Cursor DPA 2026: Where to Find It and What It Covers
Where is the Cursor DPA and which plan fits Germany?
Cursor publishes its Data Processing Addendum at cursor.com/terms/dpa. For German business use, the practical baseline is usually Teams or Enterprise, because the DPA still needs a company contract path, team-wide Privacy Mode, transfer review, and admin controls before personal data can be handled safely.
- The public Cursor DPA references the agreement between Anysphere and the customer and includes SCC language for EU and UK transfers.
- Privacy Mode is available on free and Pro accounts, but team-wide enforcement and admin controls sit on Teams and Enterprise.
- The DPA says customers should not provide sensitive or special-category personal data under the agreement.
- German teams still need an internal policy for source code, prompts, telemetry, and subprocessor review.
The Cursor DPA is publicly available at cursor.com/terms/dpa, and the current 2026 answer for German buyers is this: use Teams or Enterprise for real company rollout, enable Privacy Mode, and treat the DPA as only one part of the GDPR file. Cursor now makes Privacy Mode available broadly, including free and Pro accounts, but the practical procurement baseline for businesses is still the plans with team-wide controls, centralized administration, and a clearer contractual path. If you need the Article 28 framework first, also see our guide to data processing agreements under GDPR. For the engineering-governance layer, see AI code generation compliance and our comparison pages for GitHub Copilot and Replit.
This page provides general legal information, not legal advice for a specific deployment. The legal result depends on your plan, settings, data types, and workflow.
Where to find the Cursor DPA
Cursor publishes its Data Processing Addendum (DPA) publicly at cursor.com/terms/dpa. That is useful because a German procurement team can review the contract text before rollout rather than waiting for a sales process.
The more important legal detail is what the DPA says about scope:
- it governs Anysphere’s processing of personal data under the agreement between Anysphere and the customer
- it includes transfer language for EU SCCs and the UK Addendum
- it says customers should not provide sensitive or special-category personal data under the agreement
That last point matters. If your intended workflow includes HR files, health data, criminal-offence data, or similarly sensitive material, the public DPA already signals that Cursor is not the routine default channel.
Which Cursor plan is the realistic GDPR starting point?
Cursor’s public pricing as of June 29, 2026 lists Hobby, Pro, Teams, and Enterprise. Cursor’s Security page says Privacy Mode is available to anyone, including free and Pro users. That does not mean all plans are equally suitable for company use.
Our legal assessment is:
| Plan | What Cursor says publicly | Practical GDPR view for Germany |
|---|---|---|
| Hobby | Free plan with limited usage | Not a serious basis for company personal-data workflows |
| Pro | Individual paid plan; Privacy Mode available | Can fit solo low-risk use, but weak for company governance and procurement |
| Teams | Team billing, admin, analytics, SSO, and team-wide Privacy Mode | Best default starting point for most German startups and software teams |
| Enterprise | Adds pooled usage, SCIM, access controls, audit logs, and account management | Better fit for larger or more regulated organizations |
That conclusion is partly an inference from Cursor’s public plan pages and admin features. The key point is practical rather than semantic: a company needs a plan that lets it enforce settings, document responsibility, and govern a team rollout.
What Privacy Mode changes in 2026
Cursor’s current public materials are clearer than they used to be. The Terms of Service say Anysphere will not use content to train models unless the customer explicitly agrees. The Security page says Privacy Mode can be enabled in settings or by a team or enterprise admin and is available to anyone. The Data Use & Privacy Overview adds that, when Privacy Mode is enabled, Cursor states that customer data will not be used for training and that its model providers will not store or train on that data.
That is a meaningful improvement, but it is not the end of the legal analysis.
Cursor also says:
- prompts or conversations that trigger abuse detection may still be stored for investigation
- non-ZDR models may require admin opt-in or be marked separately
- requests still go through Cursor’s backend, even when you use your own API key
- codebase indexing uploads code in chunks to compute embeddings, while embeddings and metadata may remain stored
For German teams, that means Privacy Mode reduces risk, but does not erase transfer, retention, or governance questions.
What the Cursor DPA does and does not solve
The DPA helps with the classic Article 28 GDPR processor-contract question. It gives you a contractual baseline, SCC language, and some structure for data subject rights, security, and subprocessor obligations.
It does not solve these points on its own:
- whether your chosen plan actually gives your organization the right contractual setup
- whether your developers are sending unnecessary source code, client data, or secrets into prompts
- whether your internal documentation properly records transfers, subprocessors, and retention assumptions
- whether your workflow involves data that the DPA itself discourages or excludes in practice
If your review is mainly contractual, the DPA is the first document. If your review is operational, the real work starts after that document is downloaded.
Cursor plan comparison for data handling
For legal and procurement teams, the operational differences matter more than the marketing labels.
| Plan | Privacy Mode | Admin controls | Recommended use case |
|---|---|---|---|
| Hobby | Available | None worth relying on for a team | Personal testing only |
| Pro | Available | Individual settings only | Solo developer, low-risk internal work |
| Teams | Team-wide Privacy Mode | Team admin, billing, analytics, SSO | Standard company rollout |
| Enterprise | Team-wide Privacy Mode | SCIM, access controls, audit logs, account management | Regulated or scaled rollout |
This is why many German buyers asking for the Cursor DPA are really asking a broader question: “Which Cursor plan lets us defend the deployment if legal, security, or a customer asks later?” In most cases, that answer starts at Teams.
Source code, telemetry, and confidentiality
The main legal risk is not whether Cursor has a DPA PDF-equivalent. The main risk is what leaves the development environment.
Teams should assume the relevant exposure points include:
- prompts entered by developers
- code snippets and surrounding repository context
- embeddings and metadata generated during indexing
- usage analytics and admin-visible activity data
That drives the internal policy question. Before rollout, a German company should define at least these rules:
- no raw customer datasets, HR files, or support logs in Cursor by default
- no secrets, keys, tokens, or incident data in prompts
- no routine use for Article 9 GDPR data or professional-secrecy material
- human review before AI-generated code is merged into production
If the team cannot keep those boundaries in practice, Cursor is the wrong default tool for that workflow.
Transfers, subprocessors, and Germany-specific review
Cursor’s Security page says its list of subprocessors is published on the trust portal and re-reviewed annually. That is helpful, but German buyers still need to save the current list into the procurement file and assess whether the vendor chain is acceptable for the intended use.
The minimum review usually covers:
- the current DPA version and date
- the current subprocessor list
- the transfer mechanism and countries involved
- the chosen Privacy Mode configuration
- the internal rule set for allowed and prohibited use
For many startups and software teams, that package can be enough for low-risk internal coding support. For client-confidential, employment, regulated-sector, or public-sector use, additional review is usually required. For a broader procurement checklist, see our GDPR AI vendor assessment checklist and our GDPR AI procurement guide.
Our assessment
Cursor’s DPA is real, public, and useful, but it is not a one-click answer to GDPR compliance. The 2026 improvement is that Cursor now states more clearly where the DPA lives, how Privacy Mode changes training and retention, and which team controls sit on Teams and Enterprise. For German companies, the safer position is to treat Teams as the minimum normal rollout plan and Enterprise as the stronger option where auditability, access control, or regulated workflows matter.
If your question is only “Does Cursor have a DPA?” the answer is yes. If your question is “Can we now use Cursor for any business data?” the answer is no. The deployment still needs plan selection, settings control, transfer review, and a strict internal policy.
Compound Law advises companies in Germany and the DACH region on AI procurement, DPA review, transfer assessments, and engineering-tool governance. If you want us to review your Cursor setup, contact us.
FAQ
Where can I find the Cursor DPA?
Cursor publishes the DPA publicly at cursor.com/terms/dpa. Your team should download the current version and document which customer agreement and plan govern your actual deployment.
Which Cursor plan is best for GDPR-compliant team use?
For most German companies, Teams is the practical minimum and Enterprise is the stronger option. Free and Pro accounts can use Privacy Mode, but they are weaker from a governance and procurement perspective because they lack the same team-wide controls.
Does Cursor use our code to train AI models?
Cursor’s current Terms say Anysphere will not use content to train models unless the customer explicitly agrees. Cursor’s public Privacy Mode pages add that model providers also will not store or train on customer data in that mode, subject to abuse-detection and policy-enforcement handling.
Does the Cursor DPA allow special-category personal data?
The public DPA says customers should not provide sensitive or special-category personal data under the agreement. German teams should read that as a strong warning against routine use for HR, health, or similarly sensitive datasets.
What is the GDPR transfer basis for Cursor?
Cursor’s public DPA includes the EU Standard Contractual Clauses and the UK Addendum. That is the baseline transfer mechanism, but German companies still need to document the countries involved, review the subprocessor list, and assess whether the intended workflow fits that transfer setup.
Is Privacy Mode enough for German compliance?
No. Privacy Mode is important, but you still need the right plan, a documented transfer review, the current subprocessor list, and internal rules on code, prompts, and data handling.
Does the DPA by itself protect code confidentiality?
No. The DPA solves part of the GDPR contract layer, but code confidentiality still depends on internal usage rules, repository scoping, prompt discipline, admin controls, and the confidentiality commitments in your customer and vendor contracts.