Detailed Security and Enterprise Readiness Report: Cursor AI IDE

~ Harini Kannan

Prepared for: Enterprise AI Teams and AI/Security Leadership

Based on: Publicly available information and Cursor’s provided documentation from:
https://www.cursor.com/security, https://trust.cursor.com/faq and https://trust.cursor.com/

Table of Contents

  1. Executive Summary
  2. Introduction to Cursor
  3. Core Security Architecture and Practices
  4. AI Request Processing and Data Handling
  5. Codebase Indexing: Functionality and Security
  6. Privacy Mode: Guarantees and Implementation
  7. Enterprise-Specific Features and Considerations
  8. Potential Risks and Mitigation Strategies
  9. Subprocessor Overview
  10. Conclusion and Key Recommendations for Enterprise AI Leadership
  11. Key Recommendations

1. Executive Summary

Cursor is an AI-powered Integrated Development Environment (IDE), forked from Microsoft’s open-source Visual Studio Code (VS Code). It aims to accelerate software development through AI-driven code generation, chat-based assistance, and codebase-aware context. For enterprises, Cursor offers features like SAML 2.0 SSO, a “Privacy Mode” designed to prevent code storage, and SOC 2 Type II certification, indicating a commitment to security.

Key considerations for enterprise adoption include its cloud-only deployment model, current lack of on-premise or VPC options, and specific differences from VS Code regarding extension signature verification and Workspace Trust defaults. While Privacy Mode offers strong guarantees against code persistence, AI requests (even with user-owned LLM keys) are routed through Cursor’s AWS infrastructure for prompt engineering. Codebase indexing (which one can turn off in Settings) creates embeddings and obfuscated file paths stored on Cursor’s servers.

This report provides a detailed analysis of Cursor’s security posture, data handling practices, enterprise features, and potential risks to help AI leadership make informed decisions.

2. Introduction to Cursor

Cursor positions itself as a modern IDE for engineering organizations, enhancing the development lifecycle with AI capabilities. Built upon the familiar foundation of VS Code, it integrates AI assistance directly into the coding workflow. Its primary value proposition lies in improving developer productivity by:

  • Providing intelligent code suggestions and autocompletions (Cursor Tab).
  • Allowing developers to chat with an AI about their codebase.
  • Enabling AI-assisted code generation and modifications.
  • Offering semantic indexing of codebases for deeper contextual understanding by the AI.

Cursor aims to be a comprehensive AI-first coding environment, trusted by a growing number of companies.

3. Core Security Architecture and Practices

Cursor has implemented several security measures, many inherited from its VS Code base, with additional layers relevant to its AI functionalities.

  • VS Code Foundation and Upstream Patching:
    • Cursor is a fork of microsoft/vscode and merges the upstream codebase every other mainline VS Code release.
    • High-severity security patches from upstream VS Code are cherry-picked and released immediately if they fall between regular merge cycles.
    • Users can check the underlying VS Code version via “Cursor > About Cursor”.
  • Network Security and Required Domains:
    • Corporate proxies must whitelist specific domains for Cursor to function correctly:
      • api2.cursor.sh: Most API requests.
      • api3.cursor.sh: Cursor Tab requests (HTTP/2 only).
      • repo42.cursor.sh: Codebase indexing (HTTP/2 only).
      • api4.cursor.sh, us-asia.gcpp.cursor.sh, us-eu.gcpp.cursor.sh, us-only.gcpp.cursor.sh: Cursor Tab requests (location-dependent, HTTP/2 only).
      • marketplace.cursorapi.com, cursor-cdn.com: Extension marketplace downloads.
  • Data Encryption:
    • In Transit: Minimum of TLS 1.2 encryption.
    • At Rest: AES-256 encryption for all data stored by Cursor.
  • Infrastructure:
    • Cursor’s infrastructure runs on Amazon Web Services (AWS).
    • Primary region: United States.
    • Secondary regions: Tokyo and London.
    • Cursor states that none of its infrastructure is in China, nor does it directly use Chinese companies as subprocessors.
  • Authentication and Access Controls:
    • Default authentication: Email or GitHub login.
    • Enterprise (Business plan customers): SAML 2.0 SSO integration with Just-in-Time (JIT) authentication. SCIM protocol is not currently supported.
  • Notable Differences from VS Code:
    • Workspace Trust: Disabled by default in Cursor (security.workspace.trust.enabled is false).
      • Reasoning: To prevent confusion with Cursor’s “Privacy Mode” and due to the nuanced trust properties of Workspace Trust (e.g., it doesn’t protect from malicious extensions, only malicious folders).
      • Can be manually enabled by users.
    • Extension Code Signatures: Cursor does not verify signatures of extensions from its marketplace (extensions.verifySignature defaults to false).
      • VS Code defaults this to true. Setting it to true in Cursor will result in signature verification failure pop-ups for all extensions.
      • Cursor hopes to support this in the medium-term future.

4. AI Request Processing and Data Handling

AI is central to Cursor’s functionality, leading to frequent communication with its backend servers.

  • Mechanism of AI Requests:
    • Triggered by various actions: chat questions, keystrokes for Cursor Tab suggestions, background context building, bug identification.
    • Requests generally include:
      • Recently viewed files.
      • Conversation history.
      • Relevant code snippets based on language server information.
  • Data Flow:
    • Code data and context are sent from the Cursor app to Cursor’s infrastructure on AWS.
    • Cursor’s server-side performs prompt-building.
    • The request is then sent to the appropriate Large Language Model (LLM) inference provider (e.g., Fireworks, OpenAI, Anthropic, Google).
    • Important Note: Requests always hit Cursor’s AWS infrastructure first, even if an enterprise has configured its own API key for a provider like OpenAI. This is because Cursor’s prompt-building and custom models (e.g., on Fireworks) are server-side and considered critical for user experience.
  • No Direct Routing to Enterprise LLM Deployments:
    • Cursor currently does not support direct routing from the Cursor app to an enterprise’s private deployment of OpenAI, Azure OpenAI, or Anthropic.
  • Ownership of Generated Code:
    • Cursor states that “You own all the code generated by Cursor.”
  • Data Collection (If Privacy Mode is OFF):
    • Cursor collects telemetry and usage data.
    • This may include prompts, editor actions, code snippets, and edits made to this code. This data is used to evaluate and improve AI features.
    • If using autocomplete, Fireworks (an inference provider) may also collect prompts to improve inference speed.

5. Codebase Indexing: Functionality and Security

Cursor offers semantic indexing of codebases to provide more relevant AI assistance. This feature is enabled by default but can be turned off.

  • Purpose and Functionality:
    • Allows Cursor to answer questions with the context of the entire codebase.
    • Helps write better code by referencing existing implementations.
  • Indexing Process:
    • When enabled, Cursor scans the opened folder.
    • It computes a Merkle tree of hashes for all files (respecting .gitignore and .cursorignore).
    • The Merkle tree is synced to Cursor’s server.
    • Every 10 minutes, Cursor checks for hash mismatches and uses the Merkle tree to identify and upload only changed files.
    • On the server, files are chunked and embedded. Embeddings are stored in Turbopuffer.
    • Embeddings are also cached in AWS (indexed by chunk hash) for faster re-indexing, especially for teams.
  • Data Stored by Cursor for Indexing:
    • Vector Embeddings: Stored in Turbopuffer.
    • Obfuscated Relative File Paths: Stored with each vector to allow filtering search results. The obfuscation involves splitting paths by / and . and encrypting each segment with a client-stored secret key and a deterministic 6-byte nonce. This leaks directory hierarchy information and may have nonce collisions but hides most segment names.
    • Line Ranges: Corresponding to the code chunk.
    • Git History (if in a Git repo): Commit SHAs, parent information, and obfuscated file names (using a secret key derived from recent commit contents for team sharing). Commit messages, file contents, or diffs are not indexed as part of Git history.
  • Inference Time with Indexed Code:
    • An embedding is computed for the query.
    • Turbopuffer performs a nearest neighbor search.
    • Obfuscated file paths and line ranges are sent back to the client.
    • The client reads these file chunks locally.
    • These local chunks are then sent back up to the Cursor server to answer the user’s question.
    • Privacy Implication: For Privacy Mode users, this process means no plaintext code from the indexed files is stored persistently on Cursor’s servers or in Turbopuffer as part of the index.
  • Security Considerations for Indexing:
    • .cursorignore file: Can be added to a codebase to list files/directories to be excluded from indexing and, by best effort, from AI requests. However, recently viewed files listed in .cursorignore might still be included in AI chat requests. Cursor is considering a .cursorban file for stricter exclusion.
    • File Path Obfuscation: As described above, it hides most information but not directory structure.
    • Embedding Reversal: Cursor acknowledges academic work showing embedding reversal is possible in some cases. They believe current attack methods (requiring model access and embedding short strings into big vectors) make it somewhat difficult in their scenario but state it’s “definitely possible for an adversary who breaks into our vector database to learn things about the indexed codebases.”
    • Performance and Load: The indexing feature can experience heavy load, potentially causing request failures and requiring multiple uploads for full indexing. This might manifest as higher-than-expected bandwidth usage to repo42.cursor.sh.

6. Privacy Mode: Guarantees and Implementation

Privacy Mode is a critical feature for users and enterprises concerned about code confidentiality. Approximately 50% of Cursor users have Privacy Mode enabled.

  • Core Guarantee:
    • When Privacy Mode is enabled, Cursor guarantees that code data is not stored in plaintext at their servers or by their subprocessors.
    • Code data submitted by Privacy Mode users will never be trained on.
    • Business plan users (and thus enterprise teams) have Privacy Mode enforced by default.
  • Implementation Details:
    • Can be enabled during onboarding or in settings.
    • The user’s Privacy Mode setting is stored on the client.
    • Each request to Cursor’s server includes an x-ghost-mode header. If missing, the server defaults to assuming Privacy Mode.
    • Parallel Infrastructure:
      • Requests hit a proxy that routes to logical services (e.g., “chat service,” “Cursor Tab service”).
      • Each logical service has two near-identical replicas: one for Privacy Mode requests and one for non-Privacy Mode requests.
      • The proxy and the replicas themselves check the x-ghost-mode header.
      • By default, all log functions from Privacy Mode replicas are no-ops unless explicitly suffixed (e.g., infoUnrestricted), which undergo careful review to ensure no code data/prompts are logged.
      • Background tasks also use parallel queues and worker replicas.
  • Data Visibility in Privacy Mode:
    • Code data is still visible to Cursor’s servers in memory for the lifetime of the request.
    • It may exist for a slightly longer period (minutes to hours) for:
      • Long-running background jobs.
      • KV caching.
      • Temporary file caching (all data encrypted with client-generated keys retained only for the request duration).
    • Zero Data Retention of Code: Raw code data is not persisted.
  • Team-Level Enforcement:
    • Privacy Mode is forcibly enabled by default for any user who is a member of a team.
    • Clients ping the server every 5 minutes to check if team-enforced Privacy Mode is active and override local settings if necessary.
    • The server also checks team membership in the hot path and treats requests as Privacy Mode if the user is part of such a team, even if the header indicates otherwise (with a 5-minute cache for this check, defaulting to Privacy Mode on cache miss).
    • This ensures a user joining a team will be in Privacy Mode at the latest 5 minutes after joining.

7. Enterprise-Specific Features and Considerations

  • Deployment Options:
    • Cloud-Only: Cursor’s solution is currently available only through cloud deployment on AWS.
    • Local Installation: The Cursor application itself is installed on local machines.
    • No On-Premise/Hybrid/VPC: Cursor does not currently support on-premises installations, hybrid deployments, or VPC configurations.
    • Sandbox/Testing: No dedicated sandbox environment, but a free tier is available for testing and evaluation.
  • Compliance and Certifications:
    • SOC 2 Type II Certified: Cursor maintains this certification, indicating adherence to established security and availability principles. Reports can be requested via trust.cursor.com.
    • Penetration Testing: Commits to at-least-annual penetration testing by third parties. Executive summaries can be requested.
    • Internal Controls: Mature internal controls, annual security training for employees, and regular account access reviews comply with SOC 2 standards.
    • Vendor Contracts: Custom enterprise contracts with AI vendors, reviewed annually.
  • Tenant Structure:
    • Operates with separate tenants for privacy and non-privacy modes within a multi-tenant AWS environment using logical segregation.
    • No Individually Isolated Tenants: Not currently offered for customers.
  • Logging and Monitoring:
    • Implements basic logging for system performance and collects limited telemetry data.
    • No Client-Exposed Audit Logging: Currently, Cursor does not expose audit logging capabilities directly to clients.
    • Admin Dashboard: Admins can access basic log and usage information.
    • Regular security scanning is conducted, but the specific frequency is still being determined.
  • Data Retention Policies (General User Information):
    • Anysphere (Cursor’s parent company) retains information as long as an account is active or as needed for contractual obligations, service provision, legal compliance, dispute resolution, etc.
    • Retention periods depend on the type of information and its purpose.
    • Users can access, update, alter, or delete basic user profile information.
    • For specific retention queries: hi@cursor.com with the subject “Privacy Concern”.
    • Limited personal information (e.g., related to community posts, GitHub issues) may be retained indefinitely due to the open-source nature of some interactions.
  • International Data Transfers:
    • Apps are hosted in the US; personal information is stored and processed on US servers.
    • Employees, contractors, and affiliated organizations may be in the US or other countries.
    • For personal information transferred outside EEA, Switzerland, and UK to non-adequate countries, Cursor uses safeguards like Standard Contractual Clauses (SCCs). Copies can be requested (hi@cursor.com, subject “Data Transfers”).
  • Business Associate Agreements (BAAs):
    • Cursor does not currently sign BAAs, which is a critical consideration for entities handling Protected Health Information (PHI) under HIPAA.
  • Support:
    • Extensive documentation at docs.cursor.com.
    • Email support: hi@cursor.com.
    • Enterprise Customers: Access to additional support, including a shared Slack channel and dedicated support representatives.

8. Potential Risks and Mitigation Strategies

While Cursor offers robust features, enterprises should be aware of potential risks:

  • AI-Generated Code Vulnerabilities:
    • Risk: AI models, including those used by Cursor, can generate code that contains security vulnerabilities, is non-optimal, or doesn’t adhere to best practices.
    • Mitigation:
      • Mandate rigorous code reviews for all AI-generated or AI-assisted code.
      • Utilize static analysis security testing (SAST) and dynamic analysis security testing (DAST) tools.
      • Provide ongoing security training for developers on secure coding practices and the limitations of AI tools.
      • Explore and enforce secure coding patterns using Cursor’s “Rules” feature if applicable to your security policies.
      • Maintain a “trust but verify” approach to all AI outputs.
  • Data Privacy with Cloud Dependency:
    • Risk: All AI processing, including prompt engineering with potentially sensitive code snippets, occurs on Cursor’s cloud infrastructure (AWS) before reaching LLMs.
    • Mitigation:
      • Enforce Privacy Mode for all enterprise users. This is the strongest mitigation to prevent persistent storage of code.
      • Ensure clear understanding and internal communication about Cursor’s data flow, even with Privacy Mode enabled (data is still processed in memory).
      • Rely on Cursor’s SOC 2 Type II compliance as an indicator of their security practices.
      • Regularly review Cursor’s security and privacy documentation for any changes.
  • Supply Chain Risks (e.g., “Rules File Backdoor”):
    • Risk: Research (e.g., from Pillar Security) highlights potential attack vectors where malicious instructions could be hidden in configuration files (like Cursor Rules) to manipulate AI code generation, potentially bypassing human review.
    • Mitigation:
      • Treat Cursor Rules files (if used) as critical code, subject to strict review and version control.
      • Consider automated validation of rule files for suspicious patterns.
      • Store rule files in secure repositories with controlled access.
      • Educate developers on these newer, more subtle attack vectors.
  • Over-reliance, Complacency, and Skill Atrophy:
    • Risk: Developers might become overly reliant on AI suggestions, reducing critical thinking, code scrutiny, and potentially leading to skill degradation in fundamental coding.
    • Mitigation:
      • Foster a culture where AI is a tool to augment, not replace, developer expertise.
      • Emphasize continuous learning and understanding of core programming principles.
      • Incorporate AI tool usage guidelines into development best practices.
  • Extension Security:
    • Risk: Cursor currently does not verify the signatures of extensions downloaded from its marketplace. This could expose users to malicious or compromised extensions.
    • Mitigation:
      • Exercise caution when installing third-party extensions.
      • Limit the number of installed extensions to only those essential for workflow.
      • Await Cursor’s planned implementation of extension signature verification.
      • If Workspace Trust is enabled, understand it only mitigates risks from malicious folders, not extensions.
  • Limited Control (No On-Premise/VPC):
    • Risk: Enterprises with strict data residency or network isolation requirements may find the cloud-only model unsuitable.
    • Mitigation:
      • This is a fundamental limitation. If on-premise is a hard requirement, Cursor may not be a fit.
      • Evaluate if Privacy Mode and SOC 2 compliance provide sufficient assurance for your data sensitivity levels.

9. Subprocessor Overview

Cursor relies on several subprocessors to deliver its services. The key ones and data handling (especially concerning Privacy Mode where specified by Cursor) include:

  • Amazon Web Services (AWS): Primary cloud infrastructure provider. Handles code data in memory during AI request processing, even in Privacy Mode. Stores embeddings and obfuscated file paths for codebase indexing.
  • OpenAI: LLM provider. Receives code data for AI responses. Cursor maintains a zero-data retention agreement with OpenAI. Data sent to OpenAI is subject to Privacy Mode guarantees (i.e., not persisted by OpenAI via Cursor’s flow if Privacy Mode is on).
  • Anthropic: LLM provider. Similar to OpenAI, receives code data for AI responses. Zero-data retention agreement in place. Subject to Privacy Mode guarantees.
  • Google (Cloud Platform & Vertex AI): Some secondary infrastructure and LLM provider. Subject to Privacy Mode guarantees and zero-data retention agreements for relevant services.
  • Fireworks: Custom models and LLM inference provider. May store some code data if Privacy Mode is disabled, to speed up inference. Zero-data retention agreement for Privacy Mode users.
  • Turbopuffer: Stores (vector) embeddings of indexed codebases and obfuscated file paths. No plaintext code is stored here for Privacy Mode users.
  • Databricks: Used for training some of Cursor’s custom models (from non-privacy mode data). Data from privacy mode users never reaches Databricks.
  • Foundry: Used for training some custom models. Data from privacy mode users never reaches Foundry.
  • Sentry: Error and performance monitoring. Code data is never explicitly sent, but may show up in reported errors. Data from privacy mode users never reaches Sentry.
  • Other Subprocessors (for operational aspects, typically not handling code data directly or less critically): Exa, MongoDB (analytics for non-privacy mode users), Pinecone (embeddings of some indexed docs from public web), Amplitude (analytics), HashiCorp (infrastructure management), Stripe (payment processing), Vercel (website deployment), WorkOS (SSO).

Cursor’s Stance on Chinese Infrastructure/Subprocessors:

  • None of Cursor’s infrastructure is in China.
  • They do not directly use any Chinese company as a subprocessor.
  • To their knowledge, none of their subprocessors use Chinese infrastructure for Cursor’s data.

10. Conclusion and Key Recommendations for Enterprise AI Leadership

Cursor presents a compelling AI-enhanced development environment with a strong emphasis on developer productivity. Its foundation on VS Code offers familiarity, while its AI features are deeply integrated. For enterprises, the commitment to security, evidenced by SOC 2 Type II certification and the robust Privacy Mode, are significant positives.

11. Key Recommendations:

  1. Mandate Privacy Mode: For any enterprise use, especially involving proprietary or sensitive codebases, Privacy Mode should be universally enforced for all developers. This is the primary mechanism to align with Cursor’s “zero data retention of code” promise.
  2. Understand Data Flow: Ensure all stakeholders understand that even with Privacy Mode and user-owned LLM keys, AI request data (including code snippets) is processed in memory on Cursor’s AWS infrastructure for prompt engineering.
  3. Address Deployment Limitations: Acknowledge that Cursor is cloud-only. If on-premise or VPC deployment is a non-negotiable requirement, Cursor may not be suitable at this time.
  4. Develop Clear Internal Usage Policies:
    • Establish guidelines for appropriate use of AI assistance.
    • Emphasize the need for rigorous code review of AI-generated outputs.
    • Provide guidance on the use (and potential risks) of third-party extensions, given the current lack of signature verification.
    • Educate developers on secure use of features like Codebase Indexing and Cursor Rules.
  5. Evaluate Risk Appetite: Carefully weigh the benefits of Cursor against the identified risks, such as the lack of BAA support (if relevant), the current extension security model, and the implications of a cloud-based AI processing pipeline.
  6. Monitor Cursor’s Security Evolution: Stay informed about Cursor’s roadmap, particularly regarding planned enhancements like extension signature verification and any future changes to deployment options or security features.
  7. Pilot Program: Consider a controlled pilot program with a subset of developers working on non-critical projects to assess productivity gains and identify any practical integration challenges before broader rollout.
  8. SSO Integration: Leverage SAML 2.0 SSO for streamlined and secure user management.
  9. Review Subprocessor List: Periodically review Cursor’s list of subprocessors and their roles, especially concerning data handling practices.

Cursor offers a potentially transformative tool for software development. By understanding its security architecture, privacy features, and inherent risks, enterprise AI leadership can make a well-informed decision about its adoption and integration into their development workflows.

One thought on “Detailed Security and Enterprise Readiness Report: Cursor AI IDE

  1. Pingback: Ship Code 10× Faster: Guide, Don’t Grind—With AI Coding Assistants – Infinite Couch

Leave a comment