This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision operationalizes different data handling standards based on subscription tier, with enterprise and team arrangements automatically excluding data retention while individual users must affirmatively elect this configuration.
The updated document establishes explicit commitments about how Windsurf protects data and manages security. The terms state that all data transmission is encrypted in transit and at rest, that access to production systems is restricted to a small number of employees or contractors based on business roles, and that production systems are monitored via logging, error handling, and monitoring dashboards. The document discloses that Windsurf obtained SOC 2 Type II certification as of March 2024 and that all employees and contractors are required to use multi-factor authentication and receive annual security training. These disclosures describe organizational practices rather than establishing new user-facing rights or obligations.
Individual plan users operate under a default data retention model unless they affirmatively enable zero-data retention mode from their profile page; teams and enterprise plan users have zero-data retention applied without requiring configuration.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
Windsurf has changed this document before.
"For any teams or enterprise plans, all inputs and outputs to these requests follow zero-data retention policies by default. For any individual plan, users can opt-in to zero-data retention mode from their profile page. A large fraction of individual users have zero-data retention mode enabled." — Excerpt from Windsurf's Windsurf Security & Data Handling
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.