Individual plan users are subject to data retention by default, meaning code snippets and usage data may be stored unless the user actively enables zero-data retention mode via their profile page. Teams and Enterprise plans receive zero-data retention as a default.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a materially different default data protection posture for individual users compared to organizational plan users, requiring individual users to take an affirmative opt-in action to prevent retention of code snippets and interaction data. Compliance teams assessing GDPR or CCPA obligations for individual developer users should evaluate whether this opt-in structure satisfies applicable data minimization and consent requirements.
The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.
View change record →Under these terms, individual users' code snippets and user trajectories may be retained and accessible to internal analytics tools unless zero-data retention mode is explicitly enabled from the profile page. Teams and Enterprise plan users receive zero-data retention protection without needing to take action.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"For any teams or enterprise plans, all inputs and outputs to these requests follow zero-data retention policies by default. For any individual plan, users can opt-in to zero-data retention mode from their profile page. A large fraction of individual users have zero-data retention mode enabled.— Excerpt from Windsurf's Windsurf Security & Data Handling
1. REGULATORY LANDSCAPE: This provision engages GDPR data minimization and purpose limitation principles for EU-resident individual users, as well as CCPA data retention and consumer rights obligations for California residents. The FTC Act is relevant to the accuracy and prominence of the disclosure regarding the opt-in requirement. The relevant enforcement authorities are the European Data Protection Board and national supervisory authorities under GDPR, the California Privacy Protection Agency under CCPA, and the FTC for US consumer protection. Whether the opt-in disclosure is sufficiently prominent to satisfy GDPR consent standards is a jurisdiction-dependent question. 2. GOVERNANCE EXPOSURE: Medium. The asymmetry between individual and enterprise data retention defaults creates a disclosure adequacy risk, particularly for GDPR-covered individual users who may not be aware that zero-data retention is not the default. The document does disclose this clearly, which reduces but does not eliminate regulatory exposure depending on how the disclosure is surfaced during onboarding. 3. JURISDICTION FLAGS: EU/EEA individual users face heightened exposure given GDPR data minimization requirements. California individual users may have CCPA rights regarding data collected and retained under this default posture. The opt-in requirement may be evaluated under GDPR as to whether it constitutes adequate transparency and whether the legal basis for retention absent opt-in is sufficiently established. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams deploying Windsurf for individual developers in regulated industries should confirm zero-data retention mode status across their developer population. The document does not indicate whether enterprise administrators can enforce zero-data retention for individual-tier users within their organization, which may require clarification before deployment. 5. COMPLIANCE CONSIDERATIONS: Legal teams should audit whether onboarding flows for individual users surface the zero-data retention opt-in prominently enough to satisfy GDPR transparency obligations. Data mapping exercises should distinguish between individual and enterprise plan data flows. For regulated industries where developers may be processing sensitive code, a policy requiring developers to enable zero-data retention mode may be warranted.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a materially different default data protection posture for individual users compared to organizational plan users, requiring individual users to take an affirmative opt-in action to prevent retention of code snippets and interaction data. Compliance teams assessing GDPR or CCPA obligations for individual developer users should evaluate whether this opt-in structure satisfies applicable data minimization and consent requirements.
Under these terms, individual users' code snippets and user trajectories may be retained and accessible to internal analytics tools unless zero-data retention mode is explicitly enabled from the profile page. Teams and Enterprise plan users receive zero-data retention protection without needing to take action.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.