Dear colleagues who read this in the future, I’ve been through this process with our DPO, and it turns out that we did not end up needing a DPA at all.
Basically, Cursor has:
- A SOC2 Audit status page, which answers some of the questions about data storage
- A Subprocessors list that makes it easy to trace back the different sub-vendors
- Terms of use which lay out the details regarding judicial arbitrage, fair use, and auditing
- Privacy policy that goes into detail about their no-store no-train policy on the Business plan.
All these combined (especially 1 & 2) basically answer all the questions that a DPA would answer and can replace a DPA easily.
I wish that Cursor was a bit more informed about these requirements, as they literally already have everything in place, just not in a single formalized DPA.
P.S. There is a remaining question about generated code ownership and intellectual property. A DPA might (or might not) cover that depending on your use case. In my case it was enough to specify:
- Cursor itself does not hold / take away the rights to intellectual property.
- Look at each LLM model’s policy, and declare which ones are “safe” to use by your team (in my case Claude, Deepseek and Cursor models).