Cursor隐私与安全配置

v20260423

cursor-privacy-settings

详细介绍了Cursor的隐私保护机制，包括启用“隐私模式”实现零数据保留、配置数据流向（如嵌入和聊天记录）、使用.cursorignore排除敏感文件。内容涵盖遥测数据管理、网络安全配置以及GDPR、HIPAA等合规性要求。

隐私安全数据处理代码开发人工智能合规设置

134 次下载

概览

Cursor Privacy Settings

Configure Cursor's privacy controls to protect your code and data. Covers Privacy Mode, data handling policies, file exclusion, telemetry, and enterprise security settings.

Privacy Mode

What Privacy Mode Does

With Privacy Mode ON	With Privacy Mode OFF
Zero data retention at model providers	Providers may retain data per their policies
Code not used for training (Cursor or providers)	Code may be used to improve AI models
Embeddings computed without storing source	Same embedding behavior
Telemetry: anonymous usage only	Telemetry may include code snippets

Enabling Privacy Mode

Individual: Cursor Settings > General > Privacy Mode > ON

Team enforcement (Business/Enterprise): Admin Dashboard > Privacy > "Enforce Privacy Mode for all members"

When team-enforced:

Individual users cannot disable Privacy Mode
Client pings server every 5 minutes to verify enforcement
New members automatically have Privacy Mode enabled

Verifying Privacy Mode

Cursor Settings > General -- check Privacy Mode toggle
cursor.com/settings -- shows account-level status
For teams: Admin Dashboard shows enforcement status per member

Data Flow: Where Your Code Goes

Your Code in Editor
       │
       ├─► Tab Completion ──► Cursor's proprietary model server
       │                      (zero retention with Privacy Mode)
       │
       ├─► Chat/Composer ──► Model provider (OpenAI/Anthropic/Google)
       │                     (zero retention agreements in place)
       │
       ├─► Codebase Index ─► Cursor embedding API ─► Turbopuffer (vector DB)
       │                     (embeddings only, no plaintext code)
       │
       └─► BYOK ───────────► Your API provider directly
                             (your provider's data policy applies)

What IS Stored

Data	Stored Where	Retention
Embeddings (vectors)	Turbopuffer (cloud)	Until project re-indexed
Obfuscated file metadata	Cursor servers	Active session only
Anonymous telemetry	Cursor analytics	Aggregated, no PII
Account info	Cursor auth servers	While account active

What Is NOT Stored (Privacy Mode ON)

Plaintext source code
Chat prompts and responses
File contents sent for completion
Code snippets from Tab suggestions

Sensitive File Exclusion

.cursorignore (Best-Effort AI Exclusion)

# .cursorignore -- prevent files from AI features + indexing

# Credentials and secrets
.env
.env.*
.env.local
.env.production
**/secrets/
**/credentials/
**/*.pem
**/*.key
**/*.p12

# Regulated data
**/pii/
**/hipaa/
**/financial-data/

# Internal configuration
.cursor-config-private
infrastructure/terraform.tfvars

Important: .cursorignore is best-effort. Due to LLM unpredictability, it is not a hard security boundary. Do not rely solely on .cursorignore to protect truly sensitive data.

Defense in Depth

Layer 1: .gitignore        → Secrets never in repo
Layer 2: .env files        → Config via environment variables
Layer 3: .cursorignore     → Best-effort AI exclusion
Layer 4: Privacy Mode      → Zero data retention at providers
Layer 5: BYOK + Azure      → Route through your own infrastructure

Telemetry Configuration

What Cursor Collects

With Privacy Mode ON, telemetry is limited to:

Feature usage counts (how often Chat/Composer/Tab used)
Error reports (crashes, not code content)
Performance metrics (response times)
Extension compatibility data

Disabling Telemetry

// settings.json
{
  "telemetry.telemetryLevel": "off"
}

Or: Cursor Settings > search "telemetry" > set to "off"

Note: Disabling telemetry may reduce Cursor's ability to diagnose issues affecting your account.

Network Security

Required Domains

Allowlist these domains in corporate firewalls/proxies:

api.cursor.com           → AI API requests
api2.cursor.com          → AI API requests (fallback)
auth.cursor.com          → Authentication
*.turbopuffer.com        → Codebase indexing (embeddings)
download.cursor.com      → Updates

Proxy Configuration

// settings.json
{
  "http.proxy": "http://proxy.corp.com:8080",
  "http.proxyStrictSSL": true,
  "http.proxyAuthorization": "Basic base64-encoded-credentials"
}

TLS/SSL

All Cursor API communication uses TLS 1.2+. Certificate pinning is not supported, so corporate SSL inspection proxies work (add proxy CA to system trust store).

Compliance Mapping

SOC 2

Control	Cursor Coverage
CC6.1 Logical access	SSO, RBAC, MFA via IdP
CC6.6 System boundaries	Privacy Mode, .cursorignore
CC6.7 Data transmission	TLS 1.2+ for all API calls
CC7.2 Monitoring	Admin dashboard usage analytics

GDPR

Requirement	Cursor Coverage
Data minimization	Privacy Mode: zero retention
Right to erasure	Account deletion removes all server-side data
Data processing agreement	Available on request (Enterprise)
Sub-processor list	Published at cursor.com/privacy

HIPAA

Cursor does not have a BAA (Business Associate Agreement) as of early 2026. For HIPAA-regulated code:

Enable Privacy Mode
Use .cursorignore for PHI-containing files
Consider BYOK through Azure with BAA
Consult your compliance team before use

Enterprise Considerations

SOC 2 Type II report: Available on request for Enterprise customers
Penetration test results: Annual pen tests, results shared under NDA
Data residency: Cursor processes requests via US and EU infrastructure. No region pinning available yet
Encryption: AES-256 at rest, TLS 1.2+ in transit
Incident response: Cursor maintains a security incident response plan (details in SOC 2 report)

Resources

信息

Category 编程开发

Name cursor-privacy-settings

版本 v20260423

大小 6.67KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28