
Ask HN: How do companies that use Cursor handle compliance?

Poomba Tuesday, February 17, 2026

I'm trying to decide whether to adopt Cursor for our company, but we're in a heavily regulated industry and our compliance team is flagging concerns about HIPAA/SOC2/audit trails.

The thing is, there are companies in regulated industries using it [1][2]. But Cursor has no HIPAA BAA, no FedRAMP certification, and is cloud-only with all requests routing through their AWS infrastructure. (This is probably true for Claude and other coding assistants, though I've only looked seriously at Cursor.)

So how are regulated companies actually making this work? Or do most just avoid Cursor and other AI coding tools altogether?

[1] 165 healthcare companies use Cursor according to Bloomberry: https://bloomberry.com/data/cursor/

[2] Cursor's customers include Sanofi, Johnson & Johnson, and Neuralink: https://cursor.com/customers
