The document discloses that OpenAI, Anthropic, and Google Cloud Vertex models may be used for background processing tasks such as summarization regardless of which model the user has selected for their primary AI interactions. Enterprise administrators can disable specific providers at the organizational level.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that user model selection does not fully constrain which inference providers receive code-derived data, as background tasks may route data to additional providers. Enterprise administrators have controls to disable specific providers, but individual users do not appear to have equivalent granular controls outside of zero-data retention mode.
Provision was renamed from 'AI Model Use Independent of User Selection' to 'Model Use Independent of User Selection' with identical content.
View full change record →Under these terms, data including code context may be routed to OpenAI, Anthropic, and Google Cloud Vertex for background tasks such as summarization independent of the user's explicit model selection. Enterprise administrators can disable specific model providers for their organization, but individual user controls over this routing are not described beyond zero-data retention mode.
How other platforms handle this
For campus users only, we may provide identifiers to select food service providers that operate restaurants and other food ordering and delivery services on your campus so that they can communicate directly with you and send you personalized communications and marketing. Please see Section 2.1 below...
We will share individual user information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable govern...
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may leverage OpenAI models independent of user selection for processing other tasks (e.g. for summarization). We may leverage Anthropic models independent of user selection for processing other tasks (e.g. for summarization). We may leverage these models independent of user selection for processing other tasks (e.g. for summarization).— Excerpt from Windsurf's Windsurf Security & Data Handling
1. REGULATORY LANDSCAPE: This provision engages GDPR purpose limitation principles, as data submitted for one purpose may be processed by additional third-party providers for background tasks. The FTC Act is relevant to the accuracy of disclosures regarding data routing practices. Enforcement authorities include national supervisory authorities under GDPR and the FTC for US consumer protection purposes. 2. GOVERNANCE EXPOSURE: Medium. The disclosure that model routing for background tasks may differ from user-selected model preferences creates a transparency consideration, particularly for organizations that have approved specific AI providers in their vendor management programs but not others. The zero-data retention agreements with OpenAI, Anthropic, and Google Vertex mitigate but do not eliminate the governance consideration. 3. JURISDICTION FLAGS: EU/EEA users may raise purpose limitation concerns under GDPR if data submitted for code assistance is processed by additional providers for summarization tasks without a clear legal basis. Organizations in regulated sectors that have approved specific AI vendors should assess whether this routing is consistent with their approved vendor lists. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should confirm that all providers that may receive code-derived data under this provision (OpenAI, Anthropic, Google Vertex) are included in their vendor assessment and approval processes. The ability for administrators to disable specific providers is a material control that should be documented in vendor management records. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should document which providers are enabled or disabled at the organizational level and ensure this aligns with their AI governance policies. For organizations with specific AI provider approval requirements, administrator-level controls over model provider selection should be reviewed and configured before deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that user model selection does not fully constrain which inference providers receive code-derived data, as background tasks may route data to additional providers. Enterprise administrators have controls to disable specific providers, but individual users do not appear to have equivalent granular controls outside of zero-data retention mode.
Under these terms, data including code context may be routed to OpenAI, Anthropic, and Google Cloud Vertex for background tasks such as summarization independent of the user's explicit model selection. Enterprise administrators can disable specific model providers for their organization, but individual user controls over this routing are not described beyond zero-data retention mode.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.