Learn more about Cognition's acquisition of Windsurf

Data Processing Statement

last updated: September 18, 2025

On this page:

    Data Processing Agreement (DPA) Policy

    General Statement

    Cognition does not generally enter into Data Processing Agreements (“DPAs”) with customers in connection with their use of our platform. Our active platform is not intended for the processing of personal data. Although we collect only limited account-level information about customers (e.g., email address, username) for purposes of billing, support, and, in the case of customers who do not implement Single Sign-On (“SSO”), authentication, Cognition acts as an independent data controller for such data, and not as a processor. Accordingly, Article 28 of the GDPR and equivalent provisions under other data protection laws do not apply, and a DPA is not legally required.

    Scope of Services

    1. Use of Data Our platform is designed to support customer code. The active platform is not intended or designed for the processing of personal data and product prompts should not include personal data.

    Although we do need to collect limited customer account-level information that customers provide when they register an account (such as email addresses and usernames, such information is used exclusively for the purposes of billing, customer support, and access management (where applicable). For further information about the data that we collect and how we use and disclose it, please see our Privacy Policy, which is further limited by our Terms of Services or Enterprise customer agreements, as applicable.

    1. Our Role With respect to the limited account data collected, we determine the purposes and means of processing and therefore act as a controller. We do not process personal data on behalf of our customers and we assume no role as a processor within the meaning of applicable data protection laws.

    Our Position

    Because we do not process personal data on behalf of customers, the statutory requirements for data processing agreements under GDPR Article 28 and similar laws are inapplicable. Consequently, we are not required to enter into a DPA with our customers.

    If, notwithstanding the foregoing, and in certain circumstances such as when a significant customer requires execution of a DPA to satisfy internal compliance or procurement obligations, we may consider a Controller-to-Controller DPA, where execution of such a DPA confirms our role as a controller. For example, for customers subject to the GDPR, upon request we can offer a Controller-to-Controller DPA that incorporates valid data transfer mechanisms.

    Regardless, the content above should not be considered or construed as legal advice. Customers should consult their own legal counsel regarding their specific obligations under applicable data protection laws.

    Last updated: September 12, 2025

    Follow us on: