Claude Code
Enterprise-Ready
Claude Code is rated "Enterprise-Ready" with a score of 90 out of 100. This readiness is supported by independently verified SOC 2 Type 2 and ISO 27001 certifications, confirmed via the vendor's trust portal. A recent material change is the substantial rewrite of the Terms of Service, which touches how customer data is used (including for AI training), privacy, data sharing or retention, and liability, warranties or indemnification. Buyers should review the current Terms of Service to assess its impact on their obligations or risk.
Readiness Breakdown (deterministic · evidence-only)
- Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 2 Type 2). Audit report available under NDA (standard enterprise practice).
- Vendor-Stated Compliance: Vendor states (cited, not independently audited) BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training: Under enterprise terms, does NOT train on customer data (consumer/free tiers may differ; see breakdown).
- Data Processing Agreement: A Data Processing Agreement is published and tracked.
- Breach History: No known breaches in Have I Been Pwned.
- Vulnerability Exposure: No known CVEs against the mapped product identity.
- Email Spoofing Protection (DMARC): DMARC enforced; domain spoofing mitigated.
- Vulnerability Disclosure Policy: No security.txt vulnerability disclosure policy found.
- Web TLS Certificate: Valid TLS certificate in place.
- Legal Transparency: 10 legal/policy documents publicly tracked.
Ask This in Your Security Review (1 open item)
- Vulnerability Disclosure Policy: Confirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture (vendor-stated · cited)
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://support.claude.com/en/articles/15455031-covered-models-under-a-business-associate-agreement-baa |
| GDPR | Stated by vendor | https://www.anthropic.com/legal/privacy |
| HIPAA | Stated by vendor | https://support.claude.com/en/articles/15455031-covered-models-under-a-business-associate-agreement-baa |
| ISO 27001 | Stated by vendor | https://trust.anthropic.com/ |
| SOC 2 | Stated by vendor | https://trust.anthropic.com/ |
Data & Contract Facts (deterministic · cited)
| Attribute | Value | Source |
|---|---|---|
| Arbitration / Dispute Resolution (key clause) | True. Vendor's exact wording: “Any Dispute will be determined in English by final, binding arbitration according to the region-specific processes below. Judgment on any award issued through the arbitration process in this Section J.2 (Arbitration) may be entered in any court having jurisdiction. EACH PARTY AGREES THEY ARE WAIV…” | https://www.anthropic.com/legal/commercial-terms |
| Data Retention (key clause) | Within 30 days. Vendor's exact wording: “You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days.” | https://www.anthropic.com/legal/privacy |
| IP / Content Ownership (key clause) | True. Vendor's exact wording: “As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs.” | https://www.anthropic.com/legal/commercial-terms |
| Sub-processors (published list) | View document | https://trust.anthropic.com/subprocessors |
| Trains on Customer Data (key clause) | Free / Pro: trains on data. Free/Pro (claude.ai) inputs/outputs may be used to train unless you opt out. Enterprise: does not train. Commercial/API terms (Claude Code via API or commercial plans): Anthropic does not train models on Customer Content. | see per-tier citations |
Security Posture (authoritative · cited)
Certifications Available Under NDA / Trust Center (attested · report gated)
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.anthropic.com/ |
| SOC 2 Type 2 | Available via Trust Center | https://trust.anthropic.com/ |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding; it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring (change-tracking active)
5 legal & policy documents under change-monitoring since 2026-05-31. 5 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-18 | ToS Clause Change |
The Terms of Service was substantially rewritten — 8 removed, 50 added. Review the current version.
What this means: This change to the Terms of Service touches how your data is used (including for AI training), your privacy, data sharing or retention, and liability, warranties or indemnification. Read the 50 added and 8 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Show exact changed textIn plain terms — verify against the exact changed text below: The document changed from "Consumer Terms of Service" for individuals using Claude.ai to "Commercial Terms of Service" for organizations using Anthropic API keys and other offerings. The new text defines terms like Customer, Services, Users, Customer Content, and outlines policies for data privacy, third-party features @@ -1,264 +1,235 @@-Consumer Terms of Service \ Anthropic
-Welcome to Anthropic! Before you access our services, please read these User Terms of Service.
-These Terms of Service ("
+Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
+These Commercial Terms of Service (“
Terms
-") and our
+”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“
+Customer
+”). “
+Anthropic
+” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“
+EEA
+”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “
+Services
+”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“
+”).
+Please note
+: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our
+Consumer Terms of Service
+instead.
+A. Services
+A.1.
+Overview.
+Subject to these Terms, Anthropic gives Customer permission to use the Services, including to power products and services Customer makes available to its own customers and end users (“
+Users
+”).
+A.2.
+Third Party Features.
+Customer may elect (in its sole discretion) to use features, services or other content made available by third parties to Customer through the Services (“
+Third Party Features
+”). Customer acknowledges and agrees that Third Party Features are not Services and, accordingly, Anthropic is not responsible for them.
+A.3.
+Feedback.
+If Customer provides (in its sole discretion) Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer.
+B. Customer Content
+As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer (a) retains all rights to its Inputs, and (b) owns its Outputs. Anthropic disclaims any rights it receives to the Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from Services. “
+Inputs
+” means submissions to the Services by Customer or its Users and “
+Outputs
+” means responses generated by the Services to Inputs (Inputs and Outputs together are “
+Customer Content
+”).
+C. Data Privacy
+Data submitted through the Services will be processed in accordance with the
+Anthropic Data Processing Addendum
+(“
+DPA
+”), which is incorporated into these Terms by reference.
+D. Trust and Safety; Restrictions
+D.1.
+Compliance.
+Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws.
+D.2.
+Policies and Service Terms.
+Customer and its Users may only use the Services in compliance with these Terms, including (a) the
Usage Policy
-(also referred to as our “Acceptable Use Policy” or “AUP”) set out the agreement between you and Anthropic Ireland, Limited (“
-Anthropic
-”) to use Claude.ai, Claude Pro, and other products and services that we may offer for individuals, along with any associated apps, software, and websites (together, our “
-Services
-”). Please take some time to read over them and understand them. By agreeing to these Terms, or in the absence of such agreement, by using the Services, you agree to be bound by them, including any changes made to them in accordance with the Terms. Our affiliates, licensors, distributors, and servi
|
| 2026-06-17 | ToS Clause Change |
The Privacy Policy was re-published with only formatting changes — no clause change.
What this means: The Privacy Policy text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Privacy Policy to confirm.
Show exact changed text@@ -1,3 +1,2 @@-Privacy Policy \ Anthropic Anthropic is an AI safety and research company working to build reliable, interpretable, and steerable AI systems. This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website, Claude.ai, or other Anthropic products and services (the “Services”). This Privacy Policy does not apply to content that we process on behalf of customers of our business offerings, such as our Enterprise accounts. Our use of that data is governed by our customer agreements covering access to and use of those offerings. |
| 2026-06-16 | ToS Clause Change |
The Terms of Service was substantially rewritten — 16 removed, 19 added. Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention, and fees, billing or refunds. Read the 19 added and 16 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Show exact changed textIn plain terms — verify against the exact changed text below: The document changed from outlining terms for a "Referral Partner Relationship" and associated referral fees to introducing "Commercial Terms of Service" for customer use of Anthropic API keys and services. It now defines Anthropic based on customer location and clarifies that the services are not for consumer use. 
@@ -1,123 +1,235 @@-A. Referral Partner Relationship +Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service. +These Commercial Terms of Service (“ +Terms +”) are an agreement between Anthropic and you or the organization, company, or other entity that you represent (“ +Customer +”). “ +Anthropic +” means Anthropic Ireland, Limited if Customer resides in the European Economic Area (“ +EEA +”), Switzerland or UK, and Anthropic, PBC if Customer resides anywhere else. They govern Customer’s use of Anthropic API keys and any other Anthropic offerings that references these Terms, as well as all related Anthropic tools, documentation and services (the “ +Services +”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“ +”). +Please note +: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our +Consumer Terms of Service +instead. +A. Services +A.1. Overview. -Partner may refer third parties interested in purchasing Anthropic’s products and services (the “ -Anthropic Services -”) (each a -"Referral" -) to Anthropic. Anthropic will pay Partner a referral fee where Referrals execute a contract to use approved Anthropic Services in accordance with the requirements set out in these Referral Partner Program Terms and Conditions (the " -Agreement -"). -Referral Process. -Partner will notify Anthropic in writing of any Referrals, using the notice method specified by Anthropic. Anthropic will promptly respond indicating whether it has accepted a Referral. 
Once Anthropic accepts the Referral, in order for a Referral to become an Eligible Referral (defined below), Partner must actively introduce Anthropic’s sales contact to the Referral, which, at a minimum, means introduction to an executive with budgetary responsibility for the department which would purchase Anthropic’s services and arrange an initial meeting with that executive. -Eligible Referral. -Subject to the requirements set out herein, an -"Eligible Referral" -is a Referral accepted by Anthropic that executes a contract for the purchase of approved Anthropic Services within 6 months of the date Partner noticed the Referral to Anthropic. Anthropic may decline to accept a Referral if: (i) the Referral is already a customer of Anthropic (or another referral partner or referral agent); (ii) the Referral was already in preliminary or advanced discussions with Anthropic for the use of Anthropic Services; (iii) the Referral has already been submitted to Anthropic as a Referral by a third party; or (iv) Anthropic concludes that payment of a Referral Fee (defined below) would result in payments of commissions to multiple parties, or reasonably determines that acceptance would otherwise be adverse to its business interests. In addition, Partner acknowledges that Anthropic is under no obligation to enter into any sales or other agreement with any Eligible Referral and the entry into any such agreement is in the sole discretion of Anthropic. -Once a Referral becomes an Eligible Referral, all subsequent contact with the Eligible Referral with respect to the purchase of the Anthropic Services will be at the direction of Anthropic. Anthropic will set and control pricing for the Anthropic Services provided to, and will collect fees from, Referrals. -Referral Fees. -Anthropic will pay Referral Fees in accordance with the applicable fees described in the Referral Fee Table of the Agreement for all Eligible Referrals. 
Referral Fees will be payable on the Eligible Referral’s fees paid under an initial order form only; for clarity, Partner will receive no Referral Fees related to any renewals, upgrades, expansions, taxes, or dis |
| 2026-06-15 | Legal Document Unavailable |
The Sub-processor List's previous URL stopped responding and we could not locate a current version automatically. We're searching for its new location; this is
What this means: A tracked legal/policy document's URL stopped responding and we couldn't auto-locate a current version. We're searching for its new location and have flagged it for manual review — no action needed from you yet.
|
| 2026-06-08 | CVE / Security Incident |
23 new CVEs (published from 2025-08-05): CVE-2025-54794, CVE-2025-54795, CVE-2025-55284, CVE-2025-58764, CVE-2025-59041, CVE-2025-59536 (+17 more). A fix is ava
What this means: Disclosed and already fixed by the vendor — no action needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not an active exposure.
|