What is the severity of this clause?

ConductAtlas classifies this Agentic Experience and Terminal Command Auto-Run Opt-In clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Agentic Experience and Terminal Command Auto-Run Opt-In — Windsurf

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Windsurf Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

ⓘ

This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The auto-run mode, which executes arbitrary terminal commands including binary execution and infrastructure inspection without per-command user approval, represents a significant operational security consideration for individual users who enable it.

Consumer impact (what this means for users)

The document states that individual plan users who have not enabled zero-data retention mode may have logs containing code snippets and user trajectories stored and potentially discussed via internal communications and analytics tools including Slack, Google Workspace, Retool, Metabase, and Tableau. The document also discloses that Windsurf may route requests to AI model providers, including OpenAI, Anthropic, and Google Vertex, independent of the user's own model selection, for tasks such as summarization. You can enable zero-data retention mode by navigating to your profile page within the Windsurf application.

How other platforms handle this

OpenAI Medium

In agentic contexts, GPT-4o must apply particularly careful judgment about when to proceed versus when to pause and verify with the operator or user, since mistakes may be difficult to reverse, and could have downstream consequences within the same pipeline. We advise operators and users to follow t...

Anthropic Medium

Our Additional Use Case Guidelines apply to certain other use cases, including consumer-facing chatbots, products serving minors, agentic use, and Model Context Protocol servers.

GitHub Medium

ISO/IEC 42001:2023

See all platforms with this clause type →

Monitoring

Windsurf has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Another tool suggests arbitrary terminal commands for the user to accept before being executed, which could include actions such as compilation, binary execution, infrastructure inspection, and more. These also use the client's IDE's native terminal. There are various modes for this tool, including an opt-in mode that will auto-run every command, independent of risk (unavailable for any Teams or Enterprise user), as well as controls to whitelist or blacklist various commands. By default, no suggested terminal command auto-runs for customer infrastructure security reasons.

— Excerpt from Windsurf's Windsurf Security & Data Handling

Applicable regulations

EU AI Act

European Union

California AB 2013 AI Training Data Transparency

US-CA

Colorado AI Act

US-CO

EU AI Act - High Risk Provisions

Trump Executive Order on AI Policy Framework

Provision details

Document information

Document

Windsurf Security & Data Handling

Entity

Windsurf

Document last updated

May 11, 2026

Tracking information

First tracked

May 11, 2026

Last verified

May 12, 2026

Record ID

CA-P-010669

Document ID

CA-D-00783

Evidence Provenance

Source URL

https://windsurf.com/security

Wayback Machine

View archived versions →

Content hash (SHA-256)

712fafa072f4ddaa82cb418bf6718dcc9783559af0681efa6fe16d44b530e852

Analysis generated

May 11, 2026 12:52 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Windsurf
Document: Windsurf Security & Data Handling
Record ID: CA-P-010669
Captured: 2026-05-11 12:52:11 UTC
SHA-256: 712fafa072f4ddaa…
URL: https://conductatlas.com/platform/windsurf/windsurf-security-data-handling/agentic-experience-and-terminal-command-auto-run-opt-in/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Individual User Zero-Data Retention Opt-In medium
AI Model Use Independent of User Selection medium
Bing API Lacks Zero-Data Retention Agreement medium
Internal Tool Access to Code Logs Without Zero-Data Retention medium
Code Ownership and Attribution Filtering medium
HIPAA Compliance and Business Associate Agreement Availability medium

Related Analysis

AI Training Data Provisions Across Major Platforms: A Provision-Level Comparison
How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Windsurf's Agentic Experience and Terminal Command Auto-Run Opt-In clause do?

Is ConductAtlas affiliated with Windsurf?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.