Cursor DPA, sub-processor agreements, and data flow

I’m investigating whether Cursor may be suitable for our developers, but we have very strict AI guidelines. I noticed that your terms do not contain a data processing agreement (DPA). Is this something you are working on?

I am concerned about the use of public third party generative AI, and would need guarantees that any code or prompts are not used for training or enhancing a model.

It would be very useful to see a data flow diagram with respect to this, and obtain a copy of your SOC 2 Type II report to understand the architecture and sub-processor agreements in more depth.

Who can I talk to to obtain these?

Thanks,
Steve

I have a similar request for my organization and have sent an email to [email protected] to get help on matters like these, I have yet to receive a response.

Same for us. After asking two times already for a DPA and or Standard Contractual Clauses I always got a response with public links to security, terms and privacy.

Dear colleagues that read this in the future, I’ve been through this process with our DPO, and it turns out that we did not end up needing a DPA at all.

Basically, Cursor has:

  • A SOC2 Audit status page, which answers some of the questions about data storage
  • A Subprocessors list that makes it easy to trace back the different sub-vendors
  • Terms of use which lay out the details regarding judicial arbitrage, fair use, and auditing
  • Privacy policy that goes into detail about their no-store no-train policy on Business plan.

All these combined (especially 1&2) basically answer all the questions that DPA would answer and can replace a DPA easily.

I wish that Cursor was a bit more informed about these requirements, as they literally already have everything in place, just not in a single formalized DPA.

P.S. There is a remaining question about generated code ownership and intellectual property. A DPA might (or might not) cover that depending on your use case. In my case it was enough to specify:

  1. Cursor itself does not hold / take away the rights to intellectual property.
  2. Look at each LLM model’s policy, and declare which one are “safe” to use by your team (In my case Claude, Deepseek and cursor models).

Just to follow up, section 6.2 of our Terms of Use explains that any code or code edits (known as ‘suggestions’) are owned by you, and we have no ownership to the code you write in Cursor, including when assisted by our AI.

Hey everyone — just wanted to share that I found the Cursor Data Processing Addendum (DPA) after some digging. It’s a bit hidden, under their Privacy and Data Governance docs, and can be found here:

:backhand_index_pointing_right: https://cursor.com/terms/dpa

Since I’m a new user, I can only post one link — I chose the direct link to the DPA, as I think that’s the most relevant part for most people here.

@markomitranic This is inaccurate and misleading. SOC 2, subprocessor list, Privacy Policy and Terms of Use, etc. do not replace the necessary standard data protection clauses required under Article 46 as an appropriate safeguard.

Cursor’s DPA is currently only incorporated into their MSA which as of today appears to only cover Enterprise plans. It references EU SCCs and the UK Addendum which meet the appropriate Article 46 safeguard requirements for the EU GDPR and UK GDPR, so they are well aware the rest is not a replacement for a DPA.