Windsurf uses a range of third-party compute providers, including Crusoe, Modal, and Oracle Cloud, to train and host its custom AI models, and these providers have access to code data used for inference.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
Interpretive note: The document does not specify whether zero-data retention or equivalent contractual protections exist for Crusoe, Modal, and Oracle Cloud, creating ambiguity about the data protection scope for these subprocessors.
This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.
How other platforms handle this
We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal, and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the ...
This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the ba...
We may link or combine information that we collect about you (such as linking your travel booking to your AAdvantage® account, or adding saved AAdvantage® account information to your booking). This may include information that we collect offline (such as in-person airport interactions), information ...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models. Oracle Cloud (Sees code data for inference): We manage Oracle Cloud's compute for training some of our custom models, as well as hosting some of our custom models.— Excerpt from Windsurf's Windsurf Security & Data Handling
(1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 28 subprocessor obligations, requiring that subprocessors provide sufficient data protection guarantees and that data processing agreements flow down to subprocessors. It also engages CCPA requirements regarding disclosure of service providers and third parties. Relevant enforcement authorities are EU supervisory authorities and the California Privacy Protection Agency. The document does not specify whether Crusoe, Modal, or Oracle Cloud have zero-data retention agreements in place. (2) GOVERNANCE EXPOSURE: Medium. The document states that these providers see code data for inference without specifying whether zero-data retention agreements are in place for each, unlike the explicit disclosures made for OpenAI, Anthropic, Google Vertex, xAI, and Fireworks. This creates a potential gap in the data protection chain that compliance teams should verify. (3) JURISDICTION FLAGS: EU/EEA users should assess whether data processed by Crusoe, Modal, and Oracle Cloud is subject to adequate data transfer mechanisms under GDPR Chapter V. Oracle Cloud's Frankfurt cluster is disclosed, but the jurisdiction of Crusoe and Modal's compute is not specified in the document. Organizations in regulated sectors should assess whether these subprocessors meet their sector-specific data protection requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request confirmation from Windsurf regarding whether zero-data retention or equivalent contractual protections are in place with Crusoe, Modal, and Oracle Cloud. Vendor assessment checklists should include all named subprocessors, not only the AI inference providers for whom zero-data retention agreements are explicitly disclosed. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request a current and complete subprocessor list from Windsurf as part of due diligence, and assess whether the disclosures in this document are sufficient to satisfy GDPR Article 13/14 information obligations. Data flow maps should be updated to reflect all named compute subprocessors. Where subprocessor data protection terms are not specified, legal teams should seek written confirmation before deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
This provision identifies Crusoe, Modal, and Oracle Cloud as subprocessors that see code data for inference and model training purposes, in addition to the AI inference providers listed separately. Users and enterprises should account for these additional compute providers when assessing the full scope of parties that may process their code data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.