// Trust & Security Report
Continue Dev, Inc.
Continue — an open-source IDE extension (VS Code, JetBrains) for AI-assisted coding with BYOM (bring-your-own-model) architecture. **CRITICAL: Product is being shut down effective July 15, 2026 following acquisition by Cursor (June 16, 2026).**
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 5 unconfirmed / not-held certifications
source: continue.devNo public evidence of SOC 2 certification on vendor domains (continue.dev, GitHub documentation, or privacy/security pages)
source: continue.devNo public evidence of ISO 27001 certification on vendor domains
source: continue.devTerms of Service explicitly state users must not submit data 'subject to specific data privacy and security laws including, but not limited to, the...GDPR'
source: continue.devTerms of Service explicitly prohibit submission of 'any other information...subject to specific data privacy and security laws including, but not limited to, the...HIPAA'
source: continue.devNo public evidence of PCI DSS certification; Terms of Service state 'We do not view or store your full credit card or other Payment Method information' and prohibit submission of a 'credit card or debit card number' as Customer Content.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not specified; vendor does not commit to any specific data residency
Continue's Terms take a 'royalty-free, sublicensable, transferable, perpetual, irrevocable, worldwide, non-exclusive license to access, use, host, store, reproduce, modify, publish, list information regarding, translate, process, copy, distribute, perform, export, display, and make derivative works of all Customer Content'. This broad grant could in principle permit model training, but the privacy notice (Last Updated Feb 5, 2026) does not disclose whether customer content is used to train or improve AI models, so training on customer data is undetermined. The Terms do explicitly prohibit users from using Output to train their own machine learning models. Under the BYOM architecture, model-side data handling is governed by whichever provider the user selects.
// Security controls
Vulnerability Reporting
Responsible disclosure via email to security@continue.dev; team commits to responding promptly. No public security advisories published.
github.comEncryption in Transit
Not explicitly documented in public security pages; standard HTTPS assumed but unverified
continue.devData Retention
Continue retains personal data 'no longer than reasonably necessary'; data derived from customer content is aggregated/anonymized for perpetual internal use. Cloud-hosted Continue data deleted July 15, 2026 per shutdown policy.
continue.devCode Availability
Apache 2.0 open-source; source available on GitHub but repository is read-only post-acquisition
github.com// Products & data scope
data: User code, chat history, completions, autocomplete logs, device/usage telemetry
BYOM architecture (users choose Claude, GPT-4, local Ollama, etc.); data residency depends on chosen AI provider. Cloud sync via continue.dev servers until July 15, 2026; thereafter local-only.
data: Same as VS Code variant
Same BYOM, data handling, and sunset timeline as VS Code version
// What to watch
- CRITICAL: Product is being shut down effective July 15, 2026 following Cursor acquisition (June 16, 2026). Cloud data will be permanently deleted. Repository is read-only. No further maintenance or support.
- Overly broad licensing terms: ToS grants Continue 'perpetual, irrevocable, worldwide, non-exclusive license' to all customer content for 'any lawful purpose,' including derivative works. Users cannot train ML models on outputs, but Continue can.
- Explicitly unsuitable for regulated industries: Terms explicitly prohibit submission of data subject to GDPR, HIPAA, FERPA, or other data privacy laws. This restriction suggests the vendor is not equipped for enterprise/healthcare/finance use.
- No enterprise certifications: No SOC 2, ISO 27001, HIPAA BAA, or GDPR adequacy determination. Startup-grade security posture only.
- Undefined encryption/security details: Public documentation does not specify encryption at rest, key management, or detailed security architecture. Open-source code available but no third-party audit referenced.
- Identity-conflation risk: Cursor (which acquired Continue) now also being acquired by SpaceX for $60B (June 2026). Ensure AIFOXX is assessing Continue Dev, Inc., not Cursor or SpaceX security posture.
// At a glance
Pricing model
Free (open-source, Apache 2.0); optional cloud sync and premium features being discontinued
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Continue Dev, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
continue.dev