Privacy and Data Governance
Indexing, LLM requests and Cloud Agents have different data paths.
Use the right surface
After this you can pick Privacy and governance for the right job and define done.
Done means you can distinguish each data flow and avoid overclaiming controls.

Enterprise rollout work needs identity, controls, privacy and usage evidence in one operating view.
Use Privacy and governance when Security asks what code leaves the machine and where it is stored. Keep the boundary narrow.
Start small. Name the job, attach the context that proves the point and decide what evidence would make the output trustworthy.
Read the loop before touching the controls. The first beat frames the work, the second uses Cursor, the third checks the result and the fourth leaves a handoff someone else can inspect.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Run this loop in a real repo.
- Entry point
- Privacy/data governance docs and team privacy settings
- Source
- Privacy and data governance docs, trust.cursor.com and the enterprise security one-pager
Use the source as the product reference.
Ask Cursor for an output you can inspect.
If the output cannot be checked, narrow the task before you continue.
A good run leaves a file, setting, screenshot, command result or written claim you can verify.
Takeaway. Done means you can distinguish each data flow and avoid overclaiming controls.
Self-check
QWhen should you reach for Privacy and governance?
Run it
After this you can do the task with clear scope and one proof point.
Treat this as a short practice loop, not a product tour. The task should be small enough that you can inspect the result without trusting the summary.
- 1Separate indexing, LLM requests and Cloud Agent execution.
- 2State the posture: Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. is on by default and non-disableable, providers run under zero data retention, the company holds SOC 2 Type 2, and data stays US-only.
- 3Explain indexing storage honestly: embeddings are hashed and raw code is held ephemerally, with the vector store as the only durable artifact.
- 4Map enterprise controls like MDM enforcement, DPAData Processing Agreement. A contract spelling out how a vendor is allowed to handle your data., encryption and CMEK.
The exercise is complete only when the proof matches the requested outcome. If the proof is weak, reduce the scope or fix the context instead of adding more instructions.
Keep the task small enough to review.
The answer notes that legacy privacy mode blocks Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop., unlike current Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code..
Takeaway. Stop when you have proof: Each data flow is described separately and Cloud Agent storage is not hidden..
Self-check
QWhich habit makes this workflow safe to use on a real project?
Check it
After this you can find the first failed check before changing tools.
Verification decides the next move.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Pick a row to see what to look for.
Use the first failure signal as the next prompt. Broad retries usually make the run noisier; a narrow retry gives Cursor a concrete repair target.
No proof means more checking.
Use a real repo or admin setting. Save the prompt, context and proof.
Takeaway. If it fails, find the first failed check.
Self-check
QThe workflow failed. What is the best first move?