Claude
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 94 out of 100. Strongest verified evidence includes SOC 2 Type 2 and ISO 27001 certifications, confirmed via the vendor's trust portal, and no known breaches or CVEs against the product. A recent change to the Terms of Service, involving 62 added and 2 removed passages, touches data use (including use for AI training), privacy, data sharing or retention, and liability, warranties, or indemnification. Buyers should review the current Terms of Service to assess whether these changes affect their obligations or risk.
Readiness Breakdown deterministic · evidence-only
- Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 2 Type 2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training: Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement: A Data Processing Agreement is published and tracked.
- Breach History: No known breaches in Have I Been Pwned.
- Vulnerability Exposure: No known CVEs against the mapped product identity.
- Email Spoofing Protection (DMARC): DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy: Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate: Valid TLS certificate in place.
- Legal Transparency: 10 legal/policy documents publicly tracked.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://support.claude.com/en/articles/8114513-business-associate-agreements-baa-for-commercial-customers |
| GDPR | Stated by vendor | https://www.anthropic.com/legal/privacy |
| HIPAA | Stated by vendor | https://support.claude.com/en/articles/13296973-hipaa-ready-enterprise-plans |
| ISO 27001 | Stated by vendor | https://trust.anthropic.com/ |
| SOC 2 | Stated by vendor | https://trust.anthropic.com/ |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Retention (key clause) | “Anthropic retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Notice.” (vendor's exact wording) | https://www.anthropic.com/legal/non-user-privacy-policy |
| Sub-processors (published list) | View document | https://trust.anthropic.com/subprocessors |
| Trains on Customer Data (key clause) | Free / Pro: trains on data. Free/Pro (claude.ai): inputs/outputs may be used to train unless you opt out. Enterprise: does not train. Commercial/API terms: Anthropic may not train models on Customer Content. | see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.anthropic.com/ |
| SOC 2 Type 2 | Available via Trust Center | https://trust.anthropic.com/ |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring change-tracking active
5 legal & policy documents under change-monitoring since 2026-06-11. 5 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-18 | ToS Clause Change |
The Terms of Service changed — 62 added, 2 removed passages. Review the current version.
What this means: This change to the Terms of Service touches data use (including use for AI training), privacy, data sharing or retention, and liability, warranties or indemnification. Read the 62 added and 2 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
In plain terms — verify against the exact changed text below: The document changed from an introduction to a "Non-User Privacy Policy" to a "Welcome to Anthropic" message followed by detailed "Commercial Terms of Service" that define terms, outline service usage, data privacy, and trust and safety policies.
@@ -1,128 +1,235 @@-Non-User Privacy Policy \ Anthropic -Anthropic is an AI safety and research company, building reliable, interpretable, and steerable AI systems. -We’ve prepared this notice (“ +Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service. +These Commercial Terms of Service (“ +Terms +”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“ +Customer +”). “ +Anthropic +” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“ +EEA +”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “ +Services +”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“ +”). +Please note +: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our +Consumer Terms of Service +instead. +A. Services +A.1. +Overview. +Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“ +Users +”). +A.2. +Third Party Features. +Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“ +Third Party Features +”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them. +A.3. +Feedback. 
+If Customer provides (in its sole discretion) Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer. +B. Customer Content +As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs. Anthropic disclaims any rights it receives to the Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from Services. “ +Inputs +” means submissions to the Services by Customer or its Users and “ +Outputs +” means responses generated by the Services to Inputs (Inputs and Outputs together are “ +Customer Content +”). +C. Data Privacy +Data submitted through the Services will be processed in accordance with the +Anthropic Data Processing Addendum +(“ +DPA +”), which is incorporated into these Terms by reference. +D. Trust and Safety; Restrictions +D.1. +Compliance. +Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws. +D.2. +Policies and Service Terms. +Customer and its Users may only use the Services in compliance with these Terms, including (a) the +Usage Policy +(“ +Usage Policy +”, which was previously referred to as the Acceptable Use Policy), (b) our policy on the +countries and regions Anthropic currently supports +(“ +Supported Regions Policy +”) and (c) our +Service Specific Terms +, each of which is incorporated by reference into these Terms. Customer must cooperate with reasonable requests for information from Anthropic to support compliance with its Usage Policy, including to verify Customer’s identity and use of the Services. +D.3. +Limitations of Outputs; Notice to Users. 
+It is Customer’s responsibility to evaluate whether Outputs are appropriate for Custom |
| 2026-06-15 | ToS Clause Change |
The Terms of Service was substantially rewritten — 30 removed, 26 added. Review the current version.
What this means: This change to the Terms of Service touches privacy, data sharing or retention, and licensing or ownership of content/IP. Read the 26 added and 30 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
In plain terms — verify against the exact changed text below: The document's initial content was entirely replaced. The previous text, which was a "Data Processing Addendum" defining terms related to data processing and privacy, was removed and replaced with a "Welcome to Anthropic!" message introducing "Commercial Terms of Service" and defining terms related to the agreement, cu
@@ -1,311 +1,235 @@-Data Processing Addendum \ Anthropic -This Data Processing Addendum ( -“DPA” -) is incorporated into and forms part of the Anthropic Commercial Terms of Service or other agreement between Customer and Anthropic that references this DPA and governs Customer’s use of the Services (the -“Agreement” -), and applies to Anthropic’s processing of Customer Data (defined below). Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement. Anthropic may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Applicable Data Protection Laws. If there is any conflict between the terms of this DPA and the Agreement, the conflicting terms in this DPA will govern. -A. Definitions +Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service. +These Commercial Terms of Service (“ +Terms +”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“ +Customer +”). “ +Anthropic +” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“ +EEA +”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “ +Services +”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“ +”). +Please note +: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our +Consumer Terms of Service +instead. +A. Services A.1. 
-"Applicable Data Protection Laws" -means all applicable privacy or data protection laws and regulations relating to the processing of personal data, as may be amended from time to time. +Overview. +Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“ +Users +”). A.2. -"Customer Personal Data" -means personal data submitted through the Services by or for Customer or a Customer Affiliate. +Third Party Features. +Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“ +Third Party Features +”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them. A.3. -"Customer Affiliate" -means an affiliate of Customer that (a) is permitted to use the Services pursuant to the Agreement between Anthropic and Customer, and (b) directly or indirectly controls, is controlled by, or is under common control with the subject entity. -“Control,” -for purposes of this definition, means direct or indirect ownership or control of more than 50% of voting interests. -A.4. -“Customer Data” -means all data or other information submitted through the Services by or for Customer or a Customer Affiliate. -A.5. -“Data Subject Request” -means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data. -A.6. -"GDPR" -means Regulation (EU) 2016/679. -A.7. -"Security Breach" -means a breach of Anthropic’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data. -A.8. 
-"Standard Contractual Clauses" -or -“SCCs” -means Module Two (controller to processor) or Module Three (processor to pro |
| 2026-06-14 | ToS Clause Change |
The Privacy Policy was re-published with only formatting changes — no clause change.
What this means: The Privacy Policy text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Privacy Policy to confirm.
Show exact changed text@@ -1,3 +1,2 @@-Privacy Policy \ Anthropic Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems. This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website, Claude.ai, or other Anthropic products and services (the “Services”). This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our Enterprise accounts. Our use of that data is governed by our customer agreements covering access to and use of those offerings. |
| 2026-06-13 | ToS Clause Change |
The Terms of Service changed — 26 passages removed. Review the current version.
What this means: This change to the Terms of Service touches privacy, data sharing or retention, and termination, suspension or account closure. Read the 26 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Show exact changed text@@ -1,246 +1,235 @@-Claude Partner Network Agreement \ Anthropic -This Claude Partner Network Agreement (this “ -CPNA -”) governs your participation in the Claude Partner Network Program (the “ -Program -”) and is an agreement between Anthropic (as defined below, and also referred to herein as “ -we -,” “ -us -,” or “ -our -”) and you or the entity you represent (“ -you -” or “ -your -”). This CPNA also incorporates by reference, and is deemed to include the terms and conditions contained in, our Partner Program Guide, the Anthropic Policies, and any exhibits or other documents or terms (including any Program Specific Terms) that are incorporated by reference in any of the foregoing, each of which forms an integral part of this CPNA. Please see Section J for definitions of certain capitalized terms used in this CPNA. -This CPNA takes effect on the day you electronically agree to these terms by any method made available by Anthropic for such purpose (the “ -”). By doing so, you acknowledge that you have read and understand this CPNA and agree to be bound by its terms and conditions. You also hereby represent to us that you are lawfully able to enter into contracts (e.g., you are not a minor) and, if you are entering into this CPNA for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity. -A. Program. -Participation. -To participate in the Program and utilize any of its benefits, you must (a) submit a complete Program application through the Claude Partner Hub portal, (b) receive written approval from Anthropic to join the Program, which shall be granted in Anthropic’s sole discretion (including, if accepted, as to your Program level or tier), and (c) enter into this CPNA (and this CPNA must not have been terminated). -Affiliate Participation -. 
Your Affiliates may participate in the Program, subject to their compliance with this CPNA and separate execution of any applicable Program Specific Terms; -provided -, you remain fully liable to us for your Affiliates’ actions or omissions under, and their compliance with, this CPNA. Any breach of the CPNA by your Affiliates will be deemed a breach by you, and we reserve the right to terminate any Affiliate’s participation in the Program upon written notice. -Account. -If you are accepted into the Program, you may register a Program account where you can manage your participation in the Program. Anthropic may use your Program Account Information to send you information about Anthropic, the Program or other relevant information. Program Account Information and any other personal information Anthropic or any of its Affiliates receive from you or otherwise collect to maintain and facilitate your participation in the Program will be processed in accordance with our Privacy Policy. You are solely responsible for all activity under your Program account. You will promptly notify Anthropic if you believe your account has been compromised or is subject to a denial of service or similar malicious attack. -Benefits. -As part of the Program, we may invite you to participate in opportunities or provide you with funding or other benefits related to your activities that support usage, promotion, or knowledge of the Anthropic Services. Any benefits, or their continued availability to you, are not guaranteed and may be subject to change as further described in this CPNA. If you receive benefits for which we determine you are not eligible, you will return such benefits upon our request, or we may cancel such benefits or make corresponding reductions to any of your future benefits. You may not use any benefits for any purpose other than for their intended use as set forth in the Partner Program Guide or otherwise communicated to you by Anthropic. 
Benefits may not be used by your employees for their personal benefit. All Program benefits and details thereof are set forth in the Partner Program Guide and may be subject to additional Program Speci |
| 2026-06-08 | CVE / Security Incident | 1 new CVE (published from 2026-03-31): CVE-2026-22561. A fix is available from the vendor for all of these. What this means: Disclosed and already fixed by the vendor — no action needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not an active exposure. |