Enterprise
Cursor Enterprise: Compliance & Monitoring
Cursor Enterprise records audit logs of security events and administrative actions, viewable in the team dashboard and streamable to your SIEM, S3 or webhooks. Cursor does not log agent responses or generated code, so development-activity logging is left to hooks. Cursor is SOC 2 Type II and GDPR compliant, with reports in the Trust Center.
On this page
What does Cursor's audit log record?
Audit logs record security events and administrative actions so you can see who did what, when. They are available on the Enterprise plan and viewable in the team dashboard with admin access. Cursor does not log agent responses or generated code content - for that, it recommends hooks (covered below).
- Authentication: logins and logouts.
- User management: additions (via SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool., invite, signup, team creation or auto-enrollment), removals, role changes and individual spend limits.
- API keys: team and user API key creation and revocation.
- Team settings: team-wide and per-user spending limits, admin settings, team name changes, Slack integration settings and repository mappings.
- Repositories, Cloud Agent environments, directory groups, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. changes, team rules (including BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs.), team hooks and custom commands.
Audit logs cover administrative actions only. Prompts and generated code are not in them, so don't promise security review a record of "what the AI wrote" from audit logs alone - that needs hooks.
How do we access and stream audit logs?
View audit logs in the team dashboard at cursor.com/dashboard/audit-log; this requires admin access on an Enterprise plan. For monitoring, Cursor can stream logs to your existing systems - contact hi@cursor.com to set up streaming.
Streaming sends the same events to wherever your alerting and retention already live, so you aren't checking a second dashboard. Cursor lists four destination categories: SIEM systems, webhook endpoints, object storage and log aggregators.
- Destination
- SIEM systems
- Examples
- Splunk, Sumo Logic, Datadog
- Destination
- Webhook endpoints
- Examples
- Custom processing pipelines
- Destination
- Object storage
- Examples
- S3 buckets for long-term retention
- Destination
- Log aggregators
- Examples
- Elasticsearch, CloudWatch
| Destination | Examples |
|---|---|
| SIEM systems | Splunk, Sumo Logic, Datadog |
| Webhook endpoints | Custom processing pipelines |
| Object storage | S3 buckets for long-term retention |
| Log aggregators | Elasticsearch, CloudWatch |
Streaming destinations Cursor lists for audit logs.
Logs are delivered as JSON with a metadata block (timestamp, event_id), plus team_id, ip_address, user_email and an event object with event-specific fields. The event_type covers actions like login, logout, add_user, update_user_role, team_settings, privacy_mode and BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. events. In the dashboard you can filter by date range, event type and actor, and export filtered results to CSV for compliance reports.
How do we tell which code an agent wrote?
Cursor BlameAn augmented git blame that records line-level human and agent co-authorship, so you can trace which code was written by AI versus a person. augments git blame with line-level human and agent co-authorship. Commits are tagged with AI-code tracking, and an AI-code-tracking API exposes the same data. During a security review or incident you can answer who wrote a given line: a human or an agent. That feeds the audit trail and tells you which lines need extra scrutiny before they ship.
Above the line level, the team dashboard reports adoption and an exportable audit log gives per-action detail. A read-only Analytics API lets you pull the same metrics into your own reporting stack.
- Cursor Blame
- Git blame plus line-level human/agent co-authorship; per-commit AI-code tags.
- AI-code-tracking API
- Exposes the tagging so you can ask 'who wrote this?' for audit trails.
- Dashboard metrics
- AI share of committed code, agent edits, Tab completions, active users across Agent, BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs., cloud and CLI.
- Audit log
- Detailed, exportable, per-action visibility for compliance and incident review.
- Analytics API
- Read-only feed into your org's own reporting.
What each surface answers during a review.
When an incident lands on a file, line-level co-authorship tells reviewers which lines came from an agent before they read a single diff. That decides where the extra scrutiny goes.
How do we log prompts and generated code for compliance?
Some compliance requirements need a record of development activity, which audit logs don't capture. Cursor's recommendation is hooks: a prompts-submitted hook can log when a prompt is sent, and a code-generated hook can log when code is written, posting to your own compliance endpoint.
Cursor's own guidance: be careful logging actual code or prompts, because they may contain sensitive information. Log metadata - who, when, which file - rather than content when you can.
Is Cursor SOC 2 and GDPR compliant?
Yes. Cursor maintains compliance with industry standards including SOC 2 Type II and GDPR. Compliance documentation is available through the Trust Center at trust.cursor.com, including SOC 2 reports, penetration test summaries, security architecture documentation and data flow diagrams.
- SOC 2 reports
- Trust Center (trust.cursor.com).
- Pen test summaries
- Trust Center.
- Security architecture + data flow
- Trust Center documentation.
- Audit log of admin actions
- Team dashboard, Enterprise plan.
How do we report a security vulnerability in Cursor?
Use Cursor's responsible disclosure program. Email security-reports@cursor.com with a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or proof of concept.
Frequently asked questions
Does Cursor's audit log include the prompts developers type or the code the AI generates?
No. Cursor does not log agent responses or generated code content in audit logs - those cover authentication, user management, settings and other administrative actions. To log development activity, Cursor recommends using hooks, and to log metadata rather than full prompt or code content.
Can we send Cursor audit logs to our SIEM?
Yes. Cursor can stream audit logs to SIEM systems such as Splunk, Sumo Logic and Datadog, to webhook endpoints, to S3 buckets for retention, or to aggregators like Elasticsearch and CloudWatch. Contact hi@cursor.com to set up streaming. Logs are delivered as JSON.
Which plan includes audit logs?
Audit logs are available on the Enterprise plan and require admin access. You view them in the team dashboard and can filter by date range, event type and actor, then export to CSV.
Can we see which code was written by an agent versus a human?
Yes. Cursor Blame augments git blame with line-level human and agent co-authorship, commits are tagged with AI-code tracking, and an AI-code-tracking API exposes it. During a security review or incident this answers 'who wrote this code?' for the audit trail and helps you decide which code needs extra scrutiny. The dashboard also reports AI share of committed code, agent edits, Tab completions and active users across Agent, Bugbot, cloud and CLI, with a read-only Analytics API for your own reporting.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.