CtrlK
BlogDocsLog inGet started
Tessl Logo

cursor-compliance-audit

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation. Triggers on "cursor compliance", "cursor audit", "cursor security review", "cursor soc2", "cursor gdpr", "cursor data governance".

89

Quality

88%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Cursor Compliance Audit

Compliance and security auditing framework for Cursor IDE usage. Covers SOC 2, GDPR, and HIPAA assessment with audit checklists, evidence collection, and remediation guidance.

Cursor Security Posture

Certifications and Attestations

CertificationStatusNotes
SOC 2 Type IICertifiedAnnual audit, report available on request
Penetration testingAnnualResults shared under NDA (Enterprise)
Encryption at restAES-256All stored data
Encryption in transitTLS 1.2+All API communications
Zero data retentionAvailableVia Privacy Mode
GDPR complianceYesEU data processing supported
HIPAA BAANot available (as of early 2026)See HIPAA section

Data Processing Architecture

Developer Machine
    │
    ├─► Cursor Client ──► Cursor API (US/EU) ──► Model Provider
    │   (local)           (routing + auth)        (OpenAI/Anthropic)
    │                           │
    │                           └─► Zero retention agreement
    │
    ├─► Codebase Index ──► Embedding API ──► Turbopuffer (vectors)
    │                      (no plaintext stored)
    │
    └─► Local Settings (API keys, preferences)
        (never transmitted)

Audit Checklist: SOC 2

CC6.1 — Logical Access Controls

[ ] SSO (SAML/OIDC) configured and enforced
[ ] MFA enabled at Identity Provider level
[ ] RBAC roles assigned: Owner, Admin, Member
[ ] Inactive users deprovisioned (SCIM or manual)
[ ] Access review completed (quarterly)

Evidence:
  - SSO configuration screenshot from admin dashboard
  - IdP MFA policy documentation
  - User list export from Cursor admin
  - SCIM sync logs (if applicable)

CC6.6 — System Boundaries

[ ] Privacy Mode enforced at team level
[ ] .cursorignore configured for sensitive files
[ ] Data classification aligned with .cursorignore patterns
[ ] Model provider data retention agreements documented
[ ] BYOK configuration documented (if applicable)

Evidence:
  - Privacy Mode enforcement screenshot
  - .cursorignore file contents (committed to git)
  - Cursor data use policy acceptance
  - API key provider agreements

CC6.7 — Data Transmission Security

[ ] All Cursor API calls use TLS 1.2+
[ ] Corporate proxy configured with valid certificates
[ ] No self-signed certificates or TLS bypasses
[ ] Network firewall rules documented

Evidence:
  - Network architecture diagram showing Cursor data flows
  - Firewall rules for cursor.com domains
  - Proxy configuration settings

CC7.2 — Monitoring

[ ] Admin dashboard usage analytics reviewed monthly
[ ] Anomalous usage patterns investigated
[ ] Seat utilization tracked for access reviews

Evidence:
  - Monthly usage report screenshots
  - Incident response log for anomalies
  - User activity summary

Audit Checklist: GDPR

Data Mapping

Data Category: Source code snippets
Processing Purpose: AI-assisted code generation
Legal Basis: Legitimate interest (developer productivity)
Data Location: In-transit only (zero retention with Privacy Mode)
Sub-processors: OpenAI, Anthropic, Turbopuffer (embeddings)
Retention: None (Privacy Mode) or per provider policy (no Privacy Mode)

Individual Rights

RightCursor Support
Right to accessAccount settings at cursor.com/settings
Right to erasureAccount deletion removes all server-side data
Right to portabilitySettings export (settings.json)
Right to restrictionPrivacy Mode limits processing
Right to objectPrivacy Mode + .cursorignore

GDPR Compliance Checklist

[ ] Data Processing Agreement (DPA) signed with Cursor (Enterprise)
[ ] Privacy Mode enabled for all EU team members
[ ] Sub-processor list reviewed (cursor.com/privacy)
[ ] Data protection impact assessment (DPIA) completed
[ ] Team briefed on not pasting PII into Chat/Composer

Evidence:
  - Signed DPA
  - Privacy Mode enforcement confirmation
  - DPIA document
  - Team training records

HIPAA Assessment

Current status: Cursor does not offer a Business Associate Agreement (BAA) as of early 2026.

Mitigations for Healthcare Organizations

If your organization handles PHI:

1. Enable Privacy Mode (mandatory)
2. Configure .cursorignore to exclude ALL PHI-containing files:
   .cursorignore:
     **/patient-data/
     **/medical-records/
     **/hl7/
     **/fhir-resources/
     **/*.hl7
     **/*.ccda

3. Consider BYOK through Azure with BAA:
   - Azure OpenAI has HIPAA BAA option
   - Route Cursor AI requests through Azure
   - Azure handles data governance

4. Train developers: NEVER paste PHI into Chat or Composer
5. Code review policy: verify no PHI in AI-generated code

6. CRITICAL: Consult your compliance team before any Cursor
   usage with systems that process PHI

Remediation Playbook

Finding: Privacy Mode Not Enforced

Severity: High
Risk: Code may be retained by model providers for training

Remediation:
1. Admin Dashboard > Privacy > Enable enforcement (immediate)
2. Notify all team members (email)
3. Verify enforcement: check each member's status in dashboard
4. Document: date of enforcement, approval authority

Finding: No .cursorignore

Severity: Medium
Risk: Sensitive files may be included in AI context

Remediation:
1. Create .cursorignore at project root
2. Add patterns for: .env*, secrets/, credentials/, PII directories
3. Commit to git (PR review required)
4. Verify: Cursor Settings > Codebase Indexing > View included files
5. Confirm sensitive files absent from indexed list

Finding: Unmanaged API Keys (BYOK)

Severity: Medium
Risk: Shared or unrotated API keys

Remediation:
1. Audit which team members use BYOK keys
2. Verify keys are personal (not shared team keys)
3. Implement quarterly key rotation schedule
4. Document key management policy
5. Consider centralizing through Azure gateway (Enterprise)

Finding: No Access Review

Severity: Medium
Risk: Former employees retaining Cursor access

Remediation:
1. Export current member list from admin dashboard
2. Cross-reference with HR active employee list
3. Deactivate accounts for departed employees
4. Enable SCIM for automatic deprovisioning
5. Schedule quarterly access reviews

Enterprise Considerations

  • SOC 2 report: Request directly from Cursor (Enterprise plan) or via your account manager
  • Vendor risk assessment: Use Cursor's security page (cursor.com/security) as starting input
  • Third-party audit: Cursor's SOC 2 report covers their controls; your audit covers your configuration
  • Continuous monitoring: Set calendar reminders for quarterly access reviews and annual policy updates

Resources

  • Cursor Security
  • Cursor Data Use Policy
  • Cursor Privacy Policy
  • Privacy and Data Governance Docs
Repository
jeremylongshore/claude-code-plugins-plus-skills
Commit

3e83543

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill