This has less to do with Cursor and more to do with standard processes. In day-to-day use, your developers' development environment should not have access to any data that comes under HIPAA (the one compliance framework I’m familiar with).
If your developer machines don’t have access to regulated data, neither will Cursor. As far as I know, none of those compliance frameworks have anything to do with your code; it’s about accessing data and how you promote your code to production.
I’ve never used Cursor. But Claude Code gives you the option of using AWS Bedrock hosted models - including Anthropic. You can sign a BAA with AWS. Notice this is using Anthropic models through an AWS account - not directly from Anthropic.
HIPAA is one of the few that makes clear the types of data (PHI and PII) that come under the framework's purview during development, which makes masking mandatory for non-production environments. Other framework families, NIST RMF, FedRAMP and CMMC, very much care about software development practices in depth.
But do they care whether your code was shared with a third party?
Copilot can be used in these situations; that's what most of our devs use. I suspect Claude Code is going to be evaluated in the near future. Personally, I have permission from the CTO to hook my custom agent up to the GCloud Vertex APIs because we know it all stays in Google, which is compliant across their portfolio. Microslop is too, which is why Copilot is available. All the frontier models are available as well between both Google and Microsoft. I have no need for OpenAI or xAI, so VertexAI has everything I personally want.