Windsurf · Windsurf Security & Data Handling · View original document ↗

Subprocessor Model Routing Independent of User Selection

Medium severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Windsurf recorded 7 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Windsurf Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.

This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The provision establishes an operational framework where model selection occurs at the system level rather than per-request, enabling Windsurf to allocate processing tasks to OpenAI infrastructure based on internal routing logic while limiting data persistence through contractual safeguards with the subprocessor.

Recent Activity

This document changed recently

Medium Jun 23, 2026

The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.

View change record →

Consumer impact (what this means for users)

Users operating under standard settings may have requests processed through OpenAI models without explicit per-request confirmation, though the terms establish that data is not retained by OpenAI. Organizations with enterprise administration access can opt out of OpenAI model usage entirely through administrative controls.

How other platforms handle this

Peloton Medium

By submitting or posting User Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such User Content in any and all media or distribu...

Calm Medium

By making any User Content available to Calm, you hereby grant to Calm a non-exclusive, transferable, sublicensable, worldwide, royalty-free, license to use, store, publish, translate, reproduce, adapt, copy, modify, create derivative works based upon, publicly display, publicly perform, and distrib...

Headspace Medium

By submitting User Material you hereby grant Headspace an irrevocable, perpetual, non-exclusive, royalty free, worldwide license to use, telecast, copy, perform, display, edit, distribute and otherwise exploit the User Material you post on the Products, or any portion thereof, and any ideas, concept...

See all platforms with this clause type →

Monitoring

Windsurf has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
We offer the optionality of using OpenAI's models for various AI requests. We may leverage OpenAI models independent of user selection for processing other tasks (e.g. for summarization). We have a zero data retention agreement with OpenAI. Enterprise administrators can disable use of OpenAI models for their organization.

— Excerpt from Windsurf's Windsurf Security & Data Handling

Applicable regulations

EU AI Act
European Union
CCPA/CPRA
California, USA
Colorado AI Act
US-CO
ePrivacy Directive
European Union
EU AI Act - High Risk Provisions
EU
FTC Act Section 5
United States Federal
GDPR
European Union

Provision details

Document information
Document
Windsurf Security & Data Handling
Entity
Windsurf
Document last updated
May 11, 2026
Tracking information
First tracked
May 11, 2026
Last verified
May 12, 2026
Record ID
CA-P-010664
Document ID
CA-D-00783
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
712fafa072f4ddaa82cb418bf6718dcc9783559af0681efa6fe16d44b530e852
Analysis generated
May 11, 2026 12:52 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Windsurf
Document: Windsurf Security & Data Handling
Record ID: CA-P-010664
Captured: 2026-05-11 12:52:11 UTC
SHA-256: 712fafa072f4ddaa…
URL: https://conductatlas.com/platform/windsurf/windsurf-security-data-handling/subprocessor-model-routing-independent-of-user-selection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Windsurf's Subprocessor Model Routing Independent of User Selection clause do?

The provision establishes an operational framework where model selection occurs at the system level rather than per-request, enabling Windsurf to allocate processing tasks to OpenAI infrastructure based on internal routing logic while limiting data persistence through contractual safeguards with the subprocessor.

How does this clause affect you?

Users operating under standard settings may have requests processed through OpenAI models without explicit per-request confirmation, though the terms establish that data is not retained by OpenAI. Organizations with enterprise administration access can opt out of OpenAI model usage entirely through administrative controls.

Is ConductAtlas affiliated with Windsurf?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.