TL;DR

Until ownership and policy documents stabilize, verify Windsurf’s current owner, privacy policy, and subprocessors before sending sensitive data.

Scope

This page covers verification steps for ownership and data handling. It is a checklist, not legal advice.

How to use this page

  1. Confirm the current legal entity controlling the product.
  2. Verify the latest privacy policy effective date and subprocessor list.
  3. Re-check after any ownership or policy update.
  4. Return to the Windsurf terms hub for plan comparisons.

How the confusion happens

Acquisitions and licensing deals can split product ownership from data handling obligations. The UI stays the same, but legal control can change.

Signals to check

  • Updated owner name in the privacy policy and terms.
  • A current subprocessor list and retention window.
  • Enterprise addenda or DPA availability.
  • Any public statement about model provider usage.

Evidence / signals

  • Official terms/privacy policy with an effective date and controller entity.
  • Subprocessor list or DPA document provided by the current owner.
  • Public statement or press release about ownership or licensing changes.

How to verify legitimacy

  • Check the latest privacy policy and terms for owner and controller details.
  • Request the subprocessor list from sales/support.
  • Confirm whether data is stored, logged, or used for training.

What to do if you already onboarded

  • Get written confirmation of the current data controller.
  • Re-evaluate approvals with legal/security if ownership changed.

What would invalidate this

If the current owner publishes stable terms, a subprocessor list, and a clear retention policy with a recent effective date, use that documentation as the primary reference.