01 Trust Score

Cursor

Week 2026-W20 · 26 Apr 2026 Vendor-Neutral
85 /100 Strong Signal
↑ 10 vs 2026-W17
4.2/5 (3979)
WHY THIS SCORE

The overall trust score of 49 indicates a high-risk profile for enterprise procurement. This is primarily driven by a low security score of 52, reflecting the absence of publicly verified SOC 2 and GDPR certifications, and a low legal risk score of 15 due to numerous undisclosed contractual terms such as IP indemnification, liability caps, and data lifecycle policies. While financial health is strong (95) and community sentiment is moderate (60), these do not offset the critical security and legal transparency deficits. To significantly improve this score, Cursor must publicly provide comprehensive SOC 2 Type II and GDPR compliance documentation, along with clear, enterprise-grade legal terms.

AUDITOR SUMMARY
Strength: Cursor offers robust AI coding assistance with multi-model support and advanced agentic workflows, demonstrating strong innovation in developer productivity tools.
Trust Score 85/100 CONDITIONAL
Est. Annual Cost $68,000/year for 100 users
Top Risk HIGH Reliability Overall: Medium
Priority Action No Public SOC 2 Certification Documented

Enterprise Verdict

! Conditional Approval
Risk: Medium 50 sources
The adoption recommendation is a conditional proceed, due to significant gaps in publicly disclosed legal and compliance documentation, specifically the absence of a public SOC 2 certification and explicit data retention policies. For a more favorable verdict, Cursor must provide comprehensive, publicly verifiable documentation for its SOC 2 Type II attestation, GDPR compliance, and detailed data lifecycle management.

This report updates every week. Weekly AI vendor intelligence — trust scores, contract red flags, competitive shifts.
02 Top Risks

Risk Assessment

Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.

High Reliability Community Data

Buyers may want to verify the availability of specific uptime commitments or reliability history in public documentation.

Medium Cost Predictability Community Data

Enterprises should negotiate fixed-rate contracts and monitor pricing changes for overage risks.

High Vendor Lock-in Community Data

Data export status unclear. Integration score: 0/100. Webhooks available, reducing lock-in risk.

Medium Support Quality Community Data

Insufficient public community reviews to verify support quality. Standard support channels (email/documentation) are assumed.

Medium Data Privacy Community Data

Compliance score: 93/100. GDPR status: dpa_available. Encryption at rest: yes.

Low Compliance Posture Community Data

SOC 2: type_ii. ISO 27001: none. Overall compliance score: 93/100.

Medium AI Transparency Verified

No training on user data detected. Code ownership terms unclear. Legal/ToS risk score: 65/100.

Verified — Confirmed by vendor documentation
Community — Derived from community reports

Due Diligence Alerts

Priority reviews, recommended inquiries, and verified strengths — based on 80+ community data points

Recommended Inquiry High No Public SOC 2 Certification Documented
Recommended Inquiry High No Public GDPR Certification or DPA Documented
Recommended Inquiry High SLA Terms Not Publicly Disclosed — Request MSA Before Procurement
Recommended Inquiry High Tenant Isolation Model Not Publicly Documented
Recommended Inquiry High Opaque Data Lifecycle — No Explicit Retention or Export Guarantees
03 Security & Compliance

Security & Compliance

SOC 2 ✕ Not found
ISO 27001 ✕ Not found
GDPR ✕ Not found
HIPAA ✕ Not found

Data Security

Encryption (At Rest): AES-256
Encryption (In Transit): TLS 1.3

Security Features

SSO SAML
MFA TOTP
Audit Logs
Vulnerability Disclosure

Enterprise Contract Intelligence

DPA availability, data residency, and contract risk signals for procurement teams

📄 Data Processing Agreement Available

DPA document URL found, but content could not be retrieved for analysis. Requires direct review from the vendor to confirm key terms, data sub-processor list, and Standard Contractual Clauses (SCCs) for GDPR compliance.

🌐 Data Residency Vendor-Controlled
Default: United States
United States, EU/EEA, United Kingdom

While primary regions include EU/EEA and UK, EU hosting is explicitly stated as unavailable. Data is likely processed by default in the US. Cross-border transfer mechanisms (e.g., SCCs) are not explicitly detailed, posing a concern for GDPR compliance. Vendor states no infrastructure or subprocessors in China.

⚠️ Contract Risk High Lock-in (75/100)
Auto-renewal: Yes ⚠
Unilateral change right: Yes ⚠
Data export on exit: No ⚠

⚠ 4 contract risk flags:
⚠ Unilateral Terms of Service changes without explicit consent.
⚠ No explicit data portability guarantee on exit.
⚠ Vendor reserves right to suspend/terminate services without notice.
⚠ Automatic subscription renewal clause.

The contract presents a high lock-in risk due to the vendor's right to unilaterally change terms, automatic renewals, and the absence of explicit data portability guarantees or termination notice periods. The limited liability cap further exacerbates this risk, requiring extensive legal review and negotiation for enterprise adoption.

04 Community Signals

Community Evidence

Sentiment analysis and recurring issues from developer & enterprise community signals this week.

Recurring Issues

VSCode/Cursor extension: permission-IPC race kills sessions, error rendered as "[object Object]" 🟠 Community 2 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 2 comments.

Sources: GitHub

cursor/dev-environment-setup-d840 🟠 Community 2 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 2 comments.

Sources: GitHub

Change cursor icon on hovered UI element 🟠 Community 2 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 2 comments.

Sources: GitHub

⚡ Bolt: Use ref for cursor follower to prevent continuous re-renders 🟠 Community 2 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 2 comments.

Sources: GitHub

Bun's Rust rewrite has been merged 🟠 Community low → Stable

Enterprise Impact: Discussed on Hacker News.

Sources: HN

Show HN: Specdd – Spec-driven development as a Claude/Codex/Cursor skill 🟠 Community low → Stable

Enterprise Impact: Discussed on Hacker News.

Sources: HN

Source Highlights This Week

Specific signals from GitHub, Hacker News, and Reddit — what the community is actually saying

Intelligence Synthesis

This week's data indicates Cursor is actively enhancing its AI coding assistant with new features like cloud agent development environments and Microsoft Teams integration. Community feedback is mixed, with positive mentions of its agentic capabilities and multi-model support, but also critical reports of a permission-IPC bug in a key extension and user frustration over usage limits and external LLM costs. The vendor's public security and legal documentation remains incomplete, raising significant concerns for enterprise adoption.

05 Financial Impact

Financial Impact Panel

Cost intelligence and pricing signals for enterprise procurement decisions

Pricing data from public sources — enterprise rates differ. Verify with vendor.

TCO Calculator

Pricing Not Available

Enterprise pricing information could not be obtained for this vendor. This may be due to custom/private pricing models or limited publicly available data.


Independent analysis — signals aggregated from GitHub, Reddit, HN, Stack Overflow, Twitter/X, G2 & Capterra. Not affiliated with any vendor.
