Enterprise
Cursor Data Residency: Regions, US-Only Mode, EU Gaps
Cursor offers one formal data-residency control: an enterprise opt-in program that keeps inference, processing and storage for supported features US-only. Non-enterprise plans get no residency guarantee. Region behaviour otherwise follows each model provider's footprint — and launch-phase exceptions exist, like Grok 4.5 being unavailable in the EU.
On this page
What data residency does Cursor actually guarantee?
One program, one region, one tier: enterprise customers can opt in to US-only data residency, which Cursor describes as keeping "inference, processing, and storage for supported features" in the United States. It is opt-in (enrollment required, not default), enterprise-only, and scoped to supported features — the phrase doing real work in that sentence.
- Enterprise, enrolled
- US-only inference, processing and storage for supported features. Details on supported models, exclusions and pricing live in Cursor's privacy and data-governance docs.
- Enterprise, not enrolled
- Same as everyone else — no published residency guarantee.
- Pro / Teams plans
- No documented data-residency controls beyond choosing which models you allow.
- EU / UK / AU residency
- Not offered. US-only is the only residency program Cursor publishes today.
Per cursor.com/help/security-and-privacy/regions, checked 2026-07-16.
Cursor does not publish an EU-residency option. Your levers are contractual (DPAData Processing Agreement. The contract spelling out exactly how a vendor may process your data: purposes, subprocessors, retention and breach duties. The document privacy reviews actually read. Press Enter for the full definition. terms), architectural (self-hosted cloud-agent runtimes keep tool execution on your infrastructure) and scope-based (Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. Press Enter for the full definition. and Zero Data Retention reduce what is stored at all). None of those pins model inference to an EU region.
This is covered hands-on in Teams and Enterprise Admin — 6 short modules, free to read.
Where do the models themselves run?
Cursor routes requests to multiple model providers, and each provider has its own regional footprint. Cursor's regions page defers to provider documentation rather than promising anything on their behalf — Anthropic, OpenAI and Google each publish their own supported-regions lists.
- Provider
- Anthropic (Claude)
- Region authority
- Anthropic's supported-regions documentation
- What that means for you
- Region behaviour follows Anthropic's infrastructure, not Cursor's
- Provider
- OpenAI (GPT)
- Region authority
- OpenAI's supported countries and territories list
- What that means for you
- Same pattern — check the provider list, not Cursor's docs
- Provider
- Google (Gemini)
- Region authority
- Google's availability documentation
- What that means for you
- Same pattern
- Provider
- First-party (ComposerCursor's own fast coding model, tuned for the editor and priced well below frontier models; the recommended day-to-day model for executing a plan. Press Enter for the full definition., Grok 4.5)
- Region authority
- Cursor's own infrastructure and help pages
- What that means for you
- The one stack where Cursor is the region authority — and where launch-phase geo gaps show up
| Provider | Region authority | What that means for you |
|---|---|---|
| Anthropic (Claude) | Anthropic's supported-regions documentation | Region behaviour follows Anthropic's infrastructure, not Cursor's |
| OpenAI (GPT) | OpenAI's supported countries and territories list | Same pattern — check the provider list, not Cursor's docs |
| Google (Gemini) | Google's availability documentation | Same pattern |
| First-party (ComposerCursor's own fast coding model, tuned for the editor and priced well below frontier models; the recommended day-to-day model for executing a plan. Press Enter for the full definition., Grok 4.5) | Cursor's own infrastructure and help pages | The one stack where Cursor is the region authority — and where launch-phase geo gaps show up |
Compliance reviews should cite the provider's own region documentation for third-party models.
The concrete example that surprises teams: Grok 4.5, Cursor's flagship first-party model, launched unavailable in the EU — Cursor states it is "available in every country where Cursor normally offers models, except the EU at launch," with EU availability planned. If your rollout standardises on a model, check its geographic availability before writing the policy.
What can admins actually control?
Residency is one lever among several; most regulated-industry deployments combine four. Only the first is a residency control in the strict sense.
- 1Enroll in US-only residency (enterprise): the formal program covering inference, processing and storage for supported features. Confirm the supported-model list and exclusions during procurement — not after.
- 2Constrain the model list: admins can allowlist models team-wide, which indirectly pins your traffic to providers whose regions you have vetted. New first-party models need explicit enablement in team settings.
- 3Reduce what is retained: Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. Press Enter for the full definition. and Zero Data Retention govern storage duration rather than location — often what the auditor actually cares about.
- 4Move execution on-prem where offered: self-hosted cloud-agent runtimes keep tool execution and code checkouts on infrastructure you control, while Cursor's cloud still orchestrates.
Which features are excluded from US-only residency today? Which models are supported under it, and what happens when we select an unsupported one? Is residency contractually committed in the DPAData Processing Agreement. The contract spelling out exactly how a vendor may process your data: purposes, subprocessors, retention and breach duties. The document privacy reviews actually read. Press Enter for the full definition. or described as best-effort? Each answer belongs in the security review file, dated.
Frequently asked questions
Does Cursor offer EU data residency?
No. The only published residency program is US-only, for enterprise customers who enroll. EU-based teams can constrain models, use Privacy Mode and Zero Data Retention, and self-host agent execution, but cannot pin Cursor's inference or storage to the EU today.
Is US data residency on by default for enterprise plans?
No — it is an opt-in program requiring enrollment. Unenrolled enterprise tenants get the same regional behaviour as other plans. Supported models, exclusions, pricing and how to enable it are documented in Cursor's privacy and data-governance pages.
Where is my code processed on a normal Pro or Teams plan?
Cursor does not publish per-plan processing locations for non-enterprise tiers. Requests route to the selected model provider's infrastructure, so the practical answer follows each provider's regional documentation (Anthropic, OpenAI, Google) plus Cursor's own for first-party models.
Why can't EU users access Grok 4.5?
Cursor launched Grok 4.5 in every country it normally supports except the EU, with EU availability planned in the coming weeks. It is a launch-phase geographic gap on a first-party model — worth checking current status before standardising a European team on it.
Does data residency cover Cloud Agents too?
The US-only program covers 'supported features' — confirm during procurement whether cloud-agent execution is on that list for your contract. Teams needing execution locality regardless can use self-hosted runtimes, which keep tool calls and checkouts on infrastructure they operate.
Sources & last verified
- Cursor Help - Regions and data residency
- Cursor Help - Grok 4.5
- Cursor Docs - Cloud agent security and network
Cursor ships frequently. Facts verified against primary sources on July 16, 2026.