Cursor DPA and GDPR review for teams in Germany
tools

Cursor DPA 2026: Where to Find It and What It Covers

Where is the Cursor DPA and which plan fits Germany?

Cursor publishes its Data Processing Addendum at cursor.com/terms/dpa. For German business use, the practical baseline is usually Teams or Enterprise, because the DPA still needs a company contract path, team-wide Privacy Mode, transfer review, and admin controls before personal data can be handled safely.

  • The public Cursor DPA references the agreement between Anysphere and the customer and includes SCC language for EU and UK transfers.
  • Privacy Mode is available on free and Pro accounts, but team-wide enforcement and admin controls sit on Teams and Enterprise.
  • The DPA says customers should not provide sensitive or special-category personal data under the agreement.
  • German teams still need an internal policy for source code, prompts, telemetry, and subprocessor review.

The Cursor DPA is publicly available at cursor.com/terms/dpa, and the current 2026 answer for German buyers is this: use Teams or Enterprise for real company rollout, enable Privacy Mode, and treat the DPA as only one part of the GDPR file. Cursor now makes Privacy Mode available broadly, including free and Pro accounts, but the practical procurement baseline for businesses is still the plans with team-wide controls, centralized administration, and a clearer contractual path. If you need the Article 28 framework first, also see our guide to data processing agreements under GDPR. For the engineering-governance layer, see AI code generation compliance and our comparison pages for GitHub Copilot and Replit.

This page provides general legal information, not legal advice for a specific deployment. The legal result depends on your plan, settings, data types, and workflow.

Where to find the Cursor DPA

Cursor publishes its Data Processing Addendum (DPA) publicly at cursor.com/terms/dpa. That is useful because a German procurement team can review the contract text before rollout rather than waiting for a sales process.

The more important legal detail is what the DPA says about scope:

  • it governs Anysphere’s processing of personal data under the agreement between Anysphere and the customer
  • it includes transfer language for EU SCCs and the UK Addendum
  • it says customers should not provide sensitive or special-category personal data under the agreement

That last point matters. If your intended workflow includes HR files, health data, criminal-offence data, or similarly sensitive material, the public DPA already signals that Cursor is not the routine default channel.

Which Cursor plan is the realistic GDPR starting point?

Cursor’s public pricing as of June 29, 2026 lists Hobby, Pro, Teams, and Enterprise. Cursor’s Security page says Privacy Mode is available to anyone, including free and Pro users. That does not mean all plans are equally suitable for company use.

Our legal assessment is:

PlanWhat Cursor says publiclyPractical GDPR view for Germany
HobbyFree plan with limited usageNot a serious basis for company personal-data workflows
ProIndividual paid plan; Privacy Mode availableCan fit solo low-risk use, but weak for company governance and procurement
TeamsTeam billing, admin, analytics, SSO, and team-wide Privacy ModeBest default starting point for most German startups and software teams
EnterpriseAdds pooled usage, SCIM, access controls, audit logs, and account managementBetter fit for larger or more regulated organizations

That conclusion is partly an inference from Cursor’s public plan pages and admin features. The key point is practical rather than semantic: a company needs a plan that lets it enforce settings, document responsibility, and govern a team rollout.

What Privacy Mode changes in 2026

Cursor’s current public materials are clearer than they used to be. The Terms of Service say Anysphere will not use content to train models unless the customer explicitly agrees. The Security page says Privacy Mode can be enabled in settings or by a team or enterprise admin and is available to anyone. The Data Use & Privacy Overview adds that, when Privacy Mode is enabled, Cursor states that customer data will not be used for training and that its model providers will not store or train on that data.

That is a meaningful improvement, but it is not the end of the legal analysis.

Cursor also says:

  • prompts or conversations that trigger abuse detection may still be stored for investigation
  • non-ZDR models may require admin opt-in or be marked separately
  • requests still go through Cursor’s backend, even when you use your own API key
  • codebase indexing uploads code in chunks to compute embeddings, while embeddings and metadata may remain stored

For German teams, that means Privacy Mode reduces risk, but does not erase transfer, retention, or governance questions.

What the Cursor DPA does and does not solve

The DPA helps with the classic Article 28 GDPR processor-contract question. It gives you a contractual baseline, SCC language, and some structure for data subject rights, security, and subprocessor obligations.

It does not solve these points on its own:

  • whether your chosen plan actually gives your organization the right contractual setup
  • whether your developers are sending unnecessary source code, client data, or secrets into prompts
  • whether your internal documentation properly records transfers, subprocessors, and retention assumptions
  • whether your workflow involves data that the DPA itself discourages or excludes in practice

If your review is mainly contractual, the DPA is the first document. If your review is operational, the real work starts after that document is downloaded.

Cursor plan comparison for data handling

For legal and procurement teams, the operational differences matter more than the marketing labels.

PlanPrivacy ModeAdmin controlsRecommended use case
HobbyAvailableNone worth relying on for a teamPersonal testing only
ProAvailableIndividual settings onlySolo developer, low-risk internal work
TeamsTeam-wide Privacy ModeTeam admin, billing, analytics, SSOStandard company rollout
EnterpriseTeam-wide Privacy ModeSCIM, access controls, audit logs, account managementRegulated or scaled rollout

This is why many German buyers asking for the Cursor DPA are really asking a broader question: “Which Cursor plan lets us defend the deployment if legal, security, or a customer asks later?” In most cases, that answer starts at Teams.

Source code, telemetry, and confidentiality

The main legal risk is not whether Cursor has a DPA PDF-equivalent. The main risk is what leaves the development environment.

Teams should assume the relevant exposure points include:

  • prompts entered by developers
  • code snippets and surrounding repository context
  • embeddings and metadata generated during indexing
  • usage analytics and admin-visible activity data

That drives the internal policy question. Before rollout, a German company should define at least these rules:

  1. no raw customer datasets, HR files, or support logs in Cursor by default
  2. no secrets, keys, tokens, or incident data in prompts
  3. no routine use for Article 9 GDPR data or professional-secrecy material
  4. human review before AI-generated code is merged into production

If the team cannot keep those boundaries in practice, Cursor is the wrong default tool for that workflow.

Transfers, subprocessors, and Germany-specific review

Cursor’s Security page says its list of subprocessors is published on the trust portal and re-reviewed annually. That is helpful, but German buyers still need to save the current list into the procurement file and assess whether the vendor chain is acceptable for the intended use.

The minimum review usually covers:

  • the current DPA version and date
  • the current subprocessor list
  • the transfer mechanism and countries involved
  • the chosen Privacy Mode configuration
  • the internal rule set for allowed and prohibited use

For many startups and software teams, that package can be enough for low-risk internal coding support. For client-confidential, employment, regulated-sector, or public-sector use, additional review is usually required. For a broader procurement checklist, see our GDPR AI vendor assessment checklist and our GDPR AI procurement guide.

Our assessment

Cursor’s DPA is real, public, and useful, but it is not a one-click answer to GDPR compliance. The 2026 improvement is that Cursor now states more clearly where the DPA lives, how Privacy Mode changes training and retention, and which team controls sit on Teams and Enterprise. For German companies, the safer position is to treat Teams as the minimum normal rollout plan and Enterprise as the stronger option where auditability, access control, or regulated workflows matter.

If your question is only “Does Cursor have a DPA?” the answer is yes. If your question is “Can we now use Cursor for any business data?” the answer is no. The deployment still needs plan selection, settings control, transfer review, and a strict internal policy.

Compound Law advises companies in Germany and the DACH region on AI procurement, DPA review, transfer assessments, and engineering-tool governance. If you want us to review your Cursor setup, contact us.

FAQ

Where can I find the Cursor DPA?

Cursor publishes the DPA publicly at cursor.com/terms/dpa. Your team should download the current version and document which customer agreement and plan govern your actual deployment.

Which Cursor plan is best for GDPR-compliant team use?

For most German companies, Teams is the practical minimum and Enterprise is the stronger option. Free and Pro accounts can use Privacy Mode, but they are weaker from a governance and procurement perspective because they lack the same team-wide controls.

Does Cursor use our code to train AI models?

Cursor’s current Terms say Anysphere will not use content to train models unless the customer explicitly agrees. Cursor’s public Privacy Mode pages add that model providers also will not store or train on customer data in that mode, subject to abuse-detection and policy-enforcement handling.

Does the Cursor DPA allow special-category personal data?

The public DPA says customers should not provide sensitive or special-category personal data under the agreement. German teams should read that as a strong warning against routine use for HR, health, or similarly sensitive datasets.

What is the GDPR transfer basis for Cursor?

Cursor’s public DPA includes the EU Standard Contractual Clauses and the UK Addendum. That is the baseline transfer mechanism, but German companies still need to document the countries involved, review the subprocessor list, and assess whether the intended workflow fits that transfer setup.

Is Privacy Mode enough for German compliance?

No. Privacy Mode is important, but you still need the right plan, a documented transfer review, the current subprocessor list, and internal rules on code, prompts, and data handling.

Does the DPA by itself protect code confidentiality?

No. The DPA solves part of the GDPR contract layer, but code confidentiality still depends on internal usage rules, repository scoping, prompt discipline, admin controls, and the confidentiality commitments in your customer and vendor contracts.

Related Tool Guides

Claude ZDR zero data retention guide for Anthropic API and Claude Code enterprise use
tools

Claude ZDR: Zero Data Retention for Enterprise and Claude Code

Claude ZDR is available only on qualified Anthropic API and Claude Code enterprise paths. Learn scope, exclusions, retention exceptions, and procurement steps.

DeepL DPA and GDPR approval guide for companies in Germany
tools

DeepL DPA and GDPR in Germany: Approval Guide for Buyers

DeepL can usually be approved in Germany only on paid business plans with a signed DPA, feature review, and confidentiality checks. DeepL Free is not approved.

DeepSeek GDPR compliance analysis for German companies
tools

Is DeepSeek GDPR Compliant? What German Companies Need to Know

Hosted DeepSeek still creates GDPR and procurement risk for German companies. Self-hosted deployments can work with EU infrastructure and proper controls.

Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Is Zapier GDPR Compliant? Germany Guide 2026

Is Zapier GDPR compliant for German companies? DPA, SCCs, EU data residency, and when Zapier is too risky for personal data workflows.

Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

HubSpot privacy and GDPR compliance for German businesses
tools

HubSpot Privacy in Germany: GDPR, DPA, and Works Council Risks

HubSpot privacy and GDPR compliance in Germany require a DPA, transfer review, EU data hosting assessment, and works council analysis.

Tool Library

Browse More AI Tools by Topic

Compare more tools, privacy issues, and deployment scenarios in the full AI tool library.

View all AI tools

Frequently asked questions

Cursor publishes its Data Processing Addendum publicly at cursor.com/terms/dpa. That page is the right starting point for procurement, but your team still needs to confirm which customer agreement and plan actually govern your deployment.

For a company rollout in Germany, Teams or Enterprise is usually the safer baseline. Privacy Mode also exists on free and Pro, but those individual plans do not give the same centralized admin, team-wide enforcement, SSO, or audit-oriented controls.

According to Cursor's current Terms, Security page, and Data Use page, enabling Privacy Mode means Cursor will not train on your data and its model providers will not store or train on that data. Abuse-detection review and limited policy-enforcement handling can still apply.

No, not comfortably. The public DPA says customers should not provide sensitive or special-category personal data under the agreement. That is a strong signal against using Cursor as a routine channel for HR, health, or similarly sensitive material.

Cursor's public DPA includes EU Standard Contractual Clauses and the UK Addendum. For German companies, that is the starting transfer mechanism, but the company still needs to document the countries involved, review the current subprocessor chain, and assess whether the planned workflow is appropriate for that transfer setup.

Sometimes, but only with strict boundaries. Low-risk internal coding support is easier to justify than client repositories, support logs, regulated secrets, or live production data. Those cases need a deeper legal and security review.

No. The DPA helps with Article 28 GDPR, but source-code confidentiality still depends on internal usage rules, restricted repositories, prompt discipline, plan-level admin controls, and whether your contracts with customers allow this vendor chain at all.

Book Free Call