AI Vendor Security & Compliance Brief

Windsurf

Independent due-diligence summary · every fact links to the vendor's official source
0 source-cited facts
2 independently verified certs
29 legal documents tracked
Generated 2026-06-05

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not determinable
Could not map this vendor to a software identity — abstained rather than guess.
Vulnerability Disclosure Policy (security.txt) None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History (HIBP) None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not determinable
Could not map this vendor to a software identity — abstained rather than guess.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) Not determinable
Could not map this vendor to a software identity — abstained rather than guess.

Independently Verified Certifications

CertificationStatusEvidence
PEN TEST active https://windsurf.com/security
SOC2 TYPE2 active https://windsurf.com/security

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP HIGH claimed_unverified https://windsurf.com/security
HIPAA claimed_unverified https://windsurf.com/security
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Tracked Legal & Policy Documents

DocumentURL
Ai Policy https://windsurf.com/ai-policy
Aup https://windsurf.com/aup
Baa https://windsurf.com/baa
Bcp https://windsurf.com/bcp
Caiq https://windsurf.com/caiq
Ccpa Compliance https://windsurf.com/ccpa
Cookie https://windsurf.com/cookies
Data Flow https://windsurf.com/data-flow
Data Retention https://windsurf.com/legal/data-retention
Dpa https://windsurf.com/dpa
Drp https://windsurf.com/drp
Gdpr Compliance https://windsurf.com/gdpr
Incident Response https://windsurf.com/incident-response
Kvkk Compliance https://windsurf.com/kvkk
Msa https://windsurf.com/legal/msa
Offboarding https://windsurf.com/data-export
Oss Inventory https://windsurf.com/oss
Patch Mgmt https://windsurf.com/security/patch-management
Pricing https://windsurf.com/pricing
Privacy https://windsurf.com/privacy
Sbom https://windsurf.com/sbom
Security https://windsurf.com/compliance
Sig Questionnaire https://windsurf.com/sig
Sla https://windsurf.com/sla
Soc Report https://windsurf.com/soc
Subprocessors https://windsurf.com/subprocessors
Tos https://windsurf.com/agreements
Trust https://windsurf.com/trust
Vuln Mgmt https://windsurf.com/security/vulnerability

Monitor Windsurf — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Windsurf changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.