Windsurf · Windsurf Security & Data Handling · View original document ↗

Subprocessor Disclosure and Data Exposure Scope

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Windsurf recorded 7 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Windsurf Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

Windsurf uses a range of third-party compute providers, including Crusoe, Modal, and Oracle Cloud, to train and host its custom AI models, and these providers have access to code data used for inference.

This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.

Interpretive note: The document does not specify whether zero-data retention or equivalent contractual protections exist for Crusoe, Modal, and Oracle Cloud, creating ambiguity about the data protection scope for these subprocessors.

Recent Activity

This document changed recently

Medium Jun 23, 2026

The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.

View change record →

Change history

removed Jun 2, 2026

Removal of Oracle Cloud from subprocessor list and restructuring of subprocessor disclosure format; Oracle Cloud's code data access capability is no longer explicitly disclosed.

View full change record →

Consumer impact (what this means for users)

This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

See all platforms with this clause type →

Monitoring

Windsurf has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models. Oracle Cloud (Sees code data for inference): We manage Oracle Cloud's compute for training some of our custom models, as well as hosting some of our custom models.

— Excerpt from Windsurf's Windsurf Security & Data Handling

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 28 subprocessor obligations, requiring that subprocessors provide sufficient data protection guarantees and that data processing agreements flow down to subprocessors. It also engages CCPA requirements regarding disclosure of service providers and third parties. Relevant enforcement authorities are EU supervisory authorities and the California Privacy Protection Agency. The document does not specify whether Crusoe, Modal, or Oracle Cloud have zero-data retention agreements in place. (2) GOVERNANCE EXPOSURE: Medium. The document states that these providers see code data for inference without specifying whether zero-data retention agreements are in place for each, unlike the explicit disclosures made for OpenAI, Anthropic, Google Vertex, xAI, and Fireworks. This creates a potential gap in the data protection chain that compliance teams should verify. (3) JURISDICTION FLAGS: EU/EEA users should assess whether data processed by Crusoe, Modal, and Oracle Cloud is subject to adequate data transfer mechanisms under GDPR Chapter V. Oracle Cloud's Frankfurt cluster is disclosed, but the jurisdiction of Crusoe and Modal's compute is not specified in the document. Organizations in regulated sectors should assess whether these subprocessors meet their sector-specific data protection requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request confirmation from Windsurf regarding whether zero-data retention or equivalent contractual protections are in place with Crusoe, Modal, and Oracle Cloud. Vendor assessment checklists should include all named subprocessors, not only the AI inference providers for whom zero-data retention agreements are explicitly disclosed. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request a current and complete subprocessor list from Windsurf as part of due diligence, and assess whether the disclosures in this document are sufficient to satisfy GDPR Article 13/14 information obligations. Data flow maps should be updated to reflect all named compute subprocessors. Where subprocessor data protection terms are not specified, legal teams should seek written confirmation before deployment.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over whether subprocessor disclosures are adequate and whether third-party data processing arrangements are consistent with consumer-facing privacy representations.
    File a complaint →

Applicable regulations

EU AI Act
European Union
CCPA/CPRA
California, USA
Colorado AI Act
US-CO
Connecticut Data Privacy Act Amendments
US-CT
EU AI Act - High Risk Provisions
EU
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Windsurf Security & Data Handling
Entity
Windsurf
Document last updated
May 11, 2026
Tracking information
First tracked
May 11, 2026
Last verified
May 12, 2026
Record ID
CA-P-011260
Document ID
CA-D-00783
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
712fafa072f4ddaa82cb418bf6718dcc9783559af0681efa6fe16d44b530e852
Analysis generated
May 11, 2026 12:52 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Windsurf
Document: Windsurf Security & Data Handling
Record ID: CA-P-011260
Captured: 2026-05-11 12:52:11 UTC
SHA-256: 712fafa072f4ddaa…
URL: https://conductatlas.com/platform/windsurf/windsurf-security-data-handling/subprocessor-disclosure-and-data-exposure-scope/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Windsurf's Subprocessor Disclosure and Data Exposure Scope clause do?

The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.

How does this clause affect you?

This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.

Is ConductAtlas affiliated with Windsurf?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.