The computed embeddings from your code is stored on Cursor servers and contain a lot of information bits about your code. They currently don’t seem to address the concerns and think these embeddings are not their customer’s data. That is problematic and they need to fix it and give more control over it to their customers.
Here is the section from their current privacy policy (Privacy Policy | Cursor - The AI-first Code Editor):
If you choose to index your codebase, Cursor will upload your codebase in small chunks to our server to compute embeddings, but all plaintext code ceases to exist after the life of the request. The embeddings and metadata about your codebase (hashes, file names) may be stored in our database, but none of your code is.
Until they do so, this is not really enterprise ready.
Here are some more questions that need clarification before our security folks can allow its usage at work:
That said, they have done a very good job on the security side, their explanation of their security story is one of the best I have seen.