The Bing API receives query data derived from user inputs, conversation history, and potentially code data as part of web search functionality. Unlike other inference providers, Windsurf does not have a zero-data retention agreement with Bing, and this integration must be explicitly enabled by Team or Enterprise administrators.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision identifies a specific subprocessor relationship where code-derived data is transmitted to a third party without the zero-data retention agreement that applies to other inference providers. Enterprise compliance teams should assess the Bing API data flow against their data classification policies and third-party risk frameworks before enabling this feature.
Under this clause, enabling the Bing API web search feature results in transmission of code-derived query data to Microsoft's Bing API without a zero-data retention guarantee, distinguishing this integration from other inference providers disclosed in the policy. The integration is disabled by default and requires explicit administrator enablement on Teams and Enterprise plans.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Bing API (Sees text potentially derived from code data): Used for web search functionality. The search query that is sent to the Bing API to retrieve website data is derived from the user's inputs, past conversation history, and potentially code data. We do not have a zero data retention agreement with Bing, so this must be explicitly enabled by Team and Enterprise administrators.— Excerpt from Windsurf's Windsurf Security & Data Handling
1. REGULATORY LANDSCAPE: This provision engages GDPR data transfer and third-party processor obligations, particularly where EU-resident users' code-derived data is transmitted to Bing API infrastructure that may not offer equivalent data protection guarantees. The relevant enforcement authorities are national data protection supervisory authorities under GDPR. CCPA obligations regarding disclosure of data sharing with third parties are also relevant for California-based users. The absence of a zero-data retention agreement may require evaluation under GDPR Article 28 processor requirements. 2. GOVERNANCE EXPOSURE: Medium. The explicit disclosure that no zero-data retention agreement exists with Bing distinguishes this subprocessor from others in the list. Organizations processing sensitive or proprietary code should assess whether enabling this feature is consistent with their data classification and third-party risk policies before administrator enablement. 3. JURISDICTION FLAGS: EU/EEA users face heightened exposure given GDPR requirements for adequate data processing agreements with subprocessors. Organizations subject to sector-specific data handling requirements (financial services, healthcare, defense) should evaluate whether enabling Bing API web search is permissible under their applicable frameworks. 4. CONTRACT AND VENDOR IMPLICATIONS: The document does not specify whether Bing API processes data under Microsoft's standard API terms or a negotiated agreement, which may be relevant to procurement teams conducting vendor assessments. The absence of a zero-data retention agreement should be flagged in third-party risk registers for organizations that enable this feature. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that administrator enablement of the Bing API web search feature is documented and approved through the organization's third-party risk review process. For EU deployments, a data transfer impact assessment may be warranted given the absence of a zero-data retention agreement. Organizations should maintain a record of which features have been enabled and the corresponding subprocessor data flows.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision identifies a specific subprocessor relationship where code-derived data is transmitted to a third party without the zero-data retention agreement that applies to other inference providers. Enterprise compliance teams should assess the Bing API data flow against their data classification policies and third-party risk frameworks before enabling this feature.
Under this clause, enabling the Bing API web search feature results in transmission of code-derived query data to Microsoft's Bing API without a zero-data retention guarantee, distinguishing this integration from other inference providers disclosed in the policy. The integration is disabled by default and requires explicit administrator enablement on Teams and Enterprise plans.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.