// Trust & Security Report

    Continue Dev, Inc. logo

    Continue Dev, Inc.

    Continue — an open-source IDE extension (VS Code, JetBrains) for AI-assisted coding with BYOM (bring-your-own-model) architecture. **CRITICAL: Product is being shut down effective July 15, 2026 following acquisition by Cursor (June 16, 2026).**

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 5 unconfirmed / not-held certifications
    SOC 2 (Type I or II)
    NOT CONFIRMED

    No public evidence of SOC 2 certification on vendor domains (continue.dev, GitHub documentation, or privacy/security pages)

    source: continue.dev
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on vendor domains

    source: continue.dev
    GDPR Compliance Certificate
    NOT CONFIRMED

    Terms of Service explicitly state users must not submit data 'subject to specific data privacy and security laws including, but not limited to, the...GDPR'

    source: continue.dev
    HIPAA
    NOT CONFIRMED

    Terms of Service explicitly prohibit submission of 'any other information...subject to specific data privacy and security laws including, but not limited to, the...HIPAA'

    source: continue.dev
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification; Terms of Service state 'We do not view or store your full credit card or other Payment Method information' and prohibit submission of a 'credit card or debit card number' as Customer Content.

    source: continue.dev

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not specified; vendor does not commit to any specific data residency

    Continue's Terms take a 'royalty-free, sublicensable, transferable, perpetual, irrevocable, worldwide, non-exclusive license to access, use, host, store, reproduce, modify, publish, list information regarding, translate, process, copy, distribute, perform, export, display, and make derivative works of all Customer Content'. This broad grant could in principle permit model training, but the privacy notice (Last Updated Feb 5, 2026) does not disclose whether customer content is used to train or improve AI models, so training on customer data is undetermined. The Terms do explicitly prohibit users from using Output to train their own machine learning models. Under the BYOM architecture, model-side data handling is governed by whichever provider the user selects.

    // Security controls

    Vulnerability Reporting

    Responsible disclosure via email to security@continue.dev; team commits to responding promptly. No public security advisories published.

    github.com

    Encryption in Transit

    Not explicitly documented in public security pages; standard HTTPS assumed but unverified

    continue.dev

    Data Retention

    Continue retains personal data 'no longer than reasonably necessary'; data derived from customer content is aggregated/anonymized for perpetual internal use. Cloud-hosted Continue data deleted July 15, 2026 per shutdown policy.

    continue.dev

    Code Availability

    Apache 2.0 open-source; source available on GitHub but repository is read-only post-acquisition

    github.com

    // Products & data scope

    Continue (VS Code Extension)IDE Extension / Coding Agent

    data: User code, chat history, completions, autocomplete logs, device/usage telemetry

    BYOM architecture (users choose Claude, GPT-4, local Ollama, etc.); data residency depends on chosen AI provider. Cloud sync via continue.dev servers until July 15, 2026; thereafter local-only.

    Continue (JetBrains Plugin)IDE Extension / Coding Agent

    data: Same as VS Code variant

    Same BYOM, data handling, and sunset timeline as VS Code version

    // What to watch

    • CRITICAL: Product is being shut down effective July 15, 2026 following Cursor acquisition (June 16, 2026). Cloud data will be permanently deleted. Repository is read-only. No further maintenance or support.
    • Overly broad licensing terms: ToS grants Continue 'perpetual, irrevocable, worldwide, non-exclusive license' to all customer content for 'any lawful purpose,' including derivative works. Users cannot train ML models on outputs, but Continue can.
    • Explicitly unsuitable for regulated industries: Terms explicitly prohibit submission of data subject to GDPR, HIPAA, FERPA, or other data privacy laws. This restriction suggests the vendor is not equipped for enterprise/healthcare/finance use.
    • No enterprise certifications: No SOC 2, ISO 27001, HIPAA BAA, or GDPR adequacy determination. Startup-grade security posture only.
    • Undefined encryption/security details: Public documentation does not specify encryption at rest, key management, or detailed security architecture. Open-source code available but no third-party audit referenced.
    • Identity-conflation risk: Cursor (which acquired Continue) now also being acquired by SpaceX for $60B (June 2026). Ensure AIFOXX is assessing Continue Dev, Inc., not Cursor or SpaceX security posture.

    // At a glance

    Pricing model

    Free (open-source, Apache 2.0); optional cloud sync and premium features being discontinued

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Continue Dev, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    continue.dev

    > Browse all vendor trust reports