Data Processing Addendum

This Data Processing Addendum ("DPA") governs Anysphere, Inc.'s ("Anysphere" or "Vendor") processing of Personal Data provided by Customer through the Service, in accordance with the Master Services Agreement between Anysphere and Customer ("Agreement"). This DPA sets forth Customer's instructions for the processing of Personal Data and the rights and obligations of both Parties. Except as set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.

1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.

   1. "Controller to Processor Clauses" means: (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) ("EU SCCs"); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner ("UK Addendum"), in each case as amended, updated or replaced from time to time.

   2. "EU/UK Privacy Laws" means: (a) the General Data Protection Regulation 2016/679 (the "GDPR"); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the "UK GDPR"), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

   3. "Personal Data" means any information Vendor processes on behalf of Customer to provide the Service that is defined as "personal data" or "personal information" under any Privacy Laws.

   4. "Privacy Laws" means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

   5. "Processor to Processor Clauses" means: (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

   6. "Third Country" means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.

   7. "US Privacy Laws" means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and any similar law of any state which relates to data protection, privacy or the use of Personal Data.

2. Amendments. The Parties agree to negotiate in good faith modifications to this DPA if changes are required for Vendor to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws. Vendor reserves the right to update this DPA as necessary to comply with Privacy Laws or evolving legal requirements, provided that any such updates do not materially diminish Customer's rights or materially increase Customer's obligations under this DPA. Vendor shall notify Customer of any such updates in writing at least thirty (30) days prior to their effective date, unless a shorter notice period is required by law.

3. Roles of the Parties. The Parties acknowledge that for purposes of Privacy Laws, Customer is the "service recipient," "controller," "business," or any similar term provided under Privacy Laws, and Vendor is the "service provider," "processor," "contractor," or any similar term provided under Privacy Laws.

4. Details of Processing. The Parties agree that the details of processing are as described in Annex 1 attached hereto.

5. Customer Obligations. Customer shall comply with all Privacy Laws in providing Personal Data to Vendor in connection with the Service. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent Vendor from fulfilling the instructions received from Customer and performing Vendor's obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to Vendor and enabling Vendor to process the Personal Data as set out in this DPA. Customer shall notify Vendor without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Vendor shall not be required to continue processing such Personal Data.

6. Processing of Personal Data.

   1. Customer retains ownership of all Personal Data processed under this DPA.

   2. Vendor shall only process Personal Data (i) to perform the Service as further described in Annex 1, and in accordance with and for the purposes set out in the documented instructions from Customer from time to time, (ii) for compliance with legal obligations applicable to Vendor; and (iii) as otherwise instructed by Customer in writing.

   3. Vendor shall notify Customer without undue delay if it makes a determination that it can no longer meet its obligations under applicable Privacy Laws or cannot comply with any instruction from Customer with respect to the use of Personal Data;

   4. to the extent required by Privacy Laws, and upon reasonable written notice that Customer reasonably believes Vendor is using Personal Data in violation of Privacy Laws or this DPA, Vendor shall grant Customer the right to take reasonable and appropriate steps to help ensure that Vendor uses the Personal Data in a manner consistent with Customer's obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and

   5. Vendor shall require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data in accordance with the provisions of this Agreement.

7. Prohibitions. To the extent required by applicable Privacy Laws, Vendor is prohibited from:

   1. selling the Personal Data, except in deidentified, aggregated or anonymized form;

   2. sharing the Personal Data for cross-context behavioral advertising purposes, except in deidentified, aggregated or anonymized form;

   3. retaining, using, or disclosing the Personal Data for any purpose other than (i) for the specific purpose of performing the Service, (ii) to develop, improve, or enhance the Service through the use of deidentified, aggregated or anonymized data, or (iii) as otherwise permitted under Privacy Laws;

   4. retaining, using, or disclosing the Personal Data outside of the direct business relationship between Vendor and Customer, except as described above; and

   5. combining the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Vendor's separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to perform a business purpose or as otherwise permitted by Privacy Laws.

8. Use of Subcontractors. To the extent Vendor engages any subcontractors to process Personal Data on its behalf:

   1. Customer hereby grants Vendor general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 8.

   2. If Vendor appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with thirty (30) business days' prior written notice by posting updates at cursor.com/security during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor's compliance with Privacy Laws (and if Customer does not so object, Vendor may proceed with the appointment or replacement). In urgent circumstances requiring immediate subprocessor changes (e.g., security incidents, service disruptions), Vendor may proceed with changes and provide notice within ten (10) business days thereafter. If Customer objects to the appointment or replacement of a subcontractor as described herein, Vendor shall use commercially reasonable efforts to address Customer's concerns, which may include proposing a different subcontractor or implementing additional safeguards to mitigate the identified risks. If the Parties are unable to resolve the objection within thirty (30) days of Customer's written notice of objection, Customer may terminate the affected portion of the Service upon written notice to Vendor. In the event of such termination, Vendor shall provide Customer with a pro-rated refund of any prepaid fees for the remaining unused portion of the terminated Service.

   3. Vendor shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which bind them to at least the same level of data protection provided in this DPA. Vendor shall be liable to Customer for performance of such subcontractors' failure to fulfill their respective obligations.

9. Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, Vendor shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in:

   1. responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;

   2. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;

   3. notifying relevant competent authorities and/or affected individuals of Personal Data breaches;

   4. conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and

   5. entering into this DPA.

10. Security Measures. Vendor shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement, and ensure that its authorized personnel comply with, appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Vendor from time to time. Vendor will not materially decrease the overall security of the services during the duration of processing. To the extent required by Privacy Laws, Vendor shall without undue delay, and in any event within forty-eight (48) hours, notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.

11. Access and Audits. Upon reasonable request of Customer, Vendor shall make available to Customer such information in its possession as is reasonably necessary to demonstrate Vendor's compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by Vendor, at Customer's sole expense unless a material violation is discovered. Customer shall be permitted to conduct such an assessment no more than once every twelve (12) months, upon thirty (30) days' advance written notice to Vendor, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. Furthermore, Customer may conduct an additional audit if there are reasonable concerns about Vendor's data protection compliance following a personal data breach or request from a regulator or data protection authority. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, Vendor may arrange for a qualified and independent auditor to conduct, at Vendor's expense, an assessment of Vendor's policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall Vendor be required to give Customer access to information, facilities or systems to the extent doing so would cause Vendor to be in violation of confidentiality obligations owed to other customers or its legal obligations.

12. Deletion of Personal Data. At Customer's written direction, Vendor shall delete or return all Personal Data to Customer as requested at the end of the provision of the Service, within thirty (30) days of such request, unless retention of the Personal Data is required by law, and upon request shall provide written certification thereof.

13. Data Transfers. To the extent Vendor processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Vendor shall comply with the data importer's obligations and Customer shall comply with the data exporter's obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:

    1. for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, Customer is a controller and Vendor is a processor, and the parties, contact person's details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement, and the signature(s) (in any form) given in connection with the execution of this Agreement by a party and the dates of such signature(s) shall apply as the dated signature required from that party;

    2. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 13. In the event of any conflict or ambiguity between this DPA and the SCCs, the SCCs will control;

    3. for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organizational security measures, and the technical and organizational measures taken by Vendor to assist Customer, as each are set out in Annex 3, shall apply; and

    4. if applicable, for the purposes of Annex III or Part 1 (as relevant) of such Controller to Processor Clauses, the list of authorized sub-contractors set out in Schedule 4 (Authorized Sub-contractors) shall apply; and

    5. if applicable, for the purposes of: (i) Clause 9, Option 2 ("General written authorization") is deemed to be selected and the notice period specified in Section 8 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the Ireland Data Protection Commission; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be The Republic of Ireland; (vi) Part 1, Vendor as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.

Additionally, Vendor may rely on an adequacy decision, the EU-US Data Privacy Framework, derogations for specific situations under Privacy Laws, or any other lawful mechanism for data transfers to ensure compliance with Privacy Laws.

Any disputes regarding cross-border transfers or compliance with applicable Privacy Laws related to such transfers shall be resolved in accordance with the governing law and jurisdiction specified in the Agreement.

Customer acknowledges and agrees that Vendor may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Vendor shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

ANNEX 1

1. Nature of the processing

• Access, use, disclosure, storage, deletion and/ or other processing of Personal Data by Vendor in connection with providing Vendor's Service to Customer as set out in the Agreement.

2. Purpose(s) of the processing

• Providing the Service by Vendor to Customer as set out in the Agreement.

3. Categories of individuals whose Personal Data is processed

• Employees, contractors, and personnel of Customer.

4. Categories of Personal Data processed

• Data relating to individuals collected by Vendor on Customer's behalf or otherwise provided to Vendor by Customer.

5. Types of Personal Data subject to the processing that are considered "sensitive" or "special category" under Privacy Laws

• Customer, and/or its personnel shall not provide any sensitive or special category data under this Agreement, and Vendor is not liable for processing sensitive data provided by Customer. Vendor does not intentionally collect or Process any special categories of Personal Data.

6. Frequency (e.g. one-off or continuous) and duration of the processing

• Relevant Personal Data is processed on a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement.

7. The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 8

• As set out in this Annex 1 and in Annex 2.

ANNEX 2

Vendor's list of authorized subprocessors is maintained and updated at trust.cursor.com.

ANNEX 3

This Annex 3 sets forth technical and organizational security measures implemented by Anysphere, Inc. ("Anysphere") under the Data Processing Agreement ("DPA"). Anysphere is SOC 2 Type II certified, and you may obtain a copy of our certification via our Trust Center, trust.cursor.com ("Trust Center"). Additionally, Anysphere's security practices are further described on our security page, available at cursor.com/security. Anysphere's technical and organization security measures include:

1. Access Controls: Access to personal data is restricted to authorized personnel only, with role-based access controls and strong authentication mechanisms such as multi-factor authentication to help secure access.

2. Employee Training and Awareness: Employees undergo regular training on data protection, privacy, and security best practices.

3. Data Encryption: Anysphere employs industry-standard encryption protocols to ensure that personal data is encrypted at rest and in transit. Encryption keys are managed securely and are regularly rotated.

4. Infrastructure Security: Anysphere's infrastructure framework and security protocols are described in our Trust Center.

5. Network Security: Network security is maintained through the deployment of firewalls, intrusion detection, and prevention systems, and regular vulnerability assessments and penetration testing are conducted. You may request a copy of our Penetration Test Report through our Trust Center.

6. Application Security: Secure software development practices, including code reviews and security testing, are followed, and web application firewalls are used to protect against common web exploits.

7. Privacy Mode Protection: Privacy Mode is enabled by default for all business or enterprise Customers who enter into a Master Services Agreement. With Privacy Mode enabled, zero data retention is enforced, ensuring that none of your code is ever stored or used for training by Anysphere or any third party. Even if you use your own API key, requests will still go through Anysphere's backend for final prompt building. If codebase indexing is enabled, codebase chunks are uploaded to Anysphere's server to compute embeddings; however, all plaintext code ceases to exist after the life of the request. Embeddings and metadata about your codebase (hashes, file names) may be stored, but none of your plaintext code is stored.

8. Data Backup and Recovery: Regular backups of personal data are performed and stored securely, with disaster recovery and business continuity plans in place and tested periodically.

9. Data Center Security: Data centers are protected by physical security controls, including access controls, surveillance systems, and security personnel. Access to data centers is restricted to authorized personnel only.

10. Office Security: Office premises are secured with access controls, alarm systems, and surveillance cameras, and visitors are required to sign in and are escorted by authorized personnel.

11. Security Monitoring: Anysphere conducts continuous monitoring of systems and networks to detect and respond to security incidents. Security information and event management systems are used to correlate and analyze security events.

12. Incident Response: An incident response plan is in place to handle security incidents promptly and effectively, and data breach notification procedures comply with applicable laws and regulations.

13. Privacy by Design: Data protection principles are integrated into the design and development of systems and processes through the implementation of Privacy by Design. Regular privacy impact assessments are conducted to identify and mitigate risks.

14. Data Minimization: Personal data collection and processing are limited to what is necessary for the specified purposes, and data anonymization and pseudonymization techniques are used where appropriate.

15. Continuous Monitoring and Improvement: Anysphere continuously monitors its data privacy and security policies, implementing improvements and updates as needed to ensure the highest level of protection for our users' data. We strive to stay at the forefront of industry best practices and evolving legal requirements to maintain the trust and confidence of our clients.

By implementing these measures, Anysphere is dedicated to upholding high standards of data privacy and security, enabling our users to benefit from the Service.