Cursor Security & Privacy Mode: What Teams Need to Know
Privacy Mode guarantees your code is never used to train Cursor or the model providers, and most models run under zero-data-retention agreements so inputs aren't stored. Cursor is SOC 2 Type II certified; Enterprise adds CMEK, SSO/SCIM, and a HIPAA BAA. The honest limit: there is no on-prem/self-hosted option.
What does Privacy Mode actually do?
Privacy Mode (Cursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code) ensures your code is never used for training — by Cursor or the underlying model providers. It's available on all tiers and can be enforced and locked org-wide on Enterprise so members can't turn it off. Note: your code is still sent to providers to generate responses; the guarantee is about training and retention, not transmission.
Which security controls should teams enforce?
| Control | Effect | Tier |
|---|---|---|
| Privacy Mode (enforced) | No training on your code; lock org-wide | All; enforce on Enterprise |
| Zero Data Retention | Providers don't store inputs/outputs | Default for most models |
| SOC 2 Type II | Audited security posture | Report via trust.cursor.com |
| SSO (Single Sign-On: one company login, usually via SAML or OIDC, instead of a separate password per tool) / SCIM (System for Cross-domain Identity Management: a standard for automatically creating and removing user accounts when people join or leave) | Central identity + provisioning | Teams / Enterprise |
| CMEK | Your key encrypts embeddings | Enterprise |
Verify current details at cursor.com/security. No on-prem/VPC deployment exists.
Frequently asked questions
Does Cursor store or train on my code?
Not with Privacy Mode on — code isn't used for training, and most models run under zero-data-retention agreements so providers don't store it. Using your own API keys can change this, so check those terms.
Is Cursor SOC 2 compliant?
Yes, SOC 2 Type II, with the report available on request via trust.cursor.com.
Can we self-host Cursor?
No — there's no on-prem or single-tenant VPC option. Inference runs on Cursor's infrastructure or third-party providers. If air-gapped deployment is required, Cursor won't meet it.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 15, 2026.