The document provides a comprehensive list of subprocessors, identifying for each whether they see code data and under what conditions. Multiple infrastructure and analytics providers including GCP, Crusoe, Modal, Oracle Cloud, and dashboard tools including Retool, Raindrop, Metabase, and Tableau may access code data for individual users not on zero-data retention mode.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision discloses the full subprocessor chain and the conditions under which each provider may access code-derived data, enabling enterprise compliance teams to conduct third-party risk assessments and verify alignment with their vendor approval requirements. The disclosure that multiple analytics dashboard tools may expose code logs for users not on zero-data retention mode is operationally significant for individual user data governance.
New provision adds plan-dependent disclosure of subprocessors and introduces Google Cloud Platform as a subprocessor with conditional code data storage.
View full change record →Under these terms, individual plan users not in zero-data retention mode may have code snippet logs accessible to multiple internal analytics and dashboard subprocessors including Retool, Raindrop, Metabase, and Tableau for debugging and analytics purposes. Enterprise and Teams plan users operating under zero-data retention defaults are not subject to this subprocessor code data exposure under normal operation.
How other platforms handle this
By issuing a chargeback or refund request for Premium subscriptions paid for through a third party, you agree to allow Telegram to release necessary data to that third party regarding your account status and Telegram Premium purchases.
We will share individual user information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable govern...
11 Inferences Conclusions that could be used to create a profile reflecting an individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitude. YES. YES
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on your choice of plan (and thus deployment), we may use some or all of the following subcontractors. Google Cloud Platform (GCP) (Stores code data only if Cloud and relevant features are opted-in, sees code data): Usage analytics and logs are primarily hosted on GCP. Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models.— Excerpt from Windsurf's Windsurf Security & Data Handling
1. REGULATORY LANDSCAPE: This provision engages GDPR Article 28 requirements for data processing agreements with subprocessors, requiring that each subprocessor listed provide sufficient guarantees of GDPR-compliant data processing. CCPA obligations regarding disclosure of service providers and their data handling practices are also relevant for California users. Enforcement authorities include national supervisory authorities under GDPR and the California Privacy Protection Agency. 2. GOVERNANCE EXPOSURE: Medium. The breadth of the subprocessor list and the conditional code data access descriptions create a data mapping and vendor assessment obligation for organizations deploying Windsurf, particularly for regulated industries. The disclosure is detailed and specific, which reduces transparency risk but does not eliminate the underlying third-party data exposure. 3. JURISDICTION FLAGS: EU/EEA organizations must verify that each subprocessor listed has adequate data processing agreements and that cross-border data transfer mechanisms are in place where applicable. The Oracle Cloud cluster in Frankfurt is disclosed, which may assist with EU data residency requirements for enterprise deployments. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should add each subprocessor that may access code data to their vendor risk management registers. The conditional nature of access for GCP, Retool, Raindrop, Metabase, and Tableau depending on plan and zero-data retention status should be documented in data processing agreements and data flow maps. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should conduct data mapping exercises using this subprocessor list to ensure all code data flows are documented. For GDPR compliance, organizations should verify that Windsurf maintains current data processing agreements with each listed subprocessor and that these are available for review upon request.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision discloses the full subprocessor chain and the conditions under which each provider may access code-derived data, enabling enterprise compliance teams to conduct third-party risk assessments and verify alignment with their vendor approval requirements. The disclosure that multiple analytics dashboard tools may expose code logs for users not on zero-data retention mode is operationally significant for individual user data …
Under these terms, individual plan users not in zero-data retention mode may have code snippet logs accessible to multiple internal analytics and dashboard subprocessors including Retool, Raindrop, Metabase, and Tableau for debugging and analytics purposes. Enterprise and Teams plan users operating under zero-data retention defaults are not subject to this subprocessor code data exposure under normal operation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.