Windsurf Data Handling

Overview

Control what code and data Windsurf's AI (Cascade, Supercomplete) can access. Covers file exclusion patterns, telemetry controls, Codeium's data processing model, and compliance configuration for regulated environments.

Prerequisites

• Windsurf IDE installed
• Understanding of Codeium's data processing model
• Identified sensitive files and directories in workspace

Instructions

Step 1: Understand Codeium's Data Model

# What happens with your code in Windsurf
data_flow:
  indexed_locally:
    what: "File contents, structure, dependencies"
    where: "Local machine only"
    purpose: "Supercomplete context, Cascade awareness"
    retention: "Persists until re-indexed"

  sent_to_cloud:
    what: "Cascade prompts, code snippets around cursor"
    where: "Codeium cloud (or self-hosted for Enterprise)"
    purpose: "AI model inference"
    retention: "Zero-data retention for ALL paid plans"

  never_processed:
    what: "Files in .codeiumignore, .gitignore, node_modules"
    where: "N/A"
    purpose: "N/A"

  compliance:
    certifications: ["SOC 2 Type II", "FedRAMP High"]
    hipaa: "BAA available for Enterprise customers"
    data_retention: "Zero for paid plans, configurable for Enterprise"
    deployment: "Cloud, Hybrid, or Self-Hosted options"

Step 2: Configure .codeiumignore for Data Protection

# .codeiumignore — files Windsurf AI will NEVER see or index
# Uses gitignore syntax. Default: .gitignore and node_modules excluded.

# ===== SECRETS =====
.env
.env.*
.env.local
credentials.json
serviceAccountKey.json
*.pem
*.key
*.p12
*.pfx
.aws/
.gcloud/
.azure/
vault-config.*

# ===== CUSTOMER DATA =====
data/customers/
data/exports/
data/backups/
*.sql
*.sql.gz
*.dump
fixtures/production-*

# ===== INFRASTRUCTURE SECRETS =====
terraform.tfstate
terraform.tfstate.backup
*.tfvars
*.auto.tfvars
ansible/vault*

# ===== COMPLIANCE BOUNDARIES =====
# PCI zone — credit card processing code
src/pci/

# HIPAA zone — health data processing
src/hipaa/

# Financial data
reports/financial/

Step 3: Disable Telemetry (Regulated Environments)

// settings.json — maximum privacy configuration
{
  "codeium.enableTelemetry": false,
  "codeium.enableSnippetTelemetry": false,
  "telemetry.telemetryLevel": "off",
  "update.showReleaseNotes": false
}

Step 4: Configure Autocomplete Data Boundaries

// Disable Supercomplete for sensitive file types
{
  "codeium.autocomplete.languages": {
    "plaintext": false,
    "env": false,
    "dotenv": false,
    "properties": false,
    "ini": false,
    "yaml": false,
    "json": false
  }
}

Rationale: YAML and JSON files often contain configuration with secrets. Disabling Supercomplete for these types prevents the AI from seeing or suggesting content based on config files.

Step 5: Safe Cascade Usage with Sensitive Code

## Rules for using Cascade in regulated codebases

1. NEVER paste secrets into Cascade chat
   - BAD: "My API key is sk-abc123, why isn't it working?"
   - GOOD: "I'm getting auth errors. The key is set in .env as API_KEY."

2. NEVER ask Cascade to read excluded files
   - BAD: "Read .env and tell me what's configured"
   - GOOD: "What environment variables does src/config.ts expect?"

3. Use .windsurfrules to enforce safety patterns
   - "Always use process.env for secrets, never hardcode"
   - "Never log PII fields: email, phone, ssn, creditCard"

4. Mark compliance boundaries in .windsurfrules
   - "Files in src/pci/ handle credit card data — extra review required"
   - "Files in src/hipaa/ handle health data — never log patient info"

Step 6: Enterprise Self-Hosted Deployment

For maximum data control:

# Enterprise deployment options
deployment_modes:
  cloud:
    data_flow: "Code snippets → Codeium cloud → AI response"
    retention: "Zero-data retention (default for paid plans)"
    suitable_for: "Most teams"

  hybrid:
    data_flow: "Code stays on-prem, only prompts sent to cloud"
    retention: "Configurable"
    suitable_for: "Teams with data residency requirements"

  self_hosted:
    data_flow: "Everything on-prem or in your cloud"
    retention: "You control"
    suitable_for: "Highly regulated (finance, healthcare, government)"
    requires: "Enterprise plan + infrastructure team"

Data Privacy Audit Checklist

• .codeiumignore covers all secret files and customer data
• Telemetry disabled (if required by policy)
• Autocomplete disabled for secret-containing file types
• .windsurfrules includes data handling coding standards
• Team trained: never paste secrets into Cascade
• Enterprise: deployment mode matches compliance requirements
• Enterprise: SSO configured, personal accounts blocked
• Regular audit: verify no new sensitive files outside ignore patterns

Error Handling

Examples

Quick Privacy Audit

set -euo pipefail
echo "=== Windsurf Data Privacy Audit ==="
echo "Has .codeiumignore: $([ -f .codeiumignore ] && echo 'YES' || echo 'NO')"
echo "Potential exposed secrets:"
find . -type f \
  -not -path '*/node_modules/*' -not -path '*/.git/*' \
  \( -name '*.env*' -o -name '*.key' -o -name '*.pem' -o -name 'credentials*' \) \
  2>/dev/null | while read f; do
    grep -q "$(basename "$f")" .codeiumignore 2>/dev/null && echo "  $f: PROTECTED" || echo "  $f: EXPOSED"
  done

Resources

• Codeium Privacy Policy
• Windsurf Security
• Windsurf Ignore Docs

Next Steps

For enterprise access controls, see windsurf-enterprise-rbac.