Does Cursor Store, Retain, or Train on My Source Code?

Cursor can store, retain, or train on your source code, but only when Privacy Mode is off. With Privacy Mode on, Cursor does not train on your code and maintains zero data retention agreements with its model providers. For enterprises, the risk is not Cursor’s default alone. It is whether developers use a sanctioned, enforced account or an unmanaged personal one. Aurascape helps security teams verify and govern that usage in the live AI interaction path.

Last updated: June 2026.

Does Cursor train on your source code?

AI coding tools are now near universal: 84 percent of developers use or plan to use them, up from 76 percent in 2024 (Stack Overflow, 2025). For security teams, that makes one question routine. Does the assistant keep your code, and does it learn from it? For Cursor, the answer turns on one setting. With Privacy Mode off, Cursor states (Cursor, 2026) that it may store codebase data, prompts, editor actions, and code snippets, and may use them to improve its features and train its models. With Privacy Mode on, Cursor does not train on your data and maintains zero data retention (ZDR) agreements with its model providers, so those providers do not store or train on your code. Privacy Mode is available on every plan, and for teams it is enabled by default.

So the honest answer is conditional. Cursor is built to keep enterprise code out of training, but only when Privacy Mode is on. The table below shows how each kind of data is handled in each state.

| Data or behavior | Privacy Mode off | Privacy Mode on |
|---|---|---|
| Source code, prompts, editor actions | May be stored and used to improve features and train Cursor’s models | Not used for training by Cursor |
| Model provider sharing | Prompts and limited telemetry may be shared with the providers you select (for accounts created after October 15, 2025) | Providers do not store or train on your data under ZDR agreements |
| Codebase index | Code uploaded in small chunks to compute embeddings; plaintext discarded after the request; embeddings and metadata such as file names and hashes may be stored | Same indexing behavior; embeddings and metadata may be stored |
| Cached file contents | Temporarily cached, encrypted with per-request keys, never permanently stored | Temporarily cached and never used as training data |
| Abuse detection | Subject to provider policies | Data may be stored for investigation if abuse detectors trigger, then deleted per the retention policy |

What Cursor still stores, even in Privacy Mode

Privacy Mode stops training. It does not make the tool local. Even with Privacy Mode on, requests still pass through Cursor’s backend, where the final prompt is assembled, and that holds true even when you bring your own model API key. If you index your codebase, Cursor uploads it in small chunks to compute embeddings; the plaintext is discarded after the request, but the embeddings and metadata can remain in Cursor’s database. File contents are cached briefly and encrypted with keys that exist only for the life of the request.

Cursor’s privacy policy (Cursor, 2026) adds one more nuance. Cursor says it does not use your inputs or suggestions to train its models unless they are flagged for a security review, you report them as feedback, or you explicitly opt in. Read that as a clear default with named exceptions, not an absolute. For a security team, the takeaway is that source code leaves the device on every cloud request, and what happens to it next depends on the account, the route, and the settings, not on the editor alone.

How your plan and model provider change the answer

The same install behaves differently depending on plan and route. According to Cursor’s privacy documentation (Cursor, 2026), Privacy Mode is on by default for teams and enterprises, and an admin can enforce it across the organization so members cannot turn it off. With it enabled, Cursor maintains ZDR agreements with OpenAI, Anthropic, Google Vertex AI, and xAI. Three details decide the real exposure for any given developer:

  • Personal API keys. ZDR does not apply when a developer uses their own provider key. The data then follows that provider’s policy, not Cursor’s agreement, and the request still routes through Cursor’s backend.
  • Account age. For accounts created after October 15, 2025, prompts and limited telemetry may be shared with the providers a developer selects when Privacy Mode is off.
  • Non-ZDR models. Models without a ZDR agreement are designated as such and require an admin to opt in before they can be used in a workspace.

This is why a blanket statement about Cursor and source code is usually wrong. The control that matters is whether the right plan, the right providers, and Privacy Mode enforcement are confirmed for the accounts your developers use.

What enterprise teams should verify before deploying Cursor

Approving Cursor is an evidence exercise, not a trust exercise. Cursor’s security page (Cursor, 2026) documents the controls and attestations to confirm. Walk this checklist before rollout:

  1. Confirm Privacy Mode is enabled and admin-enforced across the organization so individual members cannot disable it.
  2. Confirm which model providers are allowed, and verify that any model without a zero data retention agreement is blocked or requires explicit admin opt-in.
  3. Decide whether developers may use personal provider API keys, since zero data retention agreements do not apply to those keys and the data then follows the provider’s own policy.
  4. Set a .cursorignore policy to keep secrets, credentials, and crown-jewel files out of indexing and embeddings, and treat it as best-effort defense in depth, not a hard boundary.
  5. Turn on audit logging and the AI code tracking interface, and decide who reviews how AI features are used across the organization.
  6. Request the System and Organization Controls (SOC 2) Type II report and the subprocessor list from Cursor’s trust portal, and confirm Cursor respects model blocklists.
  7. Evaluate customer-managed encryption keys (CMEK) if you need to hold your own keys for embeddings and cloud agent data.
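
One way to check item 4 before rollout, as an added example that is not code from Cursor or Aurascape: the script parses a .cursorignore and lists sensitive-looking files it does not exclude. It assumes gitignore-style pattern semantics in a simplified form; the SENSITIVE_NAMES policy, the sample ignore file, and the file listing are constructed.

```python
from fnmatch import fnmatchcase

# Added example; assumes gitignore-style rules (simplified: no '**', no escapes).
# Constructed policy: file names the security team treats as sensitive.
SENSITIVE_NAMES = ["*.pem", "*.key", ".env", ".env.*", "*.tfstate", "id_rsa"]

def parse_rules(text):
    """Parse ignore text into (negated, dir_only, anchored, parts) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        line = line[1:] if negated else line
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = "/" in line  # a slash inside the pattern pins it to the root
        rules.append((negated, dir_only, anchored, line.lstrip("/").split("/")))
    return rules

def is_ignored(path, rules):
    """Return True if the last matching rule excludes the path."""
    parts, ignored = path.split("/"), False
    for negated, dir_only, anchored, pat in rules:
        last_start = 0 if anchored else len(parts) - len(pat)
        for start in range(last_start + 1):
            end = start + len(pat)
            # A directory-only rule must match a parent, never the file itself.
            if end > len(parts) or (dir_only and end == len(parts)):
                continue
            if all(fnmatchcase(c, p) for c, p in zip(parts[start:end], pat)):
                ignored = not negated
                break
    return ignored

def unprotected_sensitive_files(paths, ignore_text):
    """Sensitive files the ignore file does not exclude from indexing."""
    rules = parse_rules(ignore_text)
    return [p for p in paths
            if any(fnmatchcase(p.rsplit("/", 1)[-1], s) for s in SENSITIVE_NAMES)
            and not is_ignored(p, rules)]

# Constructed sample .cursorignore and repository listing.
CURSORIGNORE = ".env\n*.pem\nsecrets/\n/deploy/terraform/*.tfstate\n!certs/public-ca.pem\n"
REPO_FILES = ["src/app.py", ".env", "services/api/.env.production",
              "certs/server.pem", "certs/public-ca.pem", "secrets/signing.key",
              "deploy/terraform/prod.tfstate", "modules/vpc/terraform.tfstate",
              "ops/id_rsa"]

print(unprotected_sensitive_files(REPO_FILES, CURSORIGNORE))
```

The negated entry is reported on purpose, so a reviewer confirms that a re-included file really is safe to index. A clean result shows only that the patterns cover the listed files, consistent with treating .cursorignore as best-effort.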

Most of these are configuration and paperwork. The harder problem is the one Cursor’s native settings do not independently prove: whether developers are using the sanctioned account in the live path rather than a personal one.

Why your security stack sees Cursor but not your code

The verification gap is architectural, not a failure of any one team. The security service edge (SSE), cloud access security broker (CASB), data loss prevention (DLP), and secure web gateway (SWG) tools most enterprises run were built to govern destinations and browser sessions. They may confirm that traffic reached cursor.com. They were not built to read the prompt, tell a sanctioned enterprise tenant from a personal account, or follow code into the integrated development environment (IDE), the command-line interface (CLI), and the agent paths Cursor uses.

That blind spot matters because source code is exactly the asset at stake. OWASP names Sensitive Information Disclosure (LLM02) among the top risks for AI applications, and proprietary code and secrets are the kind of sensitive information it describes (OWASP, 2025). The exposure compounds when usage runs outside the security team’s view: IBM found (IBM, 2025) that 97 percent of organizations with an AI-related breach lacked proper AI access controls. And the agent side is growing faster than control: Cisco found (Cisco, 2025) that 83 percent of organizations plan to deploy AI agents, while only 31 percent feel equipped to control and secure them. Cursor’s agent mode and Model Context Protocol (MCP) tool calls sit squarely inside that gap.

How Aurascape governs Cursor source code in the live path

Aurascape closes the gap by governing how developers use Cursor, not by trusting a setting. Cursor’s own privacy controls still matter; Aurascape adds the independent visibility and enforcement that confirm those controls are in use as intended. It discovers the coding assistants already running across the environment and applies control as an interaction layer across the network, endpoint, and application programming interface (API) planes, including the CLI and non-browser agent paths a coding assistant uses. It decodes prompts, responses, and tool calls with conversation-level context, distinguishes a personal account from a sanctioned enterprise one through entitlement and Intentions, and applies context-aware actions to allow, coach, warn, block, or redact (Aurascape, 2026).

For governed MCP workflows, the Zero-Bypass MCP Gateway signs approved tool calls and blocks unsigned ones, with cross-call data lineage across chained actions, while the AI Proxy inspects each model interaction for data leakage and prompt injection in real time. Because new coding assistants launch constantly, patented agents crawl the web to recognize and risk-score new AI tools early, so security teams are not left matching traffic to a static list of known destinations. Aurascape runs as an additive layer alongside the SSE, CASB, DLP, and SWG controls you already operate. It does not replace them. It adds the AI-interaction visibility and control they were not built for.

| Capability for governing a coding assistant like Cursor | Destination-based controls (SSE, CASB, DLP, SWG) | Aurascape |
|---|---|---|
| Tell a sanctioned enterprise tenant from a personal account | Built to see destinations and browser sessions, not the account in use | Distinguishes the sanctioned enterprise tenant from a personal account through entitlement and Intentions |
| Inspect source code in prompts, responses, and tool calls | Govern web and SaaS destinations, not the AI interaction inside them | Decodes prompts, responses, and tool calls with conversation-level context |
| Cover the IDE, CLI, and non-browser agent paths | Centered on browser sessions and known destinations | Applies policy across the network, endpoint, and API planes, including IDE, CLI, and agent paths |
| Govern Cursor agent and MCP tool calls before they run | Built to govern destinations, not agent tool execution | The Zero-Bypass MCP Gateway signs approved tool calls and blocks unsigned ones |
| Recognize and risk-score a new coding assistant early, not after adoption | Match traffic to a static list of known destinations | Patented agents crawl the web to recognize and risk-score new AI tools as they launch |
| Produce a record of who used AI, on what account, with what data | Log destinations and sessions | Interaction records for audit and effectiveness, governed by role-based access control for privacy |

The outcome is adoption without the guesswork. In one Aurascape deployment, a Fortune 100 insurance and financial enterprise delivered code 40 percent faster with AI coding assistants and tripled its AI agent integrations with no unauthorized data access, while protecting more than 20,000 users (Aurascape, 2026). Security became the reason the business could move on AI, not the reason it had to wait.

Frequently asked questions

Does Cursor train on my source code by default?

It depends on your plan. On free and Pro accounts, Privacy Mode is a setting you must turn on, and with it off Cursor may store and train on your code. For teams and enterprises, Privacy Mode is on by default and an admin can enforce it so members cannot disable it.

Does Privacy Mode stop all data from leaving my machine?

No. Privacy Mode stops training and enforces zero data retention with model providers, but Cursor still routes requests through its backend to build the prompt, can store codebase embeddings and metadata, and may briefly store data if abuse detectors trigger. For a stricter posture, confirm Privacy Mode is admin-enforced and your approved model routes are locked down, and weigh whether to index sensitive repositories at all.

Does using my own API key keep my code private?

Not by itself. Even with your own key, requests still pass through Cursor’s backend, and zero data retention does not apply, so your data follows your provider’s policy rather than Cursor’s agreement.

Where does Cursor’s codebase indexing send my code?

Indexing uploads your code in small chunks to Cursor’s servers to compute embeddings. The plaintext is discarded after the request, but the embeddings and metadata such as file names and hashes may be stored. A .cursorignore file can exclude sensitive files, though Cursor describes it as best-effort.

What should a security team verify before approving Cursor?

Confirm Privacy Mode is enforced organization-wide, which model providers are allowed, whether personal API keys are permitted, the .cursorignore policy, audit logging, and the SOC 2 Type II report and subprocessor list. For the full evaluation, see the guide on how to secure AI coding assistants.

Is Cursor different from Claude Code or OpenAI Codex on data retention?

The enterprise review pattern is similar; the vendor defaults differ. Each routes code to a cloud model, and what happens next depends on the plan and route. See the same question for Claude Code and for OpenAI Codex.


Aurascape answers the source-code question by governing how developers use Cursor, not by trusting a setting. It tells a sanctioned enterprise tenant from a personal account, decodes the prompts, responses, and tool calls that carry code across the IDE, CLI, and agent paths, and keeps proprietary code and secrets on approved terms. A short demo with your security team can show your real Cursor traffic decoded and governed inline, including indexing behavior and MCP tool calls that destination-based controls were not built to decode.
