Windsurf - Detailed Guide

Approval status: Under review - this tool is not currently approved for use. We are reviewing it for potential approval, but cannot commit to if or when this might happen.

(Generated by AI, ChatGPT Deep Research, on June 23rd 2025)

What Windsurf IDE does

Windsurf IDE (accessible via windsurf.com/editor) is an AI-powered integrated development environment built by Exafunction, Inc. (the team behind Codeium). It is a full code editor (forked from Microsoft’s Visual Studio Code) enhanced with AI features and is available on Windows, Mac, and Linux platforms. The goal of Windsurf is to “keep developers in flow state” by tightly integrating AI assistance into the coding workflow. Key features include:

  • AI Autocomplete (“Tab”): Windsurf provides rapid, context-aware code completions as you type. It offers unlimited AI autocomplete suggestions for seamless coding, similar to GitHub Copilot but without strict usage caps. In other IDEs via plugins, only basic autocomplete is available, but in the Windsurf Editor these suggestions are more powerful and multi-line.

  • In-Editor AI Chat: You can talk with an AI agent directly within the IDE to get explanations, generate code, or debug – all without context-switching. There are no restrictive message limits in the chat for pro users, enabling more open-ended assistance.

  • Cascade (Agentic AI Flow): Windsurf’s standout feature is an AI “agent” called Cascade that can perform multi-step coding tasks autonomously (with your oversight). Cascade has deep codebase understanding and can chain together actions like searching the code, making edits, running tests, and even browsing documentation. This agentic workflow lets the AI handle complex tasks (planning, writing code, fixing errors) in a collaborative manner – you can watch each step and intervene as needed. Cascade is described as a “collaborative agent” rather than fully autonomous: it thinks a few steps ahead to help with tasks like code generation, refactoring, and project setup.

  • Command Palette & Inline Actions: Windsurf introduces natural-language commands (via a Command Mode triggered with a shortcut, for example Cmd+I) to perform actions like refactoring code or executing terminal commands by describing the intent in English. For instance, you can highlight code and say “optimise this function,” and the AI will apply the change. Similarly, terminal commands can be run by describing them (for example, “create a compressed archive of this directory”). These features help automate routine tasks and reduce the need to recall exact syntax.

  • “Supercomplete” and Tab-Jump: Beyond normal code completion, Windsurf’s Supercomplete attempts to anticipate your next action (such as creating related code or files). Tab to Jump predicts the next location in the code you might navigate to (for example, jumping to a function’s definition), making navigation faster.

  • Integrated Web Preview and Deployment: Especially for web development, Windsurf can display a live preview of a web application within the IDE and allow AI-driven modifications. You can click an element in the preview and have Cascade adjust its code on the fly. Windsurf even provides a one-click “Deploy” for web apps to a preview hosting service (for example, an app hosted at a windsurf.build URL), enabling quick iteration without leaving the IDE. This is aimed at streamlining the build/test/deploy cycle during development.

  • “Memories” and Project Awareness: The AI maintains context of important details about your codebase (called Memories), so it can recall key facts or decisions made during the session. For example, if you set certain project-specific rules or notes, Cascade will remember them to influence suggestions. Windsurf also supports Rules (guidelines like “follow our internal coding style” or architectural patterns) that the AI will adhere to.

  • Model Flexibility: Windsurf supports multiple AI model backends. It comes with its own AI models and can integrate with providers like OpenAI’s GPT-4 and Anthropic’s Claude for certain features. Advanced users or enterprises can select which model to use for completions or chat. First-class support for many major model providers is advertised. (Notably, Windsurf itself was in the process of being acquired by OpenAI in 2025, which suggests future integration with OpenAI’s ecosystem.)

  • VS Code Ecosystem: Since the Windsurf Editor is built on VS Code’s open-source core, it is compatible with many VS Code extensions and user settings. You can import your familiar settings, keybindings, and plugins, minimising friction in adoption. The editor’s core is regularly synced with upstream VS Code updates, including security patches, so it works as a secure, up-to-date code editor even aside from the AI features.

Windsurf has gained significant traction both with individual developers and enterprises. As of mid-2025 it has over 1 million users and thousands of organisations using it. It is positioned as a competitor to GitHub Copilot and similar tools, with an emphasis on more “autonomous” AI assistance and strong privacy options. Its blend of familiar IDE capabilities with AI “superpowers” has drawn interest from technology companies and even government agencies (for example, Windsurf is being marketed with a special focus on federal use cases as described below).

Privacy controls

Windsurf offers several settings and modes to help maintain privacy and control over data. At the core is Zero-Data Retention Mode, a privacy-focused option that you or your organisation can enable to ensure no code data is stored on Windsurf’s servers. In zero-retention mode, any code sent to the AI (for autocompletion, analysis, etc.) is processed temporarily in memory and never written to disk or database on the server side. This means once the AI has responded, the service does not retain your code or prompts. For enterprise and team plans, zero-data retention is on by default for all users. Individual users on the free/pro plan can opt in to zero retention manually via their profile settings. When enabled, Windsurf also guarantees that code submitted in requests will not be used to train any AI models, eliminating the risk of your proprietary code ending up in future AI training data. (Even without this mode, Windsurf has a policy of not training on non-permissively licensed open-source code – see compliance section.)

Beyond zero-retention mode, administrators have detailed controls to disable or enable certain features that might transmit data externally. For example, Windsurf’s AI can optionally use third-party large language models (LLMs) like OpenAI or Anthropic for enhanced results, but enterprise admins can disable the use of specific external model providers for their team if desired. Notably, Windsurf has contractual zero-data-retention agreements with its major AI partners (OpenAI, Anthropic, Google Vertex AI, etc.), meaning those providers should not store or train on code data that Windsurf sends to them. This helps reduce privacy concerns when using non-Windsurf models. Administrators can choose which models are permitted; team members will only see the allowed models in their IDE settings.

Another optional feature is the Web Search integration, which lets the AI search the internet (via Bing) for code examples or documentation. This feature is off by default for enterprise users and requires explicit opt-in by an admin because search queries could include snippets of your code. Windsurf notes that they do not have a zero-retention guarantee with Bing (Microsoft), so if enabled, there is some risk that query data could be logged by the search provider. Organisations concerned with strict privacy will typically leave this web search tool disabled unless needed.

You also have control over account data and personal information. Windsurf’s profile settings allow viewing and deleting any saved data. The service provides a self-serve account deletion option – you can delete your account via the profile page at any time. Upon deletion, personal data and any associated records are removed in line with the company’s data retention policy. This gives you assurance you can purge your data from the platform if you discontinue use.

Finally, Windsurf maintains an Acceptable Use Policy (AUP) covering prohibited behaviour (for example, disallowing use of the AI for generating malware or hate speech). If your input is flagged as violating the AUP, Windsurf may retain that input data even under zero-retention mode – this is done for the purpose of investigating abuse or improving the filters. Aside from such rare exceptions, Windsurf’s default behaviour in privacy mode is not to store user-provided code or prompts. Overall, these settings (zero-retention, feature toggles, account controls) allow organisations to configure the IDE in a way that meets stringent privacy requirements.

Terms of use and privacy policy

Windsurf is governed by a standard Terms of Service and a detailed Privacy Policy, both readily available on its website. The Terms of Service were last updated in June 2025. Notably, Windsurf provides separate terms for different user categories: there is a Terms of Service for Individual/Pro users and a distinct Terms for Teams/Enterprise plans. This distinction means that enterprise customers likely have supplementary provisions (for example, covering service levels, admin controls, and compliance commitments) in addition to the general terms.

Key points from the Terms of Service include: you retain ownership of any code you write or the AI generates to the extent permitted by law. Windsurf (Exafunction, Inc.) does not claim ownership of your code; it acts as a service provider. The terms require users to be at least 13 years old and to comply with all applicable laws when using the service. There are clauses addressing intellectual property and third-party code: Windsurf emphasises respect for software licences and states that it has taken steps to filter out code suggestions that match non-permissive licences (see compliance section). The Terms also limit liability and include standard clauses (there is an arbitration clause for dispute resolution in the individual terms).

Windsurf’s Privacy Policy (last updated June 9, 2025) describes how user data is collected, used, and protected. It covers both website visitors and users of the Windsurf application/IDE. The Privacy Policy outlines what Personal Information is collected (for example, account details like name, email; usage telemetry; cookies, etc.) and the purposes for which it’s used. For instance, basic telemetry such as IDE usage patterns or error logs may be collected to improve the service. Crucially for enterprise use, the policy clarifies scenarios where Windsurf acts as a data processor on behalf of a customer. If you use Windsurf through your employer or a team account, your organisation is the data controller and Windsurf will process code and data under that organisation’s directives. In such cases, the enterprise’s own privacy policies may apply to code handled via Windsurf, and Windsurf’s role is to safeguard it according to the contract with that customer.

The Privacy Policy also addresses data residency and international transfers. As the service is operated by a US-based company, data may be transferred to or processed in the United States or other countries where Windsurf or its subprocessors operate. For EU/UK users, this means personal data could leave the EEA, but Windsurf would presumably use appropriate legal mechanisms (standard contractual clauses, etc.) to legitimise such transfers. The policy affirms that personal data is kept only “as long as necessary” to fulfil services or as required by law and that they employ organisational and technical measures to protect data. These measures include encryption (discussed below), access controls, and routine security assessments.

For full details, the Windsurf Terms and Privacy documents are available on the official site: the Terms of Service can be found at windsurf.com/terms-of-service and the Privacy Policy at windsurf.com/privacy-policy. Both documents provide transparency into user rights (such as how to contact Windsurf about data, how to opt out or delete information) and the obligations of users and the company. Prospective government adopters would likely review these policies to ensure they align with public sector requirements (for example, GDPR compliance, data processing agreements, etc.). Windsurf has indicated willingness to sign supplemental agreements (like a HIPAA Business Associate Agreement for healthcare clients) to address specific legal needs.

Where your data goes

Server location and data residency

Windsurf offers multiple deployment options which impact where data is processed and stored. In the Standard cloud deployment, all AI requests are handled on servers managed by Windsurf in the United States. This would typically mean data is processed in US cloud data centres (the platform runs on Google Cloud Platform for its core infrastructure). For customers with data residency concerns, Windsurf provides region-specific environments. Notably, Windsurf has an EU cluster with servers located in Frankfurt, Germany. Enterprise customers in Europe (or UK government bodies concerned about EU/UK data location) can choose to have their AI inference and storage happen on the EU servers, keeping code data within European jurisdiction.

For US federal use, Windsurf has a FedRAMP High authorised environment: this deployment runs on AWS GovCloud (a segregated AWS region for US government) via Palantir’s FedStart programme. FedRAMP High implies a very high level of security controls and that the service is authorised for US federal agencies handling sensitive data (up to Controlled Unclassified Information). In that environment, servers are located in a US GovCloud region and comply with strict federal security standards. Windsurf’s government-focused marketing notes compliance not only with FedRAMP but also DoD Impact Level 5 and ITAR, meaning it can handle defence-related unclassified data and export-controlled data under proper controls.

Beyond cloud options, Windsurf offers an Enterprise Hybrid and Enterprise Self-Hosted model. In a hybrid deployment, some components (particularly any that store data) are placed within your environment (for example, a private cloud or on-premise server) while the heavy AI compute remains in Windsurf’s cloud. In this setup, code indices or logs reside on a server controlled by you (which could be in the UK or any chosen region), whereas AI model calls go out to Windsurf’s servers (in US or EU cloud, depending on choice). Communication between the customer-managed node and Windsurf’s cloud is done through a secure outbound tunnel (Cloudflare Tunnel) so that you do not need to open inbound ports. The Self-Hosted option goes further – it allows an organisation to deploy the entire Windsurf stack in its own private infrastructure (on-premises data centre or private cloud account). In a self-hosted deployment, all data processing (including AI model inference) happens within your network, and no code data ever leaves to Windsurf’s servers. The self-hosted package can integrate with your own AI model endpoint (for example, Azure OpenAI Service, AWS Bedrock, etc.), and no internet connectivity is required during normal operation (aside from optional updates). This is the optimal solution for agencies requiring strict on-premise data residency (for example, certain UK government departments could use this to keep all code and data within UK sovereign infrastructure). The trade-off is that the self-hosted tier may not support some of Windsurf’s latest features (the Windsurf Editor’s agent and other cloud-reliant capabilities) due to the complexity of deploying those at the customer end.

In summary, Windsurf can meet a range of data residency requirements: US (default), Europe (Frankfurt data centre for EU clients), US GovCloud (for US federal), and on-prem/private cloud (for maximum control). UK Government users would likely either use the EU deployment option (to keep data in Europe, aligning with GDPR and UK adequacy frameworks) or pursue a self-hosted/hybrid deployment within the UK if absolute sovereignty is required. It’s important to note that as of 2025, there is no dedicated UK data centre mentioned; however, the flexibility of hybrid/self-host means a UK data centre could be used by you in those modes. Windsurf’s team also invites organisations with special compliance needs to contact them, suggesting they are open to tailored arrangements.

Data protection in transit

Data in transit between the Windsurf client (IDE) and the backend servers is protected by encryption. All network communication from the IDE (or plugin) to Windsurf’s cloud is encrypted via TLS (Transport Layer Security). This includes code snippets, prompts, and AI responses moving over the internet. By using TLS (with modern versions/protocols), Windsurf ensures that data is not readable by third parties while in transit. This is a standard security measure, but critical for government use, as it protects against eavesdropping or man-in-the-middle attacks on sensitive code.

In enterprise scenarios, additional transit protections are available. As noted, the Hybrid deployment uses an outbound-only Cloudflare Tunnel for all communications. This means that from your network, the Windsurf component initiates an encrypted tunnel to Windsurf’s cloud, and all traffic flows within that tunnel. The tunnel is authenticated and end-to-end encrypted, which adds an extra layer beyond basic TLS and also avoids the need to punch holes in firewalls.

Within the cloud infrastructure, Windsurf likely also secures data flows. For example, if requests are routed to third-party model APIs (OpenAI, etc.), those connections are made over HTTPS/TLS as well. The Windsurf security documentation explicitly mentions using secure channels for any data leaving the platform toward subprocessors.

It’s worth noting that the Windsurf client–server protocol is designed such that only minimal necessary context is sent in each request, which indirectly reduces risk. The client breaks up the code context before sending (no entire files are transmitted in one go, unless required). For instance, for autocompletion, it might send the relevant few lines or an AST-based snippet rather than the whole file. This design means that even if transit encryption were somehow broken, an attacker would not easily obtain large contiguous sections of code from a single request. (Of course, repeated requests could be intercepted to rebuild data, but TLS makes that scenario extremely unlikely.)

In summary, data in transit is well-protected via industry-standard encryption. UK government standards (such as the Security Policy Framework) require protective measures for OFFICIAL information in transit; Windsurf’s use of TLS meets those requirements. Agencies would still need to ensure their developers use the IDE over trusted networks and possibly inspect the domains accessed. Windsurf provides a list of domains (for example, *.codeium.com, *.windsurf.com) that the client contacts so that organisations can whitelist them on corporate networks or monitor traffic accordingly.
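The domain allowlisting and traffic monitoring mentioned above can be checked mechanically. The following is an added example, not Windsurf’s own code or tooling: it reviews outbound proxy log lines for an IDE host against an allowlist and flags any destination outside it, as well as any connection negotiated below TLS 1.2. The allowlist patterns (*.codeium.com, *.windsurf.com) are the ones the guide cites; the log line format, the sample lines, the users and hosts in them, and the TLS 1.2 minimum are all constructed assumptions for this example. Note that the wildcard match is done on a label boundary, so a look-alike such as evil-windsurf.com is not accepted by “*.windsurf.com”.

```python
"""Egress review for an AI IDE host (added illustrative example, not vendor code).

Checks constructed proxy log lines against a domain allowlist and a minimum
TLS version, and returns the findings a network reviewer would want to see.
"""
import re
from dataclasses import dataclass

# Patterns the guide says the Windsurf client contacts; treat the vendor's
# published list as authoritative. "*.x" matches x and any subdomain of x.
ALLOWED_PATTERNS = ["*.codeium.com", "*.windsurf.com"]

# Minimum acceptable protocol version: an assumption for this example.
MIN_TLS = (1, 2)

# Constructed log format (not a real proxy format):
# <timestamp> <user> <dst_host>:<port> <tls_version|none> <bytes_out>
SAMPLE_LOG = """\
2025-06-23T09:00:01Z alice server.codeium.com:443 TLSv1.3 1820
2025-06-23T09:00:04Z alice api.windsurf.com:443 TLSv1.3 940
2025-06-23T09:01:10Z bob evil-windsurf.com:443 TLSv1.3 5120
2025-06-23T09:02:30Z bob windsurf.com.example.net:443 TLSv1.3 300
2025-06-23T09:03:00Z carol legacy.codeium.com:443 TLSv1.0 220
2025-06-23T09:04:15Z carol pastebin.example:443 TLSv1.2 88000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<tls>TLSv\d\.\d|none) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    host: str
    reason: str


def host_allowed(host, patterns=ALLOWED_PATTERNS):
    """True if host is covered by an allowlist pattern.

    Wildcards match only on a label boundary: "evil-windsurf.com" and
    "windsurf.com.example.net" are both rejected by "*.windsurf.com".
    """
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            apex = pat[2:]
            if host == apex or host.endswith("." + apex):
                return True
        elif host == pat:
            return True
    return False


def tls_version(token):
    """Return (major, minor) for a token like 'TLSv1.3', or None if no TLS."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", token)
    return (int(m.group(1)), int(m.group(2))) if m else None


def review_log(text, patterns=ALLOWED_PATTERNS):
    """Return one Finding per policy violation, in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding(n, "?", "?", "unparseable log line"))
            continue
        user, host = m["user"], m["host"]
        if not host_allowed(host, patterns):
            findings.append(Finding(n, user, host, "destination not in allowlist"))
        ver = tls_version(m["tls"])
        if ver is None or ver < MIN_TLS:
            findings.append(Finding(n, user, host, f"TLS below 1.2 ({m['tls']})"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} -> {f.host}: {f.reason}")
```

On the sample above the reviewer sees four findings: two look-alike hosts and an unexpected paste site for the allowlist rule, and one legacy endpoint for the TLS rule. The same structure extends naturally to a real proxy export; only LINE_RE and the allowlist would change.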

Data protection at rest

Data at rest refers to data stored on disk/databases either on Windsurf’s side or your side. Windsurf’s philosophy (with zero-retention mode) is to minimise any storage of code data on their servers. In the default enterprise configuration, no code snippets or conversation content are retained on Windsurf’s cloud storage. The only data that might be stored in Windsurf’s cloud in that scenario are usage analytics and metadata. For example, Windsurf does log some usage metrics (like counts of requests, feature usage, etc.) to BigQuery on GCP, but these logs do not include the actual code sent or generated – only non-sensitive metadata. This is used for analytics and service improvement. If an enterprise user has zero-retention on, their code will not appear in any stored logs or datasets on Windsurf’s side.

When certain features are enabled that do require storing code-derived data, Windsurf handles those carefully. For instance, Remote Codebase Indexing (allowing AI to index a repository for better suggestions) will store an index of the code. If an enterprise enables this on the cloud deployment, Windsurf’s servers will hold an embedding index that contains representations of the code. Windsurf clarifies that when they do store such information, it is securely encrypted at rest on their infrastructure. This means any database or storage containing code indices or cached data is encrypted (likely using cloud provider encryption keys or Windsurf’s own keys). In a Hybrid deployment, the remote index would reside on the customer-managed component, so it would be under your control (and typically within your network/storage, for example, an EC2 volume or on-prem disk). That effectively keeps code index data at rest on premises. Windsurf highlights that this is a major advantage of the hybrid approach: you can get personalisation features like code indexing or “memories” without any snippets being retained on Windsurf’s cloud.

For data that Windsurf does store in the cloud (for example, user account information, preferences, team settings), industry-standard protections are in place. The security page indicates all stored sensitive data is encrypted at rest. We can infer that includes personal information and possibly tokens or credentials (for example, if you connect a GitHub repository for indexing, the read token provided is likely stored encrypted).

Retention differences by plan: On the Individual (free/pro) plan, if you have not enabled zero-retention, Windsurf may store some request logs that include code fragments and AI outputs, primarily to improve the service or for troubleshooting. These could be retained for a period (the exact retention duration isn’t specified publicly, but likely for a few weeks or months for analysis). Enterprise and Team plans, however, default to no such retention – they value privacy over gathering extra data, unless the enterprise explicitly opts into it for a feature.

One exception to mention is if inputs or outputs are flagged for abuse (violating the Acceptable Use Policy). In such cases, Windsurf may retain that data even if retention is off, as part of enforcement. This would be a rare event and for security/legal purposes.

Data stored on the client side: Windsurf, being an IDE, also stores some data on your machine. For example, local indexing (for code context) stores an index on your disk for quick reference. Also, any AI-generated changes or chat transcripts are visible in the IDE and could be saved in project files or history. These are within your IT boundary (your computer), so standard endpoint security would apply (disk encryption, etc., as per your agency’s policy).

In summary, when using Windsurf with privacy features enabled, very little code data rests on Windsurf’s servers long-term. If your organisation enables additional features that involve storage, you can choose a hybrid/self-hosted mode to ensure that data “at rest” remains on UK soil or under your control. Windsurf’s internal policies, such as encrypting data at rest on GCP and not retaining data unnecessarily, complement these choices. UK government adopters should verify contractual terms around data handling – likely through a Data Processing Agreement – to ensure any data at rest in cloud aligns with government rules (for OFFICIAL data, UK guidance typically requires assured encryption and, if the data is held outside the UK, perhaps an assessment under UK GDPR for adequacy). Windsurf’s EU hosting option and encryption practices would be points in its favour here.

Data retention

Windsurf’s approach to data retention is unusually strict for a cloud service, due to the zero-data retention mode described earlier. By default, enterprise users’ code data is not retained at all on the service: once an AI request is processed and the result delivered, the code snippet or prompt is not stored on disk/database by Windsurf. This zero-retention stance is a key promise to enterprise customers, including those in regulated industries – Windsurf cites it as a reason Fortune 500 companies and highly regulated firms trust the platform.

For individual users who do not opt into zero-retention, Windsurf might keep certain logs. The exact retention period for those logs isn’t publicly specified, but presumably they are kept only as long as needed to improve models or monitor the service. The Privacy Policy notes that personal data is kept as long as necessary for the purposes collected, which implies code logs (if collected) are not stored indefinitely. Furthermore, Windsurf explicitly states any code data from zero-retention users will never be used to train models, and by extension, code from users who haven’t enabled zero-retention is also not used to train external models without permission (the exception being that Windsurf runs its own models and may improve them, but they have taken care to sanitise training data as discussed in compliance).

One feature that involves retention is “Memories” – the AI’s recall of conversation context or important notes. For zero-retention users, this memory exists only in the running session (and temporary cache) and is not persisted between sessions on the server. However, Windsurf’s enterprise offering allows an opt-in memory (or “organisational best practices”) feature which, if enabled, would store some data (like resolved Q&A pairs or tips) to benefit the organisation. Such data retention features are off unless explicitly enabled, and if enabled on hybrid deployment, that data stays in your environment.

Windsurf’s security page also mentions prompt caching: code data may reside in cache for a short duration (minutes to hours) to optimise performance. This cache is temporary and likely in-memory or in encrypted form, and it expires. This doesn’t constitute long-term retention but is noted for completeness.

Regarding account data: user account information (name, email, etc.) is retained while the account is active and deleted upon account deletion. Windsurf provides the ability for you to delete your account, which will purge personal data and any associated stored content as per the Privacy Policy. The Privacy Policy also likely outlines retention of certain records for legal compliance (for example, billing records or support communications might be retained for a period as required by law). There is no indication of dark-pattern data retention; on the contrary, Windsurf appears to lean toward minimal retention especially for code.

In conclusion, Windsurf’s data retention policy is highly accommodating for security-conscious users: by default nothing is kept, and any retention of code (for additional features) is opt-in and can be isolated. This approach aligns well with UK government data minimisation principles. It means that if you use Windsurf to write code, the government agency can be confident that Windsurf is not storing that code beyond the immediate need. Agencies should still get written assurances of this policy in any contract (perhaps via a Data Processing Agreement or the service contract) and confirm whether any metadata (like telemetry) that is retained could contain sensitive information. Based on documentation, telemetry does not include source code, and any stored snippets (if retention were on) are encrypted and discarded by default after processing.

Audit logs

For organisations that require oversight of AI-assisted changes (which is often the case in regulated environments), Windsurf provides audit logging features in its enterprise editions. In particular, when using the Enterprise Hybrid or Self-Hosted deployments, Windsurf can record a log of AI suggestions and interactions. According to Windsurf, in these modes “every accepted autocomplete suggestion and every chat conversation is logged to a database” for audit purposes. This means that if you accept an AI-generated code completion or use the AI chat to produce code, there will be a record of exactly what the AI provided. Such audit logs allow an organisation to later review AI contributions to the codebase, which is crucial for traceability (for example, to ensure no intellectual property violations, or to investigate issues introduced by AI code).

Importantly, the audit logs do not get stored on Windsurf’s cloud servers – they are kept entirely within your environment in hybrid or self-hosted deployments. For Hybrid, the logging database resides on the customer-managed component (which could be a server in your cloud or data centre). For Self-Hosted, it would naturally be within the deployed instance. This design ensures that even though detailed logs exist, they remain under your control, aligning with zero-retention principles on Windsurf’s side. Windsurf confirms that even with audit logging and attribution logging turned on, they maintain “zero data retention of code snippets or code-derived data” in Windsurf’s own cloud – all that sensitive log data stays within the customer-controlled part of the system.

The audit logs likely include timestamps, the content of suggestions, which file it was for, and which user accepted them. They may also log when an AI chat was invoked and its responses. This can be invaluable for compliance audits or just internal review, especially if questions arise like “Who wrote this piece of code? Was it human or AI?”.

In addition to audit logs, Windsurf offers Attribution logs in the same enterprise deployments. The attribution logging will record any snippets of generated code that closely matched known open-source code (even permissively licensed). This allows compliance officers to review if any generated code might inadvertently include external copyrighted content. These attribution logs, like audit logs, are stored locally in the enterprise’s environment.

From a UK government perspective, the availability of audit logs means Windsurf can be used in environments that require strict change control and traceability (for example, some government software projects need to demonstrate who authored each change and whether proper code review was done). With Windsurf, even though an AI might help in coding, the agency can maintain a record of that assistance. It’s comparable to having logs for decisions an AI suggested – useful for accountability. Government security standards often call for audit logging of system actions; Windsurf’s feature addresses that for the AI agent’s actions.

One should note that audit logging is currently tied to the non-Cloud (hybrid/self-host) deployments. Pure cloud (SaaS) customers may not get this detailed logging by default, because Windsurf does not store the data needed to provide it. However, an enterprise could choose a hybrid deployment specifically to gain logging while still using Windsurf’s cloud for compute. Windsurf’s documentation indicates the hybrid model is popular to strike this balance.

Access controls

Windsurf supports several access control mechanisms to ensure that only authorised users can use the tool and that organisations can manage who does what.

User Authentication: Windsurf uses account-based access – each user has to log in (using email/password or SSO) to access the AI features of the IDE. For enterprise teams, Windsurf supports Single Sign-On (SSO) integration via SAML, including compatibility with providers like Microsoft Entra ID (Azure AD), Okta, Google Workspace, etc. This allows government organisations to tie Windsurf access to their existing identity management and enforce policies like multi-factor authentication and conditional access. In fact, Windsurf’s enterprise setup guide suggests configuring SSO (and even SCIM for user provisioning) so that adding/removing users is handled through your identity provider. SSO can typically be coupled with two-factor authentication as per your policies (Windsurf notes integration with Duo and PingID, which implies support for MFA solutions in the SSO flow).

Team Management: In a team or enterprise account, there are admin roles that can manage the team’s settings. An admin can invite or remove members, assign roles, and configure settings via a management dashboard. Windsurf allows creating User Groups within an enterprise team. Groups can be used, for example, to segment users by project or department. Each group can have its own administrator and you can view analytics per group, which is useful in larger organisations to delegate oversight. Group admins can’t change global settings but can monitor usage for their teams. This hierarchical control aligns with how government projects often segregate access.

Model and Feature Access Controls: As mentioned under Privacy controls, an enterprise admin can control which AI models are available to their users. For instance, an admin might disable GPT-4 and allow only Windsurf's internal model and Anthropic, or vice versa, depending on trust and cost considerations. They can also enable or disable features such as the web search tool or experimental functions. These controls mean individual developers cannot unilaterally route prompts and code to a model provider the organisation has disallowed. All such settings are found in the Team Settings panel, where admins can "Select and approve models, configure MCP servers, SSO, service keys, role management, and more". One practical point: MCP servers are an additional data-egress path (the agent can call out to them with code context), so an organisation that restricts model providers should apply the same approval discipline to the MCP servers it permits.

Permissions within the IDE: Windsurf (being based on VS Code) inherits VS Code's extension and task model, so extension and workspace trust settings apply as they would in VS Code. Within that, the AI agent Cascade is designed to operate inside explicit approval boundaries. Cascade can suggest terminal commands, but it requires you to confirm each suggested command before it runs. Auto-execution ("Turbo Mode") is not offered on the Teams or Enterprise tiers at all, so for enterprise users no terminal command will ever auto-execute. This is a deliberate safety measure: it reduces the risk of accidental or unwanted code execution, though the confirmed command still runs with the developer's own local privileges, so the control is only as strong as the reviewer's scrutiny of what they approve. Similarly, code changes made by Cascade are not automatically saved or committed to version control without your review; they appear in the editor for you to inspect and accept, so you remain in control of the codebase. In effect, even though the AI can edit files, it operates in a "draft" mode pending human approval. This addresses the concern raised above: the IDE/AI will not commit to Git repositories on its own. You still use your standard Git workflow to stage and commit changes, which gives the usual opportunity for code review of AI contributions.

External Access: Windsurf does not expose your code to other users; each account's data and sessions are isolated. There is no cloud sharing of code (Windsurf does not provide an online repository service and no sharing feature is documented). For enterprise, all users sit under the organisation's account, and an admin can remove a user to revoke their access to the AI service. With SSO and SCIM, when an employee leaves, access can be revoked centrally through the identity provider.

API Keys and Integration: For those integrating Windsurf into CI pipelines or other tools, service keys can be generated (the Teams settings mention "service keys"). These likely allow headless use of the AI, although the documentation is sparse here. If so, those keys are long-lived credentials and should be treated as secrets: issued per integration, stored in a secrets manager rather than in repositories or pipeline definitions, and rotated or revoked by admins when an integration is retired.

Physical and Personnel Access: As part of access control in a broader sense, Windsurf (Exafunction) has company-level measures too. Its SOC 2 and FedRAMP status means it maintains controls such as background checks for staff and role-based access to production systems. These are not described in detail on the site, but they can be inferred from the attestations (the SOC 2 Trust Services Criteria include logical and physical access controls). The Security page mentions company MDM on all employee devices and a zero-trust VPN for internal access, which indicates a mature stance on restricting who can reach customer data internally.

In summary, Windsurf provides the mechanisms needed for an enterprise to manage access to the tool consistent with their policies. SSO integration means government users can use existing identity frameworks (for example, a department’s Azure AD) to manage who uses Windsurf. The product’s design keeps you in control of changes (no surprise automated commits or actions), which reduces risk. Admins have oversight of settings and can enforce restrictions on AI usage as needed. This combination of identity management, admin controls, and AI-specific safety switches makes Windsurf align with typical government IT access control requirements.

Compliance and regulation

Windsurf (Exafunction, Inc.) has taken steps to comply with common security and privacy standards, which is crucial for government adoption. Below is a summary of the relevant compliance credentials and practices:

  • SOC 2 Type II: Windsurf has a SOC 2 Type II attestation. Strictly, SOC 2 is an independent auditor's report rather than a certification; a Type II report attests that Windsurf's controls for security, availability and confidentiality operated effectively over a period of time. A SOC 2 report is often required by enterprise customers; Windsurf makes it available under NDA via its Trust Centre. UK government architects will recognise SOC 2 as a widely used standard for cloud service security (not a UK-specific one, but it indicates strong internal controls).

  • FedRAMP High Authorisation: Windsurf has achieved FedRAMP High authorisation. FedRAMP is the US federal government's cloud security programme; "High" is the highest baseline, typically required for sensitive data types (such as law enforcement or health data). This is significant because it involves assessment of Windsurf's security controls by an accredited third-party assessment organisation and review by the US government before authorisation is granted. FedRAMP includes areas such as continuous monitoring, incident response and vulnerability management. For non-US customers, FedRAMP High is still an indicator of a robust security posture. There is, however, no formal equivalence between FedRAMP baselines and UK government classifications: OFFICIAL-SENSITIVE is a handling caveat within OFFICIAL, and whether Windsurf is suitable for a given OFFICIAL workload is a judgement for the UK department's own risk owner, informed by (not settled by) the FedRAMP High and DoD IL5 status.

  • DoD IL5 and ITAR Compliance: On the Government page, Windsurf claims compliance with Department of Defense Impact Level 5 and ITAR. IL5 means the system can handle Controlled Unclassified Information that requires a higher level of protection than IL4, including mission-critical and National Security Systems information. IL5 is usually achieved by layering the DoD FedRAMP+ control requirements on top of a FedRAMP High authorisation, typically in a US-only cloud region. ITAR compliance means Windsurf has controls to handle defence-related technical data that must not be exposed to foreign nationals; this likely involves restricting handling of such data to US persons within the FedRAMP environment and maintaining the corresponding access logs and export control policies. For a UK audience, ITAR compliance is relevant only if any of your code is itself subject to US export controls. UK government data would not be ITAR data, but the claim shows Windsurf has experience segregating and protecting regulated data.

  • HIPAA: Windsurf's platform is maintained as HIPAA compliant for handling Protected Health Information in the US. They note that source code is typically not PHI, but for healthcare software clients they will sign a Business Associate Agreement. HIPAA compliance implies strong data protection and privacy controls. For UK health bodies (the NHS or healthcare agencies) it is a positive indicator, but HIPAA is a US regime and does not map directly onto UK GDPR, the Data Protection Act 2018 or the NHS Data Security and Protection Toolkit, so it should be read as supporting evidence rather than as proof of UK compliance.

  • Data Protection (GDPR etc.): Although not explicitly stated on the site, Windsurf's Privacy Policy and practices indicate compliance with major data protection laws. They reference US state privacy laws and provide a California privacy notice. For GDPR (and UK GDPR), Exafunction would be a data processor for customer code data and a controller for account data. They likely offer Data Processing Agreements on contract, including EU Standard Contractual Clauses for EU transfers; for UK transfers the equivalent mechanism is the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, and a UK customer should confirm which is offered. The availability of an EU hosting option (Frankfurt) also supports GDPR compliance by keeping personal data in Europe. A UK government body would still conduct its own DPIA (Data Protection Impact Assessment), but nothing in Windsurf's described practices appears incompatible with UK data protection requirements. The company provides contact details for privacy enquiries and supports data deletion, which covers the main data subject rights aspects.

  • Indemnity and IP Compliance: Recognising concerns about AI coding tools introducing licensed code, Windsurf has implemented technical measures to avoid copyright issues (as noted under Attribution in the audit logs section). Moreover, they mention offering indemnity clauses for enterprises. This likely means in enterprise agreements, they are willing to indemnify (protect) you against legal claims arising from the AI’s outputs (for example, if a snippet slipped through that infringed copyright). Such indemnification is a key requirement in many government contracts to reduce third-party IP risk.

  • Vulnerability Disclosure and Testing: Windsurf invites security researchers to report any vulnerabilities (via a dedicated email) and commits to addressing them promptly. They conduct annual third-party penetration tests (last noted was Feb 13, 2025). This shows an active stance on security best practices. For government, it means the product is being continuously evaluated for weaknesses. The quick adoption of VS Code security patches is also noteworthy for compliance with secure development practices.

  • Open-Source Licence Compliance: While not a formal certification, it is relevant that Windsurf addresses open-source licence compliance directly. They filter out non-permissively licensed open-source code from training data and from generated suggestions. This proactive measure reduces legal risk and would be looked on favourably by public sector lawyers concerned with intellectual property.

In summary, Windsurf checks many boxes for enterprise security compliance: SOC 2 Type II for general controls, FedRAMP High (which builds on the NIST SP 800-53 High baseline) for rigorous cloud security, and special considerations for health data and defence data. UK government policy-makers will likely map these to UK frameworks such as the NHS DSP Toolkit, Cyber Essentials or ISO 27001. We did not see an ISO 27001 certification mentioned, but the control sets overlap significantly with SOC 2 and FedRAMP. Exafunction's funding and the reported agreement for OpenAI to acquire it (see the Reuters reference) also suggest it will continue to invest in compliance. For any deployment, UK authorities would still put a proper contract with data protection terms in place and would normally have their own cyber security team assess the tool, but based on the available information Windsurf IDE appears to adhere to security and privacy standards suitable for consideration for government use.

What to do next

  1. Review Windsurf’s Terms of Service and Privacy Policy with your legal team
  2. Decide if US data processing (standard cloud) or EU processing (Frankfurt cluster) meets your requirements
  3. Consider whether hybrid or self-hosted deployment is needed for data sovereignty
  4. Assess if the audit logging capabilities (hybrid/self-hosted only) meet your compliance needs
  5. Evaluate the zero-data retention mode for your security requirements
  6. Contact Windsurf for enterprise discussions if considering adoption

References

  • Exafunction (Windsurf) – Security Overview, Windsurf Documentation (Mar 11, 2025)
  • Exafunction (Windsurf) – Windsurf Editor Product Page, Windsurf Website
  • Exafunction (Windsurf) – Windsurf for Government, Windsurf Website (enterprise/government page)
  • Exafunction (Windsurf) – Terms of Service (Individual & Pro, June 9, 2025)
  • Exafunction (Windsurf) – Privacy Policy (June 9, 2025)
  • Exafunction (Windsurf) – Getting Started with Teams/Enterprise, Windsurf Docs
  • Exafunction (Windsurf) – Windsurf Editor Features, Windsurf Website
  • Exafunction (Windsurf) – Cascade and Agentic AI, Windsurf Website
  • Exafunction (Windsurf) – Attribution & Compliance details, Windsurf Security page
  • Exafunction (Windsurf) – Audit Logging details, Windsurf Security page
  • Reuters – “OpenAI agrees to buy Windsurf for about $3 billion”, Reuters Technology News
  • Dev Community (M. Amachree) – User review: Windsurf features and privacy (Nov 2024, updated May 2025) (Factual details on features & policies)
  • Windsurf Official Blog – Windsurf for Enterprise and Compliance (examples from case studies and announcements) (HIPAA, indemnity information)