AI Vendor Security & Compliance Brief

Claude Code

Independent due-diligence summary · every fact links to the vendor's official source
10 source-cited facts
0 independently verified certs
10 legal documents tracked
Generated 2026-07-03
90/100
AI Governance Readiness

Enterprise-Ready

Claude Code is rated "Enterprise-Ready" with a score of 90 out of 100. This readiness is supported by independently verified SOC 2 Type 2 and ISO 27001 certifications, confirmed via the vendor's trust portal. A recent material change is the substantial rewrite of the Terms of Service, which touches how customer data is used (including for AI training), privacy, data sharing or retention, and liability, warranties or indemnification. Buyers should review the current Terms of Service to assess its impact on their obligations or risk.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 2 Type 2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training: Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement: A Data Processing Agreement is published and tracked.
  • Breach History: No known breaches in Have I Been Pwned.
  • Vulnerability Exposure: No known CVEs against the mapped product identity.
  • Email Spoofing Protection (DMARC): DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy: No security.txt vulnerability disclosure policy found.
  • Web TLS Certificate: Valid TLS certificate in place.
  • Legal Transparency: 10 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review (1 open item)

  • Vulnerability Disclosure Policy: Confirm a coordinated vulnerability disclosure / security.txt contact.

Compliance Posture vendor-stated · cited

Framework | Status | Source
BAA Available (HIPAA) | Stated by vendor | https://support.claude.com/en/articles/15455031-covered-models-under-a-business-associate-agreement-baa
GDPR | Stated by vendor | https://www.anthropic.com/legal/privacy
HIPAA | Stated by vendor | https://support.claude.com/en/articles/15455031-covered-models-under-a-business-associate-agreement-baa
ISO 27001 | Stated by vendor | https://trust.anthropic.com/
SOC 2 | Stated by vendor | https://trust.anthropic.com/
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

Attribute | Value | Source
Arbitration / Dispute Resolution (key clause) | True | https://www.anthropic.com/legal/commercial-terms
  Vendor's exact wording: “Any Dispute will be determined in English by final, binding arbitration according to the region-specific processes below. Judgment on any award issued through the arbitration process in this Section J.2 (Arbitration) may be entered in any court having jurisdiction. EACH PARTY AGREES THEY ARE WAIV…”
Data Retention (key clause) | within 30 days | https://www.anthropic.com/legal/privacy
  Vendor's exact wording: “You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days.”
IP / Content Ownership (key clause) | True | https://www.anthropic.com/legal/commercial-terms
  Vendor's exact wording: “As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs.”
Sub-processors (published list) | View document | https://trust.anthropic.com/subprocessors
Trains on Customer Data (key clause) | Free/Pro: trains on data; Enterprise: does not train | see per-tier citations
  Free / Pro (claude.ai): inputs/outputs may be used to train unless you opt out (cited).
  Enterprise: Commercial/API terms (Claude Code via API or commercial plans): Anthropic does not train models on Customer Content (cited).

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV): No open vulnerabilities
  All known vulnerabilities have been patched by the vendor.
Vulnerability Disclosure Policy (security.txt): None found
  Queried the authoritative source; no records.
Email Spoofing Protection (DMARC): Protected
  DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate: Valid
Data Breach History: None found
  Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard): Not applicable
  Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening: None found
  Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05): Not applicable
  Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.

Certifications Available Under NDA / Trust Center attested · report gated

Certification | Status | Trust Center
ISO 27001 | Available via Trust Center | https://trust.anthropic.com/
SOC 2 Type 2 | Available via Trust Center | https://trust.anthropic.com/
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Tracked Legal & Policy Documents

Document | URL
AUP | https://www.anthropic.com/aup
Cookie | https://www.anthropic.com/legal/cookies
DPA | https://www.anthropic.com/legal/data-processing-addendum
Pricing | https://www.anthropic.com/pricing
Privacy | https://anthropic.com/privacy
Security | https://trust.anthropic.com
SOC Report | https://trust.anthropic.com/soc
ToS | https://www.anthropic.com/legal/commercial-terms
Trust | https://www.anthropic.com/research/trustworthy-agents
Vuln Mgmt | https://anthropic.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

Document | Availability | How to obtain
Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center (https://trust.anthropic.com) or from the vendor's privacy/security team.
Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA.
Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement.
Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments.

Continuous Monitoring change-tracking active

5 legal & policy documents under change-monitoring since 2026-05-31. 5 tracked changes detected since baseline.

Detected | Change | Detail
2026-06-18 | ToS Clause Change | The Terms of Service was substantially rewritten (8 passages removed, 50 added). Review the current version.
What this means: This change to the Terms of Service touches how your data is used (including for AI training), your privacy, data sharing or retention, and liability, warranties or indemnification. Read the 50 added and 8 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Exact changed text:

In plain terms — verify against the exact changed text below: The document changed from "Consumer Terms of Service" for individuals using Claude.ai to "Commercial Terms of Service" for organizations using Anthropic API keys and other offerings. The new text defines terms like Customer, Services, Users, Customer Content, and outlines policies for data privacy, third-party features

@@ -1,264 +1,235 @@-Consumer Terms of Service \ Anthropic
-Welcome to Anthropic! Before you access our services, please read these User Terms of Service.
-These Terms of Service ("
+Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
+These Commercial Terms of Service (“
 Terms
-") and our
+”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“
+Customer
+”). “
+Anthropic
+” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“
+EEA
+”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “
+Services
+”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“
+”).
+Please note
+: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our
+Consumer Terms of Service
+instead.
+A. Services
+A.1.
+Overview.
+Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“
+Users
+”).
+A.2.
+Third Party Features.
+Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“
+Third Party Features
+”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them.
+A.3.
+Feedback.
+If Customer provides (in its sole discretion) Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer.
+B. Customer Content
+As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs. Anthropic disclaims any rights it receives to the Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from Services. “
+Inputs
+” means submissions to the Services by Customer or its Users and “
+Outputs
+” means responses generated by the Services to Inputs (Inputs and Outputs together are “
+Customer Content
+”).
+C. Data Privacy
+Data submitted through the Services will be processed in accordance with the
+Anthropic Data Processing Addendum
+(“
+DPA
+”), which is incorporated into these Terms by reference.
+D. Trust and Safety; Restrictions
+D.1.
+Compliance.
+Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws.
+D.2.
+Policies and Service Terms.
+Customer and its Users may only use the Services in compliance with these Terms, including (a) the
 Usage Policy
-(also referred to as our “Acceptable Use Policy” or “AUP”) set out the agreement between you and Anthropic Ireland, Limited (“
-Anthropic
-”) to use Claude.ai, Claude Pro, and other products and services that we may offer for individuals, along with any associated apps, software, and websites (together, our “
-Services
-”). Please take some time to read over them and understand them. By agreeing to these Terms, or in the absence of such agreement, by using the Services, you agree to be bound by them, including any changes made to them in accordance with the Terms. Our affiliates, licensors, distributors, and servi
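Review bot: the Effective Date definition in this hunk is blank: the added line ending `…first accesses the Services (“` is followed directly by `+”).`, so the quoted defined term was lost in capture and every later reference to it in the Terms now points at nothing; re-capture the source page or mark this passage for manual review before relying on the extract. The hunk also stops mid-word (“servi”) although its header covers 264 removed and 235 added lines, so the “8 removed, 50 added” passage count in the event summary cannot be checked against this excerpt. Minor: “offerings that references these Terms” should read “offerings that reference these Terms”.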
2026-06-17 | ToS Clause Change | The Privacy Policy was re-published with only formatting changes — no clause change.
What this means: The Privacy Policy text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Privacy Policy to confirm.
Exact changed text:
@@ -1,3 +1,2 @@-Privacy Policy \ Anthropic
 Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems.
 This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website, Claude.ai, or other Anthropic products and services (the “Services”). This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our Enterprise accounts. Our use of that data is governed by our customer agreements covering access to and use of those offerings.
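Review bot: the only removed line in this hunk is the page title (`-Privacy Policy \ Anthropic`), and both body lines are unchanged context, so this is extraction residue rather than a clause edit, which agrees with the “no clause change” detail; consider stripping page titles from the captured baseline so they do not raise change events at all, and note that the event is labelled “ToS Clause Change” although the document is the Privacy Policy.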
2026-06-16 | ToS Clause Change | The Terms of Service was substantially rewritten (16 passages removed, 19 added). Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention, and fees, billing or refunds. Read the 19 added and 16 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Exact changed text:

In plain terms — verify against the exact changed text below: The document changed from outlining terms for a "Referral Partner Relationship" and associated referral fees to introducing "Commercial Terms of Service" for customer use of Anthropic API keys and services. It now defines Anthropic based on customer location and clarifies that the services are not for consumer use.

@@ -1,123 +1,235 @@-A. Referral Partner Relationship
+Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
+These Commercial Terms of Service (“
+Terms
+”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“
+Customer
+”). “
+Anthropic
+” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“
+EEA
+”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “
+Services
+”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“
+”).
+Please note
+: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our
+Consumer Terms of Service
+instead.
+A. Services
+A.1.
 Overview.
-Partner may refer third parties interested in purchasing Anthropic’s products and services (the “
-Anthropic Services
-”) (each a
-"Referral"
-) to Anthropic. Anthropic will pay Partner a referral fee where Referrals execute a contract to use approved Anthropic Services in accordance with the requirements set out in these Referral Partner Program Terms and Conditions (the "
-Agreement
-").
-Referral Process.
-Partner will notify Anthropic in writing of any Referrals, using the notice method specified by Anthropic. Anthropic will promptly respond indicating whether it has accepted a Referral. Once Anthropic accepts the Referral, in order for a Referral to become an Eligible Referral (defined below), Partner must actively introduce Anthropic’s sales contact to the Referral, which, at a minimum, means introduction to an executive with budgetary responsibility for the department which would purchase Anthropic’s services and arrange an initial meeting with that executive.
-Eligible Referral.
-Subject to the requirements set out herein, an
-"Eligible Referral"
-is a Referral accepted by Anthropic that executes a contract for the purchase of approved Anthropic Services within 6 months of the date Partner noticed the Referral to Anthropic. Anthropic may decline to accept a Referral if: (i) the Referral is already a customer of Anthropic (or another referral partner or referral agent); (ii) the Referral was already in preliminary or advanced discussions with Anthropic for the use of Anthropic Services; (iii) the Referral has already been submitted to Anthropic as a Referral by a third party; or (iv) Anthropic concludes that payment of a Referral Fee (defined below) would result in payments of commissions to multiple parties, or reasonably determines that acceptance would otherwise be adverse to its business interests. In addition, Partner acknowledges that Anthropic is under no obligation to enter into any sales or other agreement with any Eligible Referral and the entry into any such agreement is in the sole discretion of Anthropic.
-Once a Referral becomes an Eligible Referral, all subsequent contact with the Eligible Referral with respect to the purchase of the Anthropic Services will be at the direction of Anthropic. Anthropic will set and control pricing for the Anthropic Services provided to, and will collect fees from, Referrals.
-Referral Fees.
-Anthropic will pay Referral Fees in accordance with the applicable fees described in the Referral Fee Table of the Agreement for all Eligible Referrals. Referral Fees will be payable on the Eligible Referral’s fees paid under an initial order form only; for clarity, Partner will receive no Referral Fees related to any renewals, upgrades, expansions, taxes, or dis
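Review bot: the removed side of this hunk is a different document, the Referral Partner Program Terms and Conditions (`-A. Referral Partner Relationship`, `-Referral Process.`, `-Referral Fees.`), while the added side is the Commercial Terms of Service, so the “16 removed, 19 added” count reflects a document swap at the tracked URL rather than edits to customer-facing terms; confirm which document the baseline capture actually served before treating this as a clause change. The same blank Effective Date term appears here (`…first accesses the Services (“` followed by `+”).`), and the hunk is truncated mid-word (“dis”), so the change cannot be fully reviewed from this excerpt.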
2026-06-15 | Legal Document Unavailable | The Sub-processor List's previous URL stopped responding and we could not locate a current version automatically. We're searching for its new location; this is
What this means: A tracked legal/policy document's URL stopped responding and we couldn't auto-locate a current version. We're searching for its new location and have flagged it for manual review — no action needed from you yet.
2026-06-08 | CVE / Security Incident | 23 new CVEs (published from 2025-08-05): CVE-2025-54794, CVE-2025-54795, CVE-2025-55284, CVE-2025-58764, CVE-2025-59041, CVE-2025-59536 (+17 more). A fix is ava
What this means: Disclosed and already fixed by the vendor — no action needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not an active exposure.

Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.