AI Vendor Security & Compliance Brief
Cursor
Independent due-diligence summary · every fact links to the vendor's official source
89/100
AI Governance Readiness
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 89 out of 100. This is supported by confirmed SOC 2 Type 2 and ISO certifications, with the audit report available under NDA. A critical vulnerability, CVE-2026-22708, was disclosed and fixed in version 2.3. For comprehensive due diligence, requesting the full audit report under NDA is the most useful next step.
Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, SOC 2.
- Customer-Data Training Vendor states it does NOT train on customer data.
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure 19 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 12 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items
are shown but never silently counted against the vendor.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://trust.cursor.com/ |
| SOC 2 | Stated by vendor | https://trust.cursor.com/ |
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| IP / Content Ownership key clause |
True
“You retain all of your right, title, and interest that you have in Inputs, and Anysphere hereby assigns to you all of our right, title, and interest if any in and to any Suggestions.”vendor's exact wording |
https://cursor.com/terms-of-service |
| Limitation of Liability key clause |
True
“TO THE FULLEST EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF THE ANYSPHERE ENTITIES TO YOU FOR ALL CLAIMS, DAMAGES AND LOSSES ARISING OUT OF OR RELATING TO THESE TERMS, THE SERVICE, AND CONTENT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, IS LIMITED TO THE GREATER OF: (A) THE AMOUNT YOU HAVE P…”vendor's exact wording |
https://cursor.com/terms-of-service |
| Trains on Customer Data key clause |
False
“We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service ), (2) you explicitly report them to us…”vendor's exact wording |
https://cursor.com/privacy |
Security Posture authoritative · cited
Known Vulnerabilities (CVE / CISA KEV)
Found
19
Vulnerabilities are usually disclosed after the vendor ships a fix, so most carry a patch. What matters for your risk is whether any are actively exploited (CISA KEV) and whether you run a patched version — patched entries below are a normal sign of an active security-response process, not an open exposure.
Vulnerability Disclosure Policy (security.txt)
Found
1
Email Spoofing Protection (DMARC)
Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate
Valid
Data Breach History
None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard)
Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening
None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05)
Not applicable
Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.
Security & Compliance Timeline authoritative · dated
Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.
- 2026-03-11 CVE CVE-2026-31854 disclosed (HIGH · patched in 2.0)
- 2026-02-13 CVE CVE-2026-26268 disclosed (HIGH · patched in 2.5)
- 2026-01-14 CVE CVE-2026-22708 disclosed (CRITICAL · patched in 2.3)
- 2025-11-05 CVE CVE-2025-64110 disclosed (HIGH · patched in 2.0)
- 2025-11-04 CVE CVE-2025-64108 disclosed (HIGH · patched in 2.0)
- 2025-11-04 CVE CVE-2025-64107 disclosed (HIGH · patched in 2.0)
- 2025-11-04 CVE CVE-2025-64106 disclosed (HIGH · patched in 2.0)
- 2025-10-03 CVE CVE-2025-61593 disclosed (HIGH · patched)
- 2025-10-03 CVE CVE-2025-61592 disclosed (HIGH · no fix listed)
- 2025-10-03 CVE CVE-2025-61591 disclosed (HIGH · no fix listed)
- 2025-10-03 CVE CVE-2025-61590 disclosed (HIGH · patched in 1.7)
- 2025-10-03 CVE CVE-2025-61589 disclosed (MEDIUM · patched in 1.7)
- 2025-10-03 CVE CVE-2025-59944 disclosed (HIGH · patched in 1.7.)
- 2025-08-05 CVE CVE-2025-54135 disclosed (HIGH · patched in 1.3.9)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| SOC2 TYPE2 | Available via Trust Center | https://cursor.sh/security |
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| PEN TEST | Claimed — not independently verified | https://cursor.sh/security |
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Baa | https://cursor.sh/baa |
| Cookie | https://cursor.com/cookie-policy |
| Dpa | https://cursor.com/terms/dpa |
| Msa | https://cursor.com/terms/msa |
| Pricing | https://www.cursor.com/pricing |
| Privacy | https://cursor.com/privacy |
| Security | https://www.cursor.com/security |
| Soc Report | https://trust.cursor.com |
| Subprocessors | https://cursor.sh/sub-processors |
| Tos | https://cursor.com/terms-of-service |
| Trust | https://cursor.com/security |
| Vuln Mgmt | https://cursor.sh/.well-known/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
7 legal & policy documents under change-monitoring since 2026-05-31. 2 tracked changes detected since baseline.
BaaCookieDpaMsaPrivacySubprocessorsTos
| Detected | Change | Detail |
|---|---|---|
| 2026-06-17 | ToS Clause Change |
The Terms of Service was re-published with only formatting changes — no clause change.
What this means: The Terms of Service text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Terms of Service to confirm.
Show exact changed text@@ -1,3 +1,2 @@-Cursor · Terms of Service Terms of Service Privacy Policy |
| 2026-06-16 | ToS Clause Change |
The Privacy Policy was re-published with only formatting changes — no clause change.
What this means: The Privacy Policy text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Privacy Policy to confirm.
Show exact changed text@@ -1,3 +1,2 @@-Cursor · Privacy Policy Terms of Service Privacy Policy |
Ask the Legal Documents grounded · cited
Ask a question about Cursor's captured Terms, DPA, Privacy Policy or sub-processor list. Answers are read only from the actual document text and always shown with the exact clause. If the documents don't cover it, we say so — we never guess.
The summary only restates the clauses below it and is verified against them — the verbatim clause is always the source of truth.
Monitor Cursor — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Cursor changes something that affects your risk. Built for procurement & security teams.
Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal
pages and links to its source. This brief contains no scraped sentiment, forum chatter, or
AI-inferred opinion — only verifiable, deterministic facts. Verify each source before
procurement decisions.