Cursor Origin
Cursor Origin for Enterprises: 10 Questions to Ask First
Before adopting Cursor Origin, an enterprise should ask ten questions: SSO and SCIM, audit logs, branch-protection parity, data residency, security terms, CI, network egress, support SLAs, pricing and the exit path. As of mid-2026 Origin is waitlist-only and Cursor has published answers to none of them, which makes the checklist the work you can do now.
On this page
- What should enterprises ask before adopting Cursor Origin?
- Will Origin support SSO, SCIM and audit logs?
- Does Origin match branch protection and data residency?
- What security terms and network controls will Origin ship?
- What is Origin's CI story and support commitment?
- How will Origin be priced, and how do we leave?
What should enterprises ask before adopting Cursor Origin?
Origin is Cursor's git hosting platform, announced at Compile on June 16, 2026 and waitlist-only since. The product page carries a tagline, a signup form and one sentence of positioning. For a platform team that is not a problem to complain about, it is a due-diligence gap to plan around: every enterprise control you rely on from GitHub or GitLab today is, for Origin, an open question.
The table below is the checklist. Each question gets its own treatment further down, with why it matters and what, if anything, is published today. Spoiler on the third column: it is mostly "nothing Origin-specific," and knowing that precisely is the point.
- #
- 1
- Question
- SAMLAn enterprise standard that powers single sign-on. Press Enter for the full definition. SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. Press Enter for the full definition. and SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. Press Enter for the full definition. provisioning?
- Published for Origin today
- Nothing Origin-specific
- #
- 2
- Question
- Audit logs, and can we export them?
- Published for Origin today
- Nothing Origin-specific
- #
- 3
- Question
- Branch-protection parity with rulesets?
- Published for Origin today
- Nothing; stacked-diff model raises real questions
- #
- 4
- Question
- Data residency, can we pin a region?
- Published for Origin today
- Nothing
- #
- 5
- Question
- Security terms covering the hosting?
- Published for Origin today
- None; editor terms don't automatically extend
- #
- 6
- Question
- Egress and network controls?
- Published for Origin today
- Nothing
- #
- 7
- Question
- What runs CI, what happens to pipelines?
- Published for Origin today
- Nothing confirmed; auto CI fixes are reported only
- #
- 8
- Question
- Support tier and uptime SLA?
- Published for Origin today
- Nothing
- #
- 9
- Question
- Pricing model and unit?
- Published for Origin today
- No public pricing
- #
- 10
- Question
- Exit path, what exports?
- Published for Origin today
- Nothing; see the migration guide
| # | Question | Published for Origin today |
|---|---|---|
| 1 | SAMLAn enterprise standard that powers single sign-on. Press Enter for the full definition. SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. Press Enter for the full definition. and SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. Press Enter for the full definition. provisioning? | Nothing Origin-specific |
| 2 | Audit logs, and can we export them? | Nothing Origin-specific |
| 3 | Branch-protection parity with rulesets? | Nothing; stacked-diff model raises real questions |
| 4 | Data residency, can we pin a region? | Nothing |
| 5 | Security terms covering the hosting? | None; editor terms don't automatically extend |
| 6 | Egress and network controls? | Nothing |
| 7 | What runs CI, what happens to pipelines? | Nothing confirmed; auto CI fixes are reported only |
| 8 | Support tier and uptime SLA? | Nothing |
| 9 | Pricing model and unit? | No public pricing |
| 10 | Exit path, what exports? | Nothing; see the migration guide |
Status as of July 2026, checked against cursor.com/origin, cursor.com/pricing and cursor.com/security. Re-verify at launch.
This is covered hands-on in Cursor Compile 2026 — 1 short module, free to read.
Will Origin support SSO, SCIM and audit logs?
Identity and evidence are the first two questions because they gate everything else. A code host your identity provider can't manage is shadow IT on day one, and a host that can't show you who did what is unusable for change-management evidence.
1. Does Origin support SAML SSO and SCIM provisioning?
Why it matters: offboarding. When someone leaves, SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. Press Enter for the full definition. is what revokes their access to the repo the same hour their account is disabled, without a manual sweep. What's known: nothing for Origin. Cursor does publish both for the editor product, which is the closest precedent you have.
2. What lands in the audit log, and can we export it?
Why it matters: a hosting audit log is a different animal from an editor audit log. You need pushes, force-pushes, permission changes, protection-rule edits and merges, exportable to your SIEM, because that trail is what an auditor accepts as evidence that your change process is real. What's known: nothing for Origin. One wrinkle worth raising with the vendor: when an agent opens and merges a change, the log should record which human directed it, or the trail stops meaning anything.
The editor's published plans are your baseline for what Cursor considers enterprise-grade. Treat them as precedent, not as a promise about Origin.
- SAML/OIDC SSO
- Listed on the Teams plan (cursor.com/pricing)
- SCIM seat management
- Listed on the Enterprise plan
- Audit logs + service accounts
- Listed on the Enterprise plan
- SOC 2 Type II
- Attestation report on request at trust.cursor.com
Precedent from cursor.com/pricing and cursor.com/security. None of it names Origin.
Does Origin match branch protection and data residency?
These two questions are about parity: controls your compliance story already leans on, which a new host either matches or breaks.
3. Is there branch-protection parity with GitHub rulesets?
Why it matters: required reviews, status checks and force-push blocks on protected branches are often written into your change-management policy by name. What's known: nothing for Origin, and the stacked-diff model it inherits from Graphite makes this more than a checkbox. Graphite's own docs tell teams to turn off GitHub's "dismiss stale approvals" setting because it fights stacks. If Origin's review flow relaxes a control you currently enforce, you need to know what compensates for it.
4. Where does the repo live, and can we pin a region?
Why it matters: if you operate under GDPR-driven or sector residency rules, the physical location of your source and its metadata is a contract term, not a preference. The bar is set by incumbents: GitHub Enterprise Cloud now offers data residency on ghe.com in the EU, US, Australia and Japan. What's known for Origin: nothing. Cursor's security page states it runs no infrastructure in China and uses no China-headquartered subprocessors, but publishes no region-pinning option for any product.
What security terms and network controls will Origin ship?
This is the custody core, and the pair of questions where a wrong assumption costs most. The mistake to avoid: reading cursor.com/security, which is about the editor and its AI features, and assuming it covers a hosting product that did not exist when those terms were written.
5. Which security terms cover the hosting, specifically?
Why it matters: SOC 2 attestations have a scope, and scope is exactly what changes when a vendor adds a product that holds your canonical source. Cursor holds a SOC 2 Type II attestation and commits to at-least-annual penetration testing, both verifiable at trust.cursor.com. Whether Origin is inside that attestation's scope at launch is a question to ask in writing. The custody deep-dive walks the full framework: data use, training opt-outs, vendor access, continuity.
6. What egress and network controls exist?
Why it matters: a forge built for agents is, by design, a system other software talks to constantly. You will want IP allowlisting, some story for private connectivity, and clarity on what the platform itself reaches out to, because agents and automated review imply model calls somewhere. What's known: nothing for Origin. The editor's Enterprise plan lists auto-run, browser and network controls, which at least shows Cursor builds this class of control when the product calls for it.
The code custody and security guide goes deep on what changes when one vendor runs both your agents and your repo, and how to limit the risk with mirrors and tested exports. Read it before any regulated code goes near a new host.
What is Origin's CI story and support commitment?
Day-two operations decide whether a migration was a project or a mistake. Two questions cover it.
7. What runs CI, and what happens to our pipelines?
Why it matters: CI pipelines are host-specific and do not move with the repo. If your team lives in GitHub Actions, every workflow gets rewritten for whatever Origin runs, and that rewrite is usually the largest line item in a host migration. What's known: nothing confirmed. Coverage of the Compile demo described Origin fixing failed CI runs on its own, but that is reported, not documented by Cursor, and it says nothing about what executes your pipelines in the first place.
8. What SLA and support tier come with it?
Why it matters: when the host holding your source of truth goes down, agents, review and merges stop together, a blast radiusHow much breaks if a change goes wrong; the scope of potential damage. Press Enter for the full definition. the split GitHub-plus-tools setup doesn't have. You want a written uptime commitment and a named escalation path. What's known: nothing. The editor's Enterprise plan lists priority support and account management, so the sales motion exists; the hosting SLA does not, yet.
How will Origin be priced, and how do we leave?
The last two questions are the ones procurement will ask you, so get ahead of them.
9. What is the pricing model?
Why it matters: the unit of pricing shapes behaviour. Per-seat pricing suits human teams; a forge whose whole pitch is agent throughput raises the question of whether you pay per human, per agent, or per unit of compute, and those produce very different bills for an agent-heavy org. What's known: no public pricing of any kind. The editor's Enterprise plan offers pooled usage and invoice/PO billing, which hints at how Cursor prices for large orgs without saying anything about Origin.
10. What is the exit path?
Why it matters: git history is portable and moves with a mirror push, but pull requests, review threads, permissions and CI live in host data and need an exporter or they are gone. Signing up without a tested export path is how lock-in actually happens. What's known: nothing published, no importer or exporter described. The migration guide covers what moves cleanly between hosts and what never does.
One more line for the file: ownership is changing. A Form 8-K filed with the SEC on June 16, 2026 discloses SpaceX's $60 billion all-stock agreement to acquire Anysphere, Cursor's parent, expected to close in Q3 2026 pending regulatory approval. If it closes on schedule, the vendor holding your code on Origin will be a SpaceX subsidiary before GA — so ask who your data-processing agreement will actually be with at signing, and what change-of-control terms apply. The release tracker follows the deal status.
When your waitlist invite arrives, send all ten questions to the vendor and keep the answers in writing. Anything unanswered maps to a simple policy: non-critical repos only, mirrored elsewhere, until it isn't. The self-hosting question is the eleventh ask for teams that can't use shared cloud at all.
Frequently asked questions
Does Cursor Origin have SSO and SCIM?
Not published. Origin is waitlist-only with no enterprise feature list. Cursor's editor product lists SAML/OIDC SSO on the Teams plan and SCIM seat management on Enterprise, which is precedent for what Cursor builds, but nothing on cursor.com commits Origin to either yet.
Is Cursor Origin SOC 2 compliant?
There is no Origin-specific attestation. Cursor holds a SOC 2 Type II attestation, available on request at trust.cursor.com, but attestations have scope, and whether Origin's hosting is inside that scope at launch is a question to put to the vendor in writing.
Can enterprises self-host Cursor Origin?
Nothing is published about self-hosting or on-prem deployment for Origin. Coverage has flagged it as one of the unanswered enterprise questions. Teams with air-gap or strict residency requirements should treat it as unavailable until Cursor documents otherwise.
When will Cursor publish Origin's enterprise terms?
No date. Third-party coverage points to a fall 2026 availability window, but cursor.com/origin publishes no release date, no pricing and no security terms. Watch cursor.com/origin and trust.cursor.com rather than coverage for the answers that count.
Sources & last verified
- Cursor — Origin (waitlist)
- Cursor — Pricing (Teams/Enterprise features)
- Cursor — Security
- GitHub Docs — Enterprise Cloud data residency
Cursor ships frequently. Facts verified against primary sources on July 16, 2026.