and aggregate statistics, and that debug logs may be exposed for users not on zero-data retention mode. Previously these practices were not disclosed in the policy. The policy establishes that Zero-data retention mode provides more restricted log access, while standard users operate under different log exposure terms. You can switch to Zero-data retention mode to limit debug log exposure.

View full change record →

Recent Provision Changes Jun 23, 2026

7 provisions unchanged.

View full change record →

Medium — 6 provisions

Individual User Zero-Data Retention Opt-In Compare →

Individual plan users are subject to data retention by default, meaning code snippets and usage data may be stored unless the user actively enables zero-data retention mode via their profile page. Teams and Enterprise plans receive zero-data retention as a default.

Added May 12, 2026 Standard Seen across 284 platforms
Bing API Subprocessor Without Zero-Data Retention Agreement Compare →

The Bing API receives query data derived from user inputs, conversation history, and potentially code data as part of web search functionality. Unlike other inference providers, Windsurf does not have a zero-data retention agreement with Bing, and this integration must be explicitly enabled by Team or Enterprise administrators.

Added May 21, 2026 Standard Seen across 252 platforms
Model Use Independent of User Selection Compare →

The document discloses that OpenAI, Anthropic, and Google Cloud Vertex models may be used for background processing tasks such as summarization regardless of which model the user has selected for their primary AI interactions. Enterprise administrators can disable specific providers at the organizational level.

Added May 21, 2026 Standard Seen across 252 platforms
Code Ownership and Attribution Filtering Compare →

The document asserts that users own code generated by Windsurf products to the extent permitted by law, and discloses that attribution filtering is applied to intercept generated code similar to non-permissively licensed code before it is shown to users. The document also acknowledges limitations in making representations about third-party model training data.

Added May 12, 2026 Standard Seen across 242 platforms
Subprocessor Code Data Access Disclosure Compare →

The document provides a comprehensive list of subprocessors, identifying for each whether they see code data and under what conditions. Multiple infrastructure and analytics providers including GCP, Crusoe, Modal, Oracle Cloud, and dashboard tools including Retool, Raindrop, Metabase, and Tableau may access code data for individual users not on zero-data retention mode.

Added May 21, 2026 Standard Seen across 252 platforms
Account Deletion and Zero-Data Retention Compare →

The document discloses account deletion and zero-data retention mechanisms, distinguishing between default protections for enterprise and teams users versus opt-in protections for individual users. The document includes a dedicated section on account deletion linked from the table of contents, though the full text of that section was not available in the provided document excerpt.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 1 provision

Real-Time and Ahead-of-Time Personalization Data Collection Compare →

The document discloses that Windsurf makes background requests to its servers without user-triggered input events, for the purposes of building context, understanding developer intent, and scanning for potential next steps. Embedding computation requests are also made proactively to process existing codebases.

Added May 21, 2026 Standard Seen across 284 platforms

Monitoring

Windsurf has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Account Deletion and Zero-Data Retention and similar clauses.

Compare across platforms →