Cursor DPA: Where to Find It and What It Covers (GDPR Guide)

Cursor does have a Data Processing Agreement (DPA) available for Business and Enterprise customers. The DPA is publicly accessible at cursor.com/terms/dpa — free Hobby plan users are not covered and should not process personal data through the tool. German and DACH companies evaluating Cursor under GDPR need to examine more than DPA availability — data residency, sub-processor chains, and works council obligations all require attention before deployment. For a broader view of AI development and coding tools available to German businesses, see the AI tools guide.

How to Access and Sign the Cursor DPA

Cursor’s DPA is publicly available at cursor.com/terms/dpa — you do not need to contact sales to download and review it. However, the plan you are on determines whether the DPA applies to you.

Three steps to access the Cursor DPA:

  1. Verify your plan: The DPA applies to Cursor Business and Enterprise subscribers only. Free Hobby plan users are not covered by the DPA and must not process personal data through Cursor in a business context.
  2. Review the DPA at cursor.com/terms/dpa: The agreement covers the obligations of Article 28 GDPR, Standard Contractual Clauses for US data transfers, and the sub-processor list. Anysphere publishes its sub-processor list and trust documentation at trust.cursor.com.
  3. Countersign if required internally: For many companies, accepting the Business or Enterprise plan terms is sufficient. If your organization requires a separately signed DPA, contact Cursor sales or legal to arrange countersignature.

Sub-processor transparency: Cursor routes code and prompts through OpenAI and Anthropic APIs. Both are listed as sub-processors in the Cursor DPA. SCCs apply for EU-to-US data transfers. Check trust.cursor.com for the current sub-processor list. For a broader DPA framework overview, see our data processing agreement guide.

What is Cursor?

Cursor is an AI-powered code editor developed by Anysphere Inc., a US-based company. It is built on top of VS Code and integrates large language models — including models from Anthropic and OpenAI — to provide intelligent code completion, refactoring, and chat-based programming assistance.

Because Cursor routes code snippets and queries to third-party AI APIs, it functions as a data processor under GDPR Article 28. That means any company deploying Cursor in a professional or corporate environment must put a valid DPA in place before processing personal data through the tool.

Is Cursor GDPR-Compliant?

Cursor can be used in a GDPR-compliant manner with the right contractual and technical setup. Anysphere offers a DPA for Business and Enterprise plan subscribers that covers the obligations of Article 28 DSGVO. Out-of-the-box use of the free Hobby plan does not come with a DPA, which makes it unsuitable for processing personal data in a business context under GDPR.

Key points for GDPR compliance:

  • DPA availability: Available on Business and Enterprise plans. Free Hobby plan users are not covered.
  • Sub-processors: Cursor routes requests through OpenAI and Anthropic APIs. Both are US-based. Anysphere lists these as sub-processors in its DPA.
  • International data transfers: Code and context sent to AI models are processed in the United States. Standard Contractual Clauses (SCCs) under GDPR Chapter V apply and must be in place.
  • Privacy Mode: Cursor offers a Privacy Mode setting that prevents code from being stored or used for model training. Enabling this is strongly recommended for any work involving client code, proprietary systems, or personal data.

Does Cursor Have a DPA?

Yes. Anysphere provides a Data Processing Agreement for Cursor Business and Enterprise subscribers. The DPA covers the processing of personal data that passes through the Cursor editor and its underlying AI models.

For German companies, the DPA is necessary but not sufficient. You also need to verify:

  1. That Standard Contractual Clauses are executed for transfers to Anysphere (US) and its sub-processors (OpenAI, Anthropic).
  2. That your internal records of processing activities (Verzeichnis von Verarbeitungstätigkeiten, Article 30 DSGVO) are updated to include Cursor.
  3. That a Data Protection Impact Assessment (DPIA) is conducted if Cursor will process sensitive data or be used in contexts involving risk to data subjects.

Compare this with Claude Enterprise, which processes data exclusively on Anthropic’s infrastructure with stronger data residency guarantees, or OpenAI’s API, which similarly requires SCC-backed DPAs for European use.

Data Residency and Sub-Processors

When you use Cursor, your code and prompts are transmitted to Anysphere’s servers and then — depending on which AI model is invoked — forwarded to OpenAI or Anthropic APIs for processing. This means your data travels through at least two US-based entities.

Sub-processor chain:

| Entity | Role | Location |
|---|---|---|
| Anysphere Inc. | Data processor (Cursor platform) | United States |
| OpenAI | Sub-processor (AI model API) | United States |
| Anthropic | Sub-processor (AI model API) | United States |

All transfers from the EU/EEA to these processors rely on Standard Contractual Clauses. German data protection authorities (the Datenschutzkonferenz) have accepted SCCs as a valid transfer mechanism, provided appropriate supplementary measures are in place — such as encryption in transit and at rest, and limiting the categories of data transferred.

Data retention: In Privacy Mode, Cursor does not retain code or prompts after the session ends. Outside of Privacy Mode, usage data and interaction logs may be retained for service improvement purposes. Check the current Cursor Privacy Policy for up-to-date retention periods.

What German Companies Need to Know Before Using Cursor

German companies face specific compliance considerations that go beyond the standard GDPR DPA checklist:

Works Council (Betriebsrat) involvement: Under §87 BetrVG, works councils have co-determination rights over the introduction of technical monitoring systems. An AI code editor that logs developer activity, generates usage metrics, or influences performance assessment may trigger this obligation. Engage your Betriebsrat before rolling out Cursor to developers.

Employment law angle: If Cursor is deployed across a development team, your company should have a written usage policy (Nutzungsrichtlinie) that sets out permitted use cases, data handling expectations, and what data may or may not be entered into the tool. This is especially relevant for law firms and professional services companies where client confidentiality is at stake.

Client code and professional secrecy: Lawyers, auditors, and other professionals subject to professional secrecy obligations (Berufsgeheimnispflicht) must treat AI code editors with particular caution. Routing client-related code or data through Cursor without client consent and appropriate data protection safeguards could constitute a breach of professional duty.

AI Act classification: Cursor is a general-purpose AI tool. Under the EU AI Act, general-purpose AI systems used in development workflows are not typically classified as high-risk. However, if Cursor outputs are used in a pipeline that makes consequential decisions — for example, automated deployment of financial software — the risk classification of the overall system should be reviewed. See our guide on AI code generation compliance for more detail. Development teams should also consider AI cybersecurity compliance requirements where Cursor is used to build or maintain security-sensitive systems. These considerations are especially pressing for AI adoption in the manufacturing sector and under financial services AI regulation in Germany, where code quality and security controls are subject to stricter scrutiny.

Our Assessment

For German companies, Cursor is a viable tool with appropriate setup. The DPA is available, Privacy Mode exists, and the sub-processor chain is documented. The gaps that need addressing are the same as with any US-based AI tool: SCCs must be in place, data minimisation should be enforced through Privacy Mode, and works council consultation should happen before deployment.

We do not recommend using Cursor’s free Hobby plan for any professional work involving client data, proprietary code, or personal data — there is no DPA coverage. Business or Enterprise plans are the appropriate starting point for DACH companies.

Compound Law can assist with DPA review, SCC implementation, DPIA preparation, and works council negotiations for Cursor deployments.


Frequently Asked Questions

Does Cursor store my code?

In Privacy Mode, Cursor does not store your code or prompts after the session ends. Without Privacy Mode enabled, interaction data may be retained by Anysphere and its sub-processors for service improvement. Enable Privacy Mode when working with any sensitive, proprietary, or client-related code.

Is Cursor GDPR compliant for German companies?

Cursor can be used in a GDPR-compliant way with the right setup: a signed DPA (available on Business/Enterprise plans), Standard Contractual Clauses for US data transfers, Privacy Mode enabled, and updated records of processing activities. The free Hobby plan does not include a DPA and is not suitable for business use under GDPR.

Does Cursor have an AVV (Auftragsverarbeitungsvertrag)?

Yes. Anysphere provides a Data Processing Agreement — the equivalent of an Auftragsverarbeitungsvertrag under Article 28 DSGVO — for Business and Enterprise customers. This must be signed before deploying Cursor in any context that involves personal data.

Can German developers use Cursor at work?

Yes, subject to proper compliance measures: DPA in place, Privacy Mode enabled, works council consulted if required, and a usage policy established. Cursor should not be used to process client data or data subject to professional secrecy without additional legal assessment.

What data does Cursor send to AI models?

Cursor sends code context, prompts, and conversation history to the AI model APIs it uses (OpenAI or Anthropic) to generate responses. The exact scope of data transmitted depends on the model and the context window used. In Privacy Mode, this data is not retained after the session.

Where can I find the Cursor DPA?

The Cursor DPA is publicly available at cursor.com/terms/dpa. It applies to Business and Enterprise plan subscribers. Anysphere’s sub-processor list and trust documentation are available at trust.cursor.com. If your organization requires a countersigned DPA, contact Cursor sales or legal.

Does the Cursor DPA cover OpenAI and Anthropic as sub-processors?

Yes. Both OpenAI and Anthropic are listed as sub-processors in the Cursor DPA. Standard Contractual Clauses apply to data transfers from the EU/EEA to these US-based entities. German companies should verify the current sub-processor list at trust.cursor.com before deployment and include Cursor’s sub-processor chain in their record of processing activities.
