Cursor
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 79 out of 100. Verified evidence includes SOC 2 Type 2 certification, with the audit report available under NDA. A material security finding notes CVE-2025-61591 (HIGH) with no fix listed, which is also a recent change indicating a newly disclosed vulnerability without a vendor fix. The most useful next step is to request the remediation timeline for CVE-2025-61591 and confirm your exposure.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, SOC 2.
- Customer-Data Training Vendor states it does NOT train on customer data.
- Data Processing Agreement No public DPA located — request one during procurement.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure 2 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 10 legal/policy documents publicly tracked.
Ask This in Your Security Review 1 open items
- Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://trust.cursor.com/ |
| SOC 2 | Stated by vendor | https://trust.cursor.com/ |
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| IP / Content Ownership key clause |
True
“You retain all of your right, title, and interest that you have in Inputs, and Anysphere hereby assigns to you all of our right, title, and interest if any in and to any Suggestions.”vendor's exact wording |
https://cursor.com/terms-of-service |
| Limitation of Liability key clause |
True
“TO THE FULLEST EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF THE ANYSPHERE ENTITIES TO YOU FOR ALL CLAIMS, DAMAGES AND LOSSES ARISING OUT OF OR RELATING TO THESE TERMS, THE SERVICE, AND CONTENT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, IS LIMITED TO THE GREATER OF: (A) THE AMOUNT YOU HAVE P…”vendor's exact wording |
https://cursor.com/terms-of-service |
| Trains on Customer Data key clause |
False
“We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service ), (2) you explicitly report them to us…”vendor's exact wording |
https://cursor.com/privacy |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2025-10-03 CVE CVE-2025-61592 disclosed (HIGH · no fix listed)
- 2025-10-03 CVE CVE-2025-61591 disclosed (HIGH · no fix listed)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| SOC2 TYPE2 | Available via Trust Center | https://cursor.sh/security |
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| PEN TEST | Claimed — not independently verified | https://cursor.sh/security |
Common compliance questions
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Baa | https://cursor.sh/baa |
| Cookie | https://cursor.com/cookie-policy |
| Pricing | https://www.cursor.com/pricing |
| Privacy | https://cursor.com/privacy |
| Security | https://www.cursor.com/security |
| Soc Report | https://trust.cursor.com |
| Subprocessors | https://cursor.sh/sub-processors |
| Tos | https://cursor.com/terms-of-service |
| Trust | https://cursor.com/security |
| Vuln Mgmt | https://cursor.sh/.well-known/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). Trust center → |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
7 legal & policy documents under change-monitoring since 2026-05-31. 6 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-30 | Legal Document Unavailable |
The Master Service Agreement's previous URL stopped responding and we could not locate a current version automatically. We're searching for its new location; th
What this means: A tracked legal/policy document's URL stopped responding and we couldn't auto-locate a current version. We're searching for its new location and have flagged it for manual review — no action needed from you yet.
|
| 2026-06-28 | CVE / Security Incident |
2 new CVEs (published from 2025-10-03): CVE-2025-61591, CVE-2025-61592. 2 of these have no vendor fix listed yet (CVE-2025-61591, CVE-2025-61592).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-27 | CVE / Security Incident |
21 new CVEs (published from 2025-08-01): CVE-2025-54130, CVE-2025-54131, CVE-2025-54132, CVE-2025-54133, CVE-2025-54135, CVE-2025-54136 (+15 more). 2 of these h
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-22 | CVE / Security Incident |
19 new CVEs (published from 2025-08-01): CVE-2025-54130, CVE-2025-54131, CVE-2025-54132, CVE-2025-54133, CVE-2025-54135, CVE-2025-54136 (+13 more). 2 of these h
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-17 | ToS Clause Change |
The Terms of Service was re-published with only formatting changes — no clause change.
What this means: The Terms of Service text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Terms of Service to confirm.
Show exact changed text@@ -1,3 +1,2 @@-Cursor · Terms of Service Terms of Service Privacy Policy |
Search the Legal Documents verbatim · cited
Search Cursor's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Cursor — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Cursor changes something that affects your risk. Built for procurement & security teams.