Windsurf uses a range of third-party compute providers, including Crusoe, Modal, and Oracle Cloud, to train and host its custom AI models, and these providers have access to code data used for inference.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
Interpretive note: The document does not specify whether zero-data retention or equivalent contractual protections exist for Crusoe, Modal, and Oracle Cloud, creating ambiguity about the data protection scope for these subprocessors.
The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.
View change record →Removal of Oracle Cloud from subprocessor list and restructuring of subprocessor disclosure format; Oracle Cloud's code data access capability is no longer explicitly disclosed.
View full change record →This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models. Oracle Cloud (Sees code data for inference): We manage Oracle Cloud's compute for training some of our custom models, as well as hosting some of our custom models.— Excerpt from Windsurf's Windsurf Security & Data Handling
(1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 28 subprocessor obligations, requiring that subprocessors provide sufficient data protection guarantees and that data processing agreements flow down to subprocessors. It also engages CCPA requirements regarding disclosure of service providers and third parties. Relevant enforcement authorities are EU supervisory authorities and the California Privacy Protection Agency. The document does not specify whether Crusoe, Modal, or Oracle Cloud have zero-data retention agreements in place. (2) GOVERNANCE EXPOSURE: Medium. The document states that these providers see code data for inference without specifying whether zero-data retention agreements are in place for each, unlike the explicit disclosures made for OpenAI, Anthropic, Google Vertex, xAI, and Fireworks. This creates a potential gap in the data protection chain that compliance teams should verify. (3) JURISDICTION FLAGS: EU/EEA users should assess whether data processed by Crusoe, Modal, and Oracle Cloud is subject to adequate data transfer mechanisms under GDPR Chapter V. Oracle Cloud's Frankfurt cluster is disclosed, but the jurisdiction of Crusoe and Modal's compute is not specified in the document. Organizations in regulated sectors should assess whether these subprocessors meet their sector-specific data protection requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request confirmation from Windsurf regarding whether zero-data retention or equivalent contractual protections are in place with Crusoe, Modal, and Oracle Cloud. Vendor assessment checklists should include all named subprocessors, not only the AI inference providers for whom zero-data retention agreements are explicitly disclosed. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request a current and complete subprocessor list from Windsurf as part of due diligence, and assess whether the disclosures in this document are sufficient to satisfy GDPR Article 13/14 information obligations. Data flow maps should be updated to reflect all named compute subprocessors. Where subprocessor data protection terms are not specified, legal teams should seek written confirmation before deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.