Ask HN: How do companies that use Cursor handle compliance?

[Poomba]

I'm trying to decide whether to adopt Cursor for our company, but we're in a heavily regulated industry and our compliance team is flagging concerns about HIPAA/SOC2/audit trails.

The thing is, there are companies in regulated industries using it [1][2]. But Cursor has no HIPAA BAA, no FedRAMP certification, and is cloud-only with all requests routing through their AWS infrastructure. (This is probably true for Claude and other coding assistants, though I've only looked seriously at Cursor.)

So how are regulated companies actually making this work? Or do most just avoid Cursor and other AI coding tools altogether?

[1] 165 healthcare companies use Cursor according to Bloomberry: https://bloomberry.com/data/cursor/

[2] Cursor's customers include Sanofi, Johnson & Johnson, and Neuralink: https://cursor.com/customers

[raw_anon_1111]

This has less to do with Cursor and more to do with standard processes. Day to day use, your developers development environment should not have access to any data that comes under HIPAA (the one compliance framework I’m familiar with)

If your developer machines don’t have access to regulated data, neither will Cursor. As far as I know none of those compliance frameworks have anything to do with your code, it’s about accessing data and how you promote your code to production

I’ve never used cursor. But Claude Code gives you the option of using AWS Bedrock hosted models - including Anthropomorphic. You can sign a BAA with AWS. Notice this is using Anthropic models through an AWS account - not directly from Anthropic.

[notesinthefield]

HIPAA is one of the few that makes clear the types of data (PHI and PII) that come under the frameworks purview during development which makes masking mandatory for non-production environments. Other frameworks families, NIST RMF, FedRAMP and CMMC very much care about software development practices in depth.

[raw_anon_1111]

But do they care whether your code was shared with a third party?

[notesinthefield]

Of course, is this a serious question?

[cap11235]

Is code personal information?

[notesinthefield]

My statement wasnt a literal reflection of software and data protection controls. Youre free to explore those mentioned.

[verdverm]

Copilot can be used in these situations, that's what most of our devs use. I suspect Claude Code is going to be evaluated in the near future. Personally, I have permission from the CTO to hook my custom agent up to the GCloud Vertex APIs because we know it all stays in Google, which is compliant across their portfolio. Microslop is too, which is why Copilot is available. All the frontier models are available as well between both Google and Microsoft, I have no need for OpenAI or xAI, so VertexAI has everything I personally want.