Ask HN: How do companies that use Cursor handle compliance?

I'm trying to decide whether to adopt Cursor for our company, but we're in a heavily regulated industry and our compliance team is flagging concerns about HIPAA/SOC2/audit trails.

The thing is, there are companies in regulated industries using it [1][2]. But Cursor has no HIPAA BAA, no FedRAMP certification, and is cloud-only with all requests routing through their AWS infrastructure. (This is probably true for Claude and other coding assistants, though I've only looked seriously at Cursor.)

So how are regulated companies actually making this work? Or do most just avoid Cursor and other AI coding tools altogether?

[1] 165 healthcare companies use Cursor according to Bloomberry: https://bloomberry.com/data/cursor/

[2] Cursor's customers include Sanofi, Johnson & Johnson, and Neuralink: https://cursor.com/customers

6 points | by Poomba 4 hours ago

3 comments

  • raw_anon_1111 2 hours ago
    This has less to do with Cursor and more to do with standard processes. In day-to-day use, your developers' development environment should not have access to any data that comes under HIPAA (the one compliance framework I'm familiar with).

    If your developer machines don't have access to regulated data, neither will Cursor. As far as I know, none of those compliance frameworks has anything to do with your code; it's about accessing data and how you promote your code to production.

    I've never used Cursor. But Claude Code gives you the option of using AWS Bedrock hosted models, including Anthropic's. You can sign a BAA with AWS. Notice this is using Anthropic models through an AWS account, not directly from Anthropic.
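
The Bedrock route the comment above describes only helps if every developer shell is actually configured that way, so here is an added preflight check (example code, not from the thread, Anthropic or AWS). `CLAUDE_CODE_USE_BEDROCK`, `ANTHROPIC_API_KEY`, `AWS_REGION` and `AWS_PROFILE` are the environment variables Claude Code and the AWS SDK read; the pass/fail policy, the approved-region list and the constructed environments in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the HN thread, Anthropic or AWS): a preflight
# check that a developer shell routes Claude Code traffic to AWS Bedrock, i.e.
# through the AWS account covered by the BAA, rather than directly to Anthropic.
# CLAUDE_CODE_USE_BEDROCK, ANTHROPIC_API_KEY, AWS_REGION and AWS_PROFILE are the
# variables Claude Code and the AWS SDK read; the pass/fail policy and the
# approved-region list below are this example's own assumptions.

# Regions a (hypothetical) compliance team has approved for Bedrock traffic.
APPROVED_REGIONS="${APPROVED_REGIONS:-us-east-1 us-west-2}"

# Returns 0 if WORD appears in the space-separated LIST, else 1.
in_list() {
    word=$1
    list=$2
    for item in $list; do
        [ "$item" = "$word" ] && return 0
    done
    return 1
}

# Inspects the current environment, prints one line per violation and returns
# the number of violations found (0 means the shell is routed to Bedrock).
claude_bedrock_preflight() {
    violations=0
    if [ "${CLAUDE_CODE_USE_BEDROCK:-}" != "1" ]; then
        echo "FAIL: CLAUDE_CODE_USE_BEDROCK is not 1; Claude Code would call Anthropic's API directly"
        violations=$((violations + 1))
    fi
    if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
        echo "FAIL: ANTHROPIC_API_KEY is set; a direct Anthropic credential can bypass the Bedrock route"
        violations=$((violations + 1))
    fi
    if [ -z "${AWS_REGION:-}" ]; then
        echo "FAIL: AWS_REGION is unset; Bedrock calls need an explicit region"
        violations=$((violations + 1))
    elif ! in_list "$AWS_REGION" "$APPROVED_REGIONS"; then
        echo "FAIL: AWS_REGION=$AWS_REGION is not in the approved list ($APPROVED_REGIONS)"
        violations=$((violations + 1))
    fi
    # Not a failure: the SDK's default credential chain (SSO cache, instance
    # role, ~/.aws/credentials) may still resolve, but it is worth flagging.
    if [ -z "${AWS_PROFILE:-}" ] && [ -z "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "WARN: no AWS_PROFILE or static AWS credentials; relying on the default credential chain"
    fi
    return "$violations"
}

# Demonstration on two constructed environments (subshells, so the caller's
# real shell is untouched). The first passes; the second reports three
# violations: Bedrock flag off, direct Anthropic key present, unapproved region.
demo() {
    echo "--- correctly routed shell"
    ( export CLAUDE_CODE_USE_BEDROCK=1 AWS_REGION=us-east-1 AWS_PROFILE=dev-bedrock
      unset ANTHROPIC_API_KEY
      claude_bedrock_preflight ) && echo "preflight OK"
    echo "--- misconfigured shell"
    ( export CLAUDE_CODE_USE_BEDROCK= ANTHROPIC_API_KEY=sk-ant-placeholder AWS_REGION=eu-central-1
      claude_bedrock_preflight ) || echo "preflight FAILED with $? violation(s)"
}

demo
```

In a real rollout the check belongs in the shell profile pushed by the endpoint management tool, followed by `aws sts get-caller-identity` to confirm which AWS account the traffic will land in; that network call is left out here so the example runs offline.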

  • verdverm 4 hours ago
    Copilot can be used in these situations, that's what most of our devs use. I suspect Claude Code is going to be evaluated in the near future. Personally, I have permission from the CTO to hook my custom agent up to the GCloud Vertex APIs because we know it all stays in Google, which is compliant across their portfolio. Microslop is too, which is why Copilot is available. All the frontier models are available as well between both Google and Microsoft, I have no need for OpenAI or xAI, so VertexAI has everything I personally want.
  • pearlos 3 hours ago
    [dead]