Windsurf states its platform is HIPAA compliant and will provide a Business Associate Agreement for larger healthcare implementations, but notes that most code submitted to the platform is not considered protected health information.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Healthcare organizations using Windsurf should be aware that a BAA is described as available for 'significant implementations' rather than as a standard offering, meaning smaller healthcare customers may need to specifically request and negotiate one.
Interpretive note: The document does not define what constitutes a 'significant implementation' that would qualify for a BAA, leaving smaller healthcare customers uncertain about their eligibility or whether they must proactively request one.
The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.
Removal of explicit HIPAA compliance and BAA availability statements removes transparency about healthcare data handling and regulatory compliance options.
This provision states that Windsurf maintains HIPAA compliance and will provide a BAA for significant healthcare implementations. Healthcare organizations should assess whether their use of Windsurf constitutes a significant implementation requiring a BAA and should proactively request one rather than assuming it is automatically in place.
Windsurf has changed this document before.
"HIPAA compliance: In most cases, the data that a customer provides to us is not Personal Health Information (PHI) and does not need special compliance considerations in order to use our platform, even if you are a healthcare organization. This is particularly true for code, which does not carry any PHI itself. That said, our platform is maintained as HIPAA compliant and for significant implementations, we will entertain a Business Associate Agreement (BAA) to confirm HIPAA compliance."
— Excerpt from Windsurf's Windsurf Security & Data Handling
(1) REGULATORY LANDSCAPE: This provision directly implicates HIPAA and its implementing regulations, including the Privacy Rule and Security Rule. HHS OCR is the primary enforcement authority. The document's statement that the platform is 'maintained as HIPAA compliant' is an assertion rather than a certification; covered entities and their legal teams should verify the scope and currency of this compliance posture. The availability of a BAA is a material HIPAA requirement where Windsurf functions as a business associate.

(2) GOVERNANCE EXPOSURE: Medium. The document does not specify what constitutes a 'significant implementation' that would trigger BAA availability, nor does it indicate whether smaller healthcare customers can obtain a BAA on request. This ambiguity creates a potential gap for healthcare organizations that may require a BAA under HIPAA but do not meet an undefined significance threshold.

(3) JURISDICTION FLAGS: All US-based covered entities and business associates under HIPAA face exposure if a BAA is not in place and Windsurf processes or has access to PHI. The document's assertion that code generally does not carry PHI may not hold in all implementation scenarios, particularly where developers work on healthcare applications that include PHI in code comments, variable names, or test data.

(4) CONTRACT AND VENDOR IMPLICATIONS: Healthcare organizations should request a BAA before deployment and confirm that its scope covers all relevant use cases. Procurement teams should not rely on the document's general assertion that code does not carry PHI as a substitute for a PHI risk assessment specific to their implementation. The document does not specify the timeline or process for obtaining a BAA, which should be established during vendor onboarding.

(5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams at healthcare organizations should conduct a PHI risk assessment for their specific Windsurf use case, including whether any code, comments, or test data processed through the platform could contain PHI. Where a BAA is required, organizations should initiate that process before production use of the platform. HHS OCR guidance on business associate relationships should be reviewed in conjunction with this provision.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.