Implement Windsurf PII handling, data retention, and GDPR/CCPA compliance patterns.
Use when handling sensitive data, implementing data redaction, configuring retention policies,
or ensuring compliance with privacy regulations for Windsurf integrations.
Trigger with phrases like "windsurf data", "windsurf PII",
"windsurf GDPR", "windsurf data retention", "windsurf privacy", "windsurf CCPA".
Control what code and data Windsurf's AI (Cascade, Supercomplete) can access. Covers file exclusion patterns, telemetry controls, Codeium's data processing model, and compliance configuration for regulated environments.
Prerequisites
Windsurf IDE installed
Understanding of Codeium's data processing model
Identified sensitive files and directories in workspace
Instructions
Step 1: Understand Codeium's Data Model
# What happens with your code in Windsurf
data_flow:
indexed_locally:
what: "File contents, structure, dependencies"
where: "Local machine only"
purpose: "Supercomplete context, Cascade awareness"
retention: "Persists until re-indexed"
sent_to_cloud:
what: "Cascade prompts, code snippets around cursor"
where: "Codeium cloud (or self-hosted for Enterprise)"
purpose: "AI model inference"
retention: "Zero-data retention for ALL paid plans"
never_processed:
what: "Files in .codeiumignore, .gitignore, node_modules"
where: "N/A"
purpose: "N/A"
compliance:
certifications: ["SOC 2 Type II", "FedRAMP High"]
hipaa: "BAA available for Enterprise customers"
data_retention: "Zero for paid plans, configurable for Enterprise"
deployment: "Cloud, Hybrid, or Self-Hosted options"
Step 2: Configure .codeiumignore for Data Protection
# .codeiumignore — files Windsurf AI will NEVER see or index
# Uses gitignore syntax. Default: .gitignore and node_modules excluded.
# ===== SECRETS =====
.env
.env.*
.env.local
credentials.json
serviceAccountKey.json
*.pem
*.key
*.p12
*.pfx
.aws/
.gcloud/
.azure/
vault-config.*
# ===== CUSTOMER DATA =====
data/customers/
data/exports/
data/backups/
*.sql
*.sql.gz
*.dump
fixtures/production-*
# ===== INFRASTRUCTURE SECRETS =====
terraform.tfstate
terraform.tfstate.backup
*.tfvars
*.auto.tfvars
ansible/vault*
# ===== COMPLIANCE BOUNDARIES =====
# PCI zone — credit card processing code
src/pci/
# HIPAA zone — health data processing
src/hipaa/
# Financial data
reports/financial/
Rationale: YAML and JSON files often contain configuration with secrets. Disabling Supercomplete for these types prevents the AI from seeing or suggesting content based on config files.
Step 5: Safe Cascade Usage with Sensitive Code
## Rules for using Cascade in regulated codebases
1. NEVER paste secrets into Cascade chat
- BAD: "My API key is sk-abc123, why isn't it working?"
- GOOD: "I'm getting auth errors. The key is set in .env as API_KEY."
2. NEVER ask Cascade to read excluded files
- BAD: "Read .env and tell me what's configured"
- GOOD: "What environment variables does src/config.ts expect?"
3. Use .windsurfrules to enforce safety patterns
- "Always use process.env for secrets, never hardcode"
- "Never log PII fields: email, phone, ssn, creditCard"
4. Mark compliance boundaries in .windsurfrules
- "Files in src/pci/ handle credit card data — extra review required"
- "Files in src/hipaa/ handle health data — never log patient info"
Step 6: Enterprise Self-Hosted Deployment
For maximum data control:
# Enterprise deployment options
deployment_modes:
cloud:
data_flow: "Code snippets → Codeium cloud → AI response"
retention: "Zero-data retention (default for paid plans)"
suitable_for: "Most teams"
hybrid:
data_flow: "Code stays on-prem, only prompts sent to cloud"
retention: "Configurable"
suitable_for: "Teams with data residency requirements"
self_hosted:
data_flow: "Everything on-prem or in your cloud"
retention: "You control"
suitable_for: "Highly regulated (finance, healthcare, government)"
requires: "Enterprise plan + infrastructure team"
Data Privacy Audit Checklist
.codeiumignore covers all secret files and customer data
Telemetry disabled (if required by policy)
Autocomplete disabled for secret-containing file types
.windsurfrules includes data handling coding standards