AI Vendor Security & Compliance Brief

Claude

Independent due-diligence summary · every fact links to the vendor's official source
8 source-cited facts
0 independently verified certs
10 legal documents tracked
Generated 2026-07-03
AI Governance Readiness: 94/100

Enterprise-Ready

The vendor is rated Enterprise-Ready with a score of 94 out of 100. The strongest verified evidence is the SOC 2 Type 2 and ISO 27001 certifications, confirmed via the vendor's trust portal, together with no known breaches or CVEs against the product. A recent change to the Terms of Service (62 added and 2 removed passages) touches how your data is used, including for AI training, as well as your privacy, data sharing or retention, liability, warranties, and indemnification. Buyers should review the current Terms of Service to assess whether these changes affect their obligations or risk.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown (deterministic · evidence-only)

  • Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 2 Type 2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training: Enterprise terms do NOT permit training on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement: A Data Processing Agreement is published and tracked.
  • Breach History: No known breaches in Have I Been Pwned.
  • Vulnerability Exposure: No known CVEs against the mapped product identity.
  • Email Spoofing Protection (DMARC): DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy: Publishes a security.txt disclosure policy (RFC 9116).
  • Web TLS Certificate: Valid TLS certificate in place.
  • Legal Transparency: 10 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Compliance Posture (vendor-stated · cited)

Framework | Status | Source
BAA Available (HIPAA) | Stated by vendor | https://support.claude.com/en/articles/8114513-business-associate-agreements-baa-for-commercial-customers
GDPR | Stated by vendor | https://www.anthropic.com/legal/privacy
HIPAA | Stated by vendor | https://support.claude.com/en/articles/13296973-hipaa-ready-enterprise-plans
ISO 27001 | Stated by vendor | https://trust.anthropic.com/
SOC 2 | Stated by vendor | https://trust.anthropic.com/
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts (deterministic · cited)

Attribute | Value | Source
Data Retention (key clause) | Personal data is retained "for as long as reasonably necessary for the purposes and criteria outlined in this Notice." Vendor's exact wording: “Anthropic retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Notice.” | https://www.anthropic.com/legal/non-user-privacy-policy
Sub-processors (published list) | View document | https://trust.anthropic.com/subprocessors
Trains on Customer Data (key clause) | Free / Pro (claude.ai): trains on data — inputs/outputs may be used to train unless you opt out. Enterprise: does not train — the Commercial/API terms state that Anthropic may not train models on Customer Content. | See per-tier citations

Security Posture (authoritative · cited)

  • Known Vulnerabilities (CVE / CISA KEV): No open vulnerabilities. All known vulnerabilities have been patched by the vendor.
  • Vulnerability Disclosure Policy (security.txt): Found (1).
  • Email Spoofing Protection (DMARC): Protected. DMARC enforced and SPF present — spoofing well mitigated.
  • Web TLS Certificate: Valid.
  • Data Breach History: None found. Queried the authoritative source; no records.
  • Supply-Chain Security (OpenSSF Scorecard): Not applicable. Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
  • OFAC Sanctions Screening: None found. Queried the authoritative source; no records.
  • SEC Cyber Incident Disclosures (8-K 1.05): Not applicable. Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.

Certifications Available Under NDA / Trust Center (attested · report gated)

Certification | Status | Trust Center
ISO 27001 | Available via Trust Center | https://trust.anthropic.com/
SOC 2 Type 2 | Available via Trust Center | https://trust.anthropic.com/
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.


Tracked Legal & Policy Documents

Document | URL
AUP | https://www.anthropic.com/legal/aup
Cookie | https://www.anthropic.com/legal/cookies
DPA | https://www.anthropic.com/legal/data-processing-addendum
Pricing | https://www.anthropic.com/pricing
Privacy | https://www.anthropic.com/legal/privacy
Security | https://trust.anthropic.com
SOC Report | https://trust.anthropic.com
ToS | https://www.anthropic.com/legal/commercial-terms
Trust | https://www.anthropic.com/research/trustworthy-agents
Vuln Mgmt | https://anthropic.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

Document | Availability | How to obtain
Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team.
Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA.
Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement.
Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments.

Continuous Monitoring (change-tracking active)

5 legal & policy documents under change-monitoring since 2026-06-11. 5 tracked changes detected since baseline.

Monitored documents: AUP, Cookie, DPA, Privacy, ToS
Detected | Change | Detail
2026-06-18 | ToS Clause Change | The Terms of Service changed — 62 added, 2 removed passages. Review the current version.
What this means: This change to the Terms of Service touches how your data is used, including for AI training, your privacy, data sharing or retention, and liability, warranties or indemnification. Read the 62 added and 2 removed passages in the current Terms of Service to see whether they affect your obligations or risk.

In plain terms — verify against the exact changed text below: The document changed from an introduction to a "Non-User Privacy Policy" to a "Welcome to Anthropic" message followed by detailed "Commercial Terms of Service" that define terms, outline service usage, data privacy, and trust and safety policies.

@@ -1,128 +1,235 @@-Non-User Privacy Policy \ Anthropic
-Anthropic is an AI safety and research company, building reliable, interpretable, and steerable AI systems.
-We’ve prepared this notice (“
+Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
+These Commercial Terms of Service (“
+Terms
+”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“
+Customer
+”). “
+Anthropic
+” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“
+EEA
+”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “
+Services
+”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“
+”).
+Please note
+: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our
+Consumer Terms of Service
+instead.
+A. Services
+A.1.
+Overview.
+Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“
+Users
+”).
+A.2.
+Third Party Features.
+Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“
+Third Party Features
+”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them.
+A.3.
+Feedback.
+If Customer provides (in its sole discretion) Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer.
+B. Customer Content
+As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs. Anthropic disclaims any rights it receives to the Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from Services. “
+Inputs
+” means submissions to the Services by Customer or its Users and “
+Outputs
+” means responses generated by the Services to Inputs (Inputs and Outputs together are “
+Customer Content
+”).
+C. Data Privacy
+Data submitted through the Services will be processed in accordance with the
+Anthropic Data Processing Addendum
+(“
+DPA
+”), which is incorporated into these Terms by reference.
+D. Trust and Safety; Restrictions
+D.1.
+Compliance.
+Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws.
+D.2.
+Policies and Service Terms.
+Customer and its Users may only use the Services in compliance with these Terms, including (a) the
+Usage Policy
+(“
+Usage Policy
+”, which was previously referred to as the Acceptable Use Policy), (b) our policy on the
+countries and regions Anthropic currently supports
+(“
+Supported Regions Policy
+”) and (c) our
+Service Specific Terms
+, each of which is incorporated by reference into these Terms. Customer must cooperate with reasonable requests for information from Anthropic to support compliance with its Usage Policy, including to verify Customer’s identity and use of the Services.
+D.3.
+Limitations of Outputs; Notice to Users.
+It is Customer’s responsibility to evaluate whether Outputs are appropriate for Custom
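Review bot: The removed side of this hunk is the "Non-User Privacy Policy" (the first `-` line) while the added side is the "Commercial Terms of Service", so the diff compares two different documents rather than two versions of the Terms of Service; the "62 added, 2 removed" count therefore measures a change in which document was captured at the tracked URL, not clause edits. Confirm that the tracked ToS URL resolved to the same document on both captures before treating this as a clause change, and diff the Commercial Terms against their own prior capture instead. Separately, the defined term that should sit between `(“` and `”).` after "first accesses the Services" came through empty, so the effective-date definition cannot be checked from this capture.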
2026-06-15 | ToS Clause Change | The Terms of Service was substantially rewritten — 30 removed, 26 added. Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention, and licensing or ownership of content/IP. Read the 26 added and 30 removed passages in the current Terms of Service to see whether they affect your obligations or risk.

In plain terms — verify against the exact changed text below: The document's initial content was entirely replaced. The previous text, which was a "Data Processing Addendum" defining terms related to data processing and privacy, was removed and replaced with a "Welcome to Anthropic!" message introducing "Commercial Terms of Service" and defining terms related to the agreement, cu

@@ -1,311 +1,235 @@-Data Processing Addendum \ Anthropic
-This Data Processing Addendum (
-“DPA”
-) is incorporated into and forms part of the Anthropic Commercial Terms of Service or other agreement between Customer and Anthropic that references this DPA and governs Customer’s use of the Services (the
-“Agreement”
-), and applies to Anthropic’s processing of Customer Data (defined below). Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement. Anthropic may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Applicable Data Protection Laws. If there is any conflict between the terms of this DPA and the Agreement, the conflicting terms in this DPA will govern.
-A. Definitions
+Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
+These Commercial Terms of Service (“
+Terms
+”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“
+Customer
+”). “
+Anthropic
+” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“
+EEA
+”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “
+Services
+”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“
+”).
+Please note
+: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our
+Consumer Terms of Service
+instead.
+A. Services
 A.1.
-"Applicable Data Protection Laws"
-means all applicable privacy or data protection laws and regulations relating to the processing of personal data, as may be amended from time to time.
+Overview.
+Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“
+Users
+”).
 A.2.
-"Customer Personal Data"
-means personal data submitted through the Services by or for Customer or a Customer Affiliate.
+Third Party Features.
+Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“
+Third Party Features
+”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them.
 A.3.
-"Customer Affiliate"
-means an affiliate of Customer that (a) is permitted to use the Services pursuant to the Agreement between Anthropic and Customer, and (b) directly or indirectly controls, is controlled by, or is under common control with the subject entity.
-“Control,”
-for purposes of this definition, means direct or indirect ownership or control of more than 50% of voting interests.
-A.4.
-“Customer Data”
-means all data or other information submitted through the Services by or for Customer or a Customer Affiliate.
-A.5.
-“Data Subject Request”
-means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data.
-A.6.
-"GDPR"
-means Regulation (EU) 2016/679.
-A.7.
-"Security Breach"
-means a breach of Anthropic’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.
-A.8.
-"Standard Contractual Clauses"
-or
-“SCCs”
-means Module Two (controller to processor) or Module Three (processor to pro
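Review bot: Same capture-target problem as the previous hunk: the `-` side is the "Data Processing Addendum" (definitions A.1 through A.8, including "Security Breach" and "Standard Contractual Clauses") and the `+` side is the Commercial Terms of Service, so the "30 removed, 26 added" figure and the "licensing or ownership" concern come from comparing the DPA against the ToS, not from DPA definitions being dropped. The context lines `A.1.`, `A.2.` and `A.3.` match only because both documents use the same section numbering. Re-baseline each tracked URL against its own document before counting these as removals.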
2026-06-14 | ToS Clause Change | The Privacy Policy was re-published with only formatting changes — no clause change.
What this means: The Privacy Policy text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Privacy Policy to confirm.
@@ -1,3 +1,2 @@-Privacy Policy \ Anthropic
 Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems.
 This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website, Claude.ai, or other Anthropic products and services (the “Services”). This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our Enterprise accounts. Our use of that data is governed by our customer agreements covering access to and use of those offerings.
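Review bot: Only the title line "Privacy Policy \ Anthropic" is removed and both body paragraphs are unchanged context, which is consistent with the "formatting only" classification and with the page title simply being excluded from the newer capture. No review is needed beyond confirming that the current Privacy Policy still opens with the same two paragraphs.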
2026-06-13 | ToS Clause Change | The Terms of Service changed — 26 passages removed. Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention, and termination, suspension or account closure. Read the 26 removed passages in the current Terms of Service to see whether they affect your obligations or risk.
@@ -1,246 +1,235 @@-Claude Partner Network Agreement \ Anthropic
-This Claude Partner Network Agreement (this “
-CPNA
-”) governs your participation in the Claude Partner Network Program (the “
-Program
-”) and is an agreement between Anthropic (as defined below, and also referred to herein as “
-we
-,” “
-us
-,” or “
-our
-”) and you or the entity you represent (“
-you
-” or “
-your
-”). This CPNA also incorporates by reference, and is deemed to include the terms and conditions contained in, our Partner Program Guide, the Anthropic Policies, and any exhibits or other documents or terms (including any Program Specific Terms) that are incorporated by reference in any of the foregoing, each of which forms an integral part of this CPNA. Please see Section J for definitions of certain capitalized terms used in this CPNA.
-This CPNA takes effect on the day you electronically agree to these terms by any method made available by Anthropic for such purpose (the “
-”). By doing so, you acknowledge that you have read and understand this CPNA and agree to be bound by its terms and conditions. You also hereby represent to us that you are lawfully able to enter into contracts (e.g., you are not a minor) and, if you are entering into this CPNA for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
-A. Program.
-Participation.
-To participate in the Program and utilize any of its benefits, you must (a) submit a complete Program application through the Claude Partner Hub portal, (b) receive written approval from Anthropic to join the Program, which shall be granted in Anthropic’s sole discretion (including, if accepted, as to your Program level or tier), and (c) enter into this CPNA (and this CPNA must not have been terminated).
-Affiliate Participation
-. Your Affiliates may participate in the Program, subject to their compliance with this CPNA and separate execution of any applicable Program Specific Terms;
-provided
-, you remain fully liable to us for your Affiliates’ actions or omissions under, and their compliance with, this CPNA. Any breach of the CPNA by your Affiliates will be deemed a breach by you, and we reserve the right to terminate any Affiliate’s participation in the Program upon written notice.
-Account.
-If you are accepted into the Program, you may register a Program account where you can manage your participation in the Program. Anthropic may use your Program Account Information to send you information about Anthropic, the Program or other relevant information. Program Account Information and any other personal information Anthropic or any of its Affiliates receive from you or otherwise collect to maintain and facilitate your participation in the Program will be processed in accordance with our Privacy Policy. You are solely responsible for all activity under your Program account. You will promptly notify Anthropic if you believe your account has been compromised or is subject to a denial of service or similar malicious attack.
-Benefits.
-As part of the Program, we may invite you to participate in opportunities or provide you with funding or other benefits related to your activities that support usage, promotion, or knowledge of the Anthropic Services. Any benefits, or their continued availability to you, are not guaranteed and may be subject to change as further described in this CPNA. If you receive benefits for which we determine you are not eligible, you will return such benefits upon our request, or we may cancel such benefits or make corresponding reductions to any of your future benefits. You may not use any benefits for any purpose other than for their intended use as set forth in the Partner Program Guide or otherwise communicated to you by Anthropic. Benefits may not be used by your employees for their personal benefit. All Program benefits and details thereof are set forth in the Partner Program Guide and may be subject to additional Program Speci
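Review bot: The `-` side is the "Claude Partner Network Agreement" (CPNA), a partner-program contract, not the Terms of Service, and no `+` lines are shown, so the "26 passages removed" and the "termination, suspension or account closure" concern trace to CPNA text (the Affiliate-termination language in the Affiliate Participation paragraph and the benefit-cancellation language in the Benefits paragraph) rather than to any ToS clause. Treat this as another capture-target change at the tracked URL and verify what that URL serves now before reading it as a ToS edit.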
2026-06-08 | CVE / Security Incident | 1 new CVE (published 2026-03-31): CVE-2026-22561. A fix is available from the vendor.
What this means: Disclosed and already fixed by the vendor — no action needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not an active exposure.



Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.