AI Agent Skill HUB

cursor-compliance-audit

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation. Triggers on "cursor compliance", "cursor audit", "cursor security review", "cursor soc2", "cursor gdpr", "cursor data governance".

1,868 stars
byjeremylongshore
View on GitHubInstallation ↓

Best use case

cursor-compliance-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation. Triggers on "cursor compliance", "cursor audit", "cursor security review", "cursor soc2", "cursor gdpr", "cursor data governance".

Teams using cursor-compliance-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/cursor-compliance-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/cursor-pack/skills/cursor-compliance-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/cursor-compliance-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How cursor-compliance-audit Compares

Feature / Agentcursor-compliance-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation. Triggers on "cursor compliance", "cursor audit", "cursor security review", "cursor soc2", "cursor gdpr", "cursor data governance".

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Cursor vs Codex for AI Workflows

Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

SKILL.md Source

# Cursor Compliance Audit

Compliance and security auditing framework for Cursor IDE usage. Covers SOC 2, GDPR, and HIPAA assessment with audit checklists, evidence collection, and remediation guidance.

## Cursor Security Posture

### Certifications and Attestations

| Certification | Status | Notes |
|--------------|--------|-------|
| SOC 2 Type II | Certified | Annual audit, report available on request |
| Penetration testing | Annual | Results shared under NDA (Enterprise) |
| Encryption at rest | AES-256 | All stored data |
| Encryption in transit | TLS 1.2+ | All API communications |
| Zero data retention | Available | Via Privacy Mode |
| GDPR compliance | Yes | EU data processing supported |
| HIPAA BAA | Not available (as of early 2026) | See HIPAA section |

### Data Processing Architecture

```
Developer Machine
    │
    ├─► Cursor Client ──► Cursor API (US/EU) ──► Model Provider
    │   (local)           (routing + auth)        (OpenAI/Anthropic)
    │                           │
    │                           └─► Zero retention agreement
    │
    ├─► Codebase Index ──► Embedding API ──► Turbopuffer (vectors)
    │                      (no plaintext stored)
    │
    └─► Local Settings (API keys, preferences)
        (never transmitted)
```

## Audit Checklist: SOC 2

### CC6.1 — Logical Access Controls

```
[ ] SSO (SAML/OIDC) configured and enforced
[ ] MFA enabled at Identity Provider level
[ ] RBAC roles assigned: Owner, Admin, Member
[ ] Inactive users deprovisioned (SCIM or manual)
[ ] Access review completed (quarterly)

Evidence:
  - SSO configuration screenshot from admin dashboard
  - IdP MFA policy documentation
  - User list export from Cursor admin
  - SCIM sync logs (if applicable)
```

### CC6.6 — System Boundaries

```
[ ] Privacy Mode enforced at team level
[ ] .cursorignore configured for sensitive files
[ ] Data classification aligned with .cursorignore patterns
[ ] Model provider data retention agreements documented
[ ] BYOK configuration documented (if applicable)

Evidence:
  - Privacy Mode enforcement screenshot
  - .cursorignore file contents (committed to git)
  - Cursor data use policy acceptance
  - API key provider agreements
```

### CC6.7 — Data Transmission Security

```
[ ] All Cursor API calls use TLS 1.2+
[ ] Corporate proxy configured with valid certificates
[ ] No self-signed certificates or TLS bypasses
[ ] Network firewall rules documented

Evidence:
  - Network architecture diagram showing Cursor data flows
  - Firewall rules for cursor.com domains
  - Proxy configuration settings
```

### CC7.2 — Monitoring

```
[ ] Admin dashboard usage analytics reviewed monthly
[ ] Anomalous usage patterns investigated
[ ] Seat utilization tracked for access reviews

Evidence:
  - Monthly usage report screenshots
  - Incident response log for anomalies
  - User activity summary
```

## Audit Checklist: GDPR

### Data Mapping

```
Data Category: Source code snippets
Processing Purpose: AI-assisted code generation
Legal Basis: Legitimate interest (developer productivity)
Data Location: In-transit only (zero retention with Privacy Mode)
Sub-processors: OpenAI, Anthropic, Turbopuffer (embeddings)
Retention: None (Privacy Mode) or per provider policy (no Privacy Mode)
```

### Individual Rights

| Right | Cursor Support |
|-------|---------------|
| Right to access | Account settings at cursor.com/settings |
| Right to erasure | Account deletion removes all server-side data |
| Right to portability | Settings export (settings.json) |
| Right to restriction | Privacy Mode limits processing |
| Right to object | Privacy Mode + .cursorignore |

### GDPR Compliance Checklist

```
[ ] Data Processing Agreement (DPA) signed with Cursor (Enterprise)
[ ] Privacy Mode enabled for all EU team members
[ ] Sub-processor list reviewed (cursor.com/privacy)
[ ] Data protection impact assessment (DPIA) completed
[ ] Team briefed on not pasting PII into Chat/Composer

Evidence:
  - Signed DPA
  - Privacy Mode enforcement confirmation
  - DPIA document
  - Team training records
```

## HIPAA Assessment

**Current status:** Cursor does not offer a Business Associate Agreement (BAA) as of early 2026.

### Mitigations for Healthcare Organizations

```
If your organization handles PHI:

1. Enable Privacy Mode (mandatory)
2. Configure .cursorignore to exclude ALL PHI-containing files:
   .cursorignore:
     **/patient-data/
     **/medical-records/
     **/hl7/
     **/fhir-resources/
     **/*.hl7
     **/*.ccda

3. Consider BYOK through Azure with BAA:
   - Azure OpenAI has HIPAA BAA option
   - Route Cursor AI requests through Azure
   - Azure handles data governance

4. Train developers: NEVER paste PHI into Chat or Composer
5. Code review policy: verify no PHI in AI-generated code

6. CRITICAL: Consult your compliance team before any Cursor
   usage with systems that process PHI
```

## Remediation Playbook

### Finding: Privacy Mode Not Enforced

```
Severity: High
Risk: Code may be retained by model providers for training

Remediation:
1. Admin Dashboard > Privacy > Enable enforcement (immediate)
2. Notify all team members (email)
3. Verify enforcement: check each member's status in dashboard
4. Document: date of enforcement, approval authority
```

### Finding: No .cursorignore

```
Severity: Medium
Risk: Sensitive files may be included in AI context

Remediation:
1. Create .cursorignore at project root
2. Add patterns for: .env*, secrets/, credentials/, PII directories
3. Commit to git (PR review required)
4. Verify: Cursor Settings > Codebase Indexing > View included files
5. Confirm sensitive files absent from indexed list
```

### Finding: Unmanaged API Keys (BYOK)

```
Severity: Medium
Risk: Shared or unrotated API keys

Remediation:
1. Audit which team members use BYOK keys
2. Verify keys are personal (not shared team keys)
3. Implement quarterly key rotation schedule
4. Document key management policy
5. Consider centralizing through Azure gateway (Enterprise)
```

### Finding: No Access Review

```
Severity: Medium
Risk: Former employees retaining Cursor access

Remediation:
1. Export current member list from admin dashboard
2. Cross-reference with HR active employee list
3. Deactivate accounts for departed employees
4. Enable SCIM for automatic deprovisioning
5. Schedule quarterly access reviews
```

## Enterprise Considerations

- **SOC 2 report**: Request directly from Cursor (Enterprise plan) or via your account manager
- **Vendor risk assessment**: Use Cursor's security page (cursor.com/security) as starting input
- **Third-party audit**: Cursor's SOC 2 report covers their controls; your audit covers your configuration
- **Continuous monitoring**: Set calendar reminders for quarterly access reviews and annual policy updates

## Resources

- [Cursor Security](https://cursor.com/security)
- [Cursor Data Use Policy](https://cursor.com/data-use)
- [Cursor Privacy Policy](https://cursor.com/privacy)
- [Privacy and Data Governance Docs](https://docs.cursor.com/enterprise/privacy-and-data-governance)

Related Skills

assisting-with-soc2-audit-preparation

1868
from jeremylongshore/claude-code-plugins-plus-skills

Execute automate SOC 2 audit preparation including evidence gathering, control assessment, and compliance gap identification. Use when you need to prepare for SOC 2 audits, assess Trust Service Criteria compliance, document security controls, or generate readiness reports. Trigger with phrases like "SOC 2 audit preparation", "SOC 2 readiness assessment", "collect SOC 2 evidence", or "Trust Service Criteria compliance".

generating-security-audit-reports

1868
from jeremylongshore/claude-code-plugins-plus-skills

Generate comprehensive security audit reports for applications and systems. Use when you need to assess security posture, identify vulnerabilities, evaluate compliance status, or create formal security documentation. Trigger with phrases like "create security audit report", "generate security assessment", "audit security posture", or "PCI-DSS compliance report".

validating-pci-dss-compliance

1868
from jeremylongshore/claude-code-plugins-plus-skills

Validate PCI-DSS compliance for payment card data security. Use when auditing payment systems. Trigger with 'validate PCI-DSS', 'check payment security', or 'audit card data'.

checking-owasp-compliance

1868
from jeremylongshore/claude-code-plugins-plus-skills

Check compliance with OWASP Top 10 security risks and best practices. Use when performing comprehensive security audits. Trigger with 'check OWASP compliance', 'audit web security', or 'validate OWASP'.

checking-hipaa-compliance

1868
from jeremylongshore/claude-code-plugins-plus-skills

Check HIPAA compliance for healthcare data security requirements. Use when auditing healthcare applications. Trigger with 'check HIPAA compliance', 'validate health data security', or 'audit PHI protection'.

scanning-for-gdpr-compliance

1868
from jeremylongshore/claude-code-plugins-plus-skills

Scan for GDPR compliance issues in data handling and privacy practices. Use when ensuring EU data protection compliance. Trigger with 'scan GDPR compliance', 'check data privacy', or 'validate GDPR'.

generating-compliance-reports

1868
from jeremylongshore/claude-code-plugins-plus-skills

Generate comprehensive compliance reports for security standards. Use when creating compliance documentation. Trigger with 'generate compliance report', 'compliance status', or 'audit compliance'.

Auditing Access Control

1868
from jeremylongshore/claude-code-plugins-plus-skills

Audit access control implementations for security vulnerabilities and misconfigurations. Use when reviewing authentication and authorization. Trigger with 'audit access control', 'check permissions', or 'validate authorization'.

windsurf-audit-logging

1868
from jeremylongshore/claude-code-plugins-plus-skills

Configure AI interaction audit logging for compliance. Activate when users mention "audit logging", "compliance logging", "ai interaction logs", "security audit", or "activity tracking". Handles compliance and audit configuration. Use when analyzing or auditing windsurf audit logging. Trigger with phrases like "windsurf audit logging", "windsurf logging", "windsurf".

openrouter-compliance-review

1868
from jeremylongshore/claude-code-plugins-plus-skills

Review OpenRouter integration for regulatory compliance (SOC2, GDPR, HIPAA). Use when preparing for audits, evaluating data handling, or documenting compliance posture. Triggers: 'openrouter compliance', 'openrouter gdpr', 'openrouter soc2', 'openrouter data residency'.

openrouter-audit-logging

1868
from jeremylongshore/claude-code-plugins-plus-skills

Implement audit logging for OpenRouter API calls. Use when building compliance trails, debugging production issues, or tracking model usage. Triggers: 'openrouter audit', 'openrouter logging', 'audit trail openrouter', 'log openrouter requests'.

klingai-compliance-review

1868
from jeremylongshore/claude-code-plugins-plus-skills

Security and compliance review framework for Kling AI integrations. Use when preparing for audits or reviewing security posture. Trigger with phrases like 'klingai compliance', 'kling ai security review', 'klingai audit prep', 'video generation compliance'.