What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: This document engages GDPR (particularly for the EU deployment cluster in Frankfurt and data residency considerations), CCPA (for California-based individual users whose code and usage data may be retained), HIPAA (the document discloses a HIPAA-compliant posture with optional BAA for healthcare organizations), and FedRAMP High (for federal and government-adjacent enterprise customers). The FTC Act is relevant to the accuracy of disclosures regarding subprocessor data r…

How does Windsurf's Windsurf Security & Data Handling affect users?

The document establishes that individual plan users operate under data retention by default, meaning code snippets and user trajectories may be stored and accessible to internal analytics subprocessors unless zero-data retention mode is explicitly enabled. The agreement discloses that multiple third-party inference providers including OpenAI, Anthropic, Google Cloud Vertex, xAI, and Fireworks receive code data for inference, each covered by zero-data retention agreements, while Bing API receive…

How often is Windsurf's Windsurf Security & Data Handling updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Windsurf updates this document?

Yes. Monitor subscribers ($19/month) can add Windsurf to their watchlist and receive same-day email alerts whenever this document or any other Windsurf document changes.

CA-D-000783

Windsurf Security & Data Handling

Windsurf

Last change detected June 2, 2026 Privacy policy

SHA-256: bcb9b134abe873978bb… 3 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Windsurf ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

6 Medium severity

1 Low severity

Summary

This is Windsurf's security and privacy disclosure covering how the company handles code data, model inference, subprocessors, and deployment options for its AI code assistant products. For individual users on cloud plans, logs containing code snippets and user interaction trajectories may be retained unless the user manually enables zero-data retention mode from their profile page; for Teams and Enterprise plans, zero-data retention applies by default. The document also discloses that multiple AI inference providers including OpenAI, Anthropic, Google Vertex, xAI, and Fireworks receive code data, each under zero-data retention agreements, while Bing API receives query data derived from code without such an agreement.

Technical / Legal Breakdown

This document is Windsurf's security and privacy disclosure page (last updated March 11, 2025), governing data flows, subprocessor relationships, deployment architectures, and compliance posture for an AI-powered code assistant platform serving individual developers and enterprise customers. The document states that for individual cloud plans without zero-data retention mode enabled, logs that may contain code snippets and user trajectories could be stored, while teams and enterprise plans apply zero-data retention by default; the policy discloses that OpenAI, Anthropic, Google Cloud Vertex, xAI, and Fireworks each receive code data for inference with zero-data retention agreements in place, while Bing API receives text potentially derived from code data without a zero-data retention agreement. The document identifies a notable operational distinction for individual users: zero-data retention is opt-in rather than default, meaning code snippets and usage trajectories may be retained and accessible to internal analytics tools including Retool, Raindrop, Metabase, and Tableau unless the user actively enables the mode; the document also discloses that OpenAI and Anthropic models may be leveraged independent of user model selection for background tasks such as summarization. The document references SOC 2 Type II certification, FedRAMP High accreditation, and HIPAA compliance posture with optional Business Associate Agreements, engaging frameworks relevant to federal procurement, healthcare data handling, and enterprise data residency requirements. Compliance teams should note that the Bing API integration for web search lacks a zero-data retention agreement and requires explicit Team or Enterprise administrator enablement, and that individual user data protections are materially weaker than enterprise defaults absent active opt-in to zero-data retention mode.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

3 versions captured · Last updated: May 2026

May 16, 2026

low

What changed Windsurf updated its Security & Data Handling policy on May 16, 2026 to disclose two practices involving data exposure. The policy now states that Windsurf uses Raindrop, a third-party service, to view usage analytics and aggregate statistics, and that users not using Zero-data retention mode may have their logs exposed for debugging purposes. Previously, this disclosure was not present in the policy.

Why this matters The updated policy now explicitly states that Windsurf uses Raindrop to view usage analytics and aggregate statistics, and that debug logs may be exposed for users not on zero-data retention mode. Previously these practices were not disclosed in the policy. The policy establishes that Zero-data retention mode provides more restricted log access, while standard users operate under different log exposure terms. You can switch to Zero-data retention mode to limit debug log exposure.

View full change record →

Recent Provision Changes Jun 2, 2026

Added (2)

Account Deletion and Zero-Data Retention Medium

New provision explicitly addresses account deletion and data retention practices, clarifying that zero-data retention applies by default for enterprise/team plans.

Subprocessor Code Data Access Disclosure Medium

New provision adds plan-dependent disclosure of subprocessors and introduces Google Cloud Platform as a subprocessor with conditional code data storage.

Removed (3)

Internal Tool Access to Code Logs Without Zero-Data Retention

Removal of transparency about internal tool access (Slack, Google Workspace, Retool) and debugging data discussions suggests either consolidation into other provisions or de-emphasis of internal data handling disclosures.

HIPAA Compliance and Business Associate Agreement Availability

Removal of explicit HIPAA compliance and BAA availability statements removes transparency about healthcare data handling and regulatory compliance options.

Subprocessor Disclosure and Data Exposure Scope

Removal of Oracle Cloud from subprocessor list and restructuring of subprocessor disclosure format; Oracle Cloud's code data access capability is no longer explicitly disclosed.

Modified (3)

Model Use Independent of User Selection

Provision was renamed from 'AI Model Use Independent of User Selection' to 'Model Use Independent of User Selection' with identical content.

Code Ownership and Attribution Filtering

Changed detection methodology from 'line-by-line fuzzy matching algorithm of hashes' to 'Jaccardian edit-distance' and added explicit statement about sanitizing training data.

Real-Time and Ahead-of-Time Personalization Data Collection

Severity was downgraded from 'medium' to 'low' while content remained identical.

2 provisions unchanged.

View full change record →

Medium — 6 provisions

Individual User Zero-Data Retention Opt-In Compare →

Individual plan users are subject to data retention by default, meaning code snippets and usage data may be stored unless the user actively enables zero-data retention mode via their profile page. Teams and Enterprise plans receive zero-data retention as a default.

Added May 12, 2026 Standard Seen across 284 platforms
Bing API Subprocessor Without Zero-Data Retention Agreement Compare →

The Bing API receives query data derived from user inputs, conversation history, and potentially code data as part of web search functionality. Unlike other inference providers, Windsurf does not have a zero-data retention agreement with Bing, and this integration must be explicitly enabled by Team or Enterprise administrators.

Added May 21, 2026 Standard Seen across 252 platforms
Model Use Independent of User Selection Compare →

The document discloses that OpenAI, Anthropic, and Google Cloud Vertex models may be used for background processing tasks such as summarization regardless of which model the user has selected for their primary AI interactions. Enterprise administrators can disable specific providers at the organizational level.

Added May 21, 2026 Standard Seen across 252 platforms
Code Ownership and Attribution Filtering Compare →

The document asserts that users own code generated by Windsurf products to the extent permitted by law, and discloses that attribution filtering is applied to intercept generated code similar to non-permissively licensed code before it is shown to users. The document also acknowledges limitations in making representations about third-party model training data.

Added May 12, 2026 Standard Seen across 242 platforms
Subprocessor Code Data Access Disclosure Compare →

The document provides a comprehensive list of subprocessors, identifying for each whether they see code data and under what conditions. Multiple infrastructure and analytics providers including GCP, Crusoe, Modal, Oracle Cloud, and dashboard tools including Retool, Raindrop, Metabase, and Tableau may access code data for individual users not on zero-data retention mode.

Added May 21, 2026 Standard Seen across 252 platforms
Account Deletion and Zero-Data Retention Compare →

The document discloses account deletion and zero-data retention mechanisms, distinguishing between default protections for enterprise and teams users versus opt-in protections for individual users. The document includes a dedicated section on account deletion linked from the table of contents, though the full text of that section was not available in the provided document excerpt.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 1 provision

Real-Time and Ahead-of-Time Personalization Data Collection Compare →

The document discloses that Windsurf makes background requests to its servers without user-triggered input events, for the purposes of building context, understanding developer intent, and scanning for potential next steps. Embedding computation requests are also made proactively to process existing codebases.

Added May 21, 2026 Standard Seen across 284 platforms

Monitoring

Windsurf has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Account Deletion and Zero-Data Retention and similar clauses.

Compare across platforms →