Anthropic Data Processing Addendum: Where to Find the Official DPA
Where is the Anthropic Data Processing Addendum?
Anthropic's Data Processing Addendum is the DPA built into the Commercial Terms for paid Claude products. API and Enterprise customers access it through Anthropic channels, while free Claude.ai users do not get a separate DPA. EU buyers should still verify transfer paths, subprocessors, retention, and workflow fit.
- The addendum is part of Anthropic Commercial Terms rather than a standalone public PDF.
- It applies to paid Claude products, including the API and Enterprise offerings.
- If Claude is used through another provider, that provider's contract stack may control instead.
The Anthropic Data Processing Addendum is Anthropic’s data processing agreement (DPA) for paid Claude products such as Claude Enterprise and the Claude API. Anthropic states that the addendum is incorporated into its Commercial Terms, so customers usually access it through the contracting flow or customer portal rather than downloading a separate public PDF. For companies in Germany and the EU, the key question is not only where to find the addendum, but also whether it fits the real workflow, transfer setup, and data categories involved.
This page provides general information and is not legal advice for a specific situation. For the broader contract and compliance analysis, see our page on Anthropic DPA. For a fuller GDPR review framework, see our page on Claude GDPR compliance. If you are comparing direct Anthropic contracting with a cloud intermediary, see our page on AWS Bedrock GDPR.
Where to Find the Anthropic Data Processing Addendum
Anthropic describes the Data Processing Addendum as part of the contractual package for its paid Claude products. In practice, that means most customers will not find a general public PDF download page titled “Anthropic Data Processing Addendum.” Instead, the current DPA is made available through Anthropic’s customer contracting channels.
For most buyers, the access path is:
- Paid Anthropic account: The DPA is relevant for Claude Enterprise and the Claude API, not for free Claude.ai use.
- Commercial Terms flow: Anthropic incorporates the DPA into the Commercial Terms rather than treating it as a separate offline document.
- Customer channel access: API customers usually review it through Anthropic’s console flow, while enterprise buyers may receive access through their account manager or procurement process.
This distinction matters for exact-match search intent. Someone searching for “Anthropic Data Processing Addendum” usually wants the official document location first, not a generic explanation of Article 28 GDPR. The short answer is that the official addendum is tied to the paid Anthropic contracting flow.
What the Anthropic Addendum Actually Is
The Anthropic Data Processing Addendum is the Article 28 GDPR processor contract used when Anthropic processes personal data on behalf of a customer through paid Claude services. In functional terms, it is the same type of document many EU teams call a DPA, and many German teams call an AVV.
Its role is usually to address two core points:
- Processor obligations under Article 28 GDPR: instructions, confidentiality, security, subprocessors, data subject support, deletion, and audit support.
- International transfer mechanism: Standard Contractual Clauses (SCCs) for personal data transferred outside the EEA.
For German companies, the practical point is straightforward: if you contract directly with Anthropic for Claude Enterprise or the Claude API, the addendum is the contract you review as the processor agreement.
Who Can Access the Addendum
The Anthropic Data Processing Addendum is generally relevant only for paid customers.
- Claude Enterprise customers: usually yes, through enterprise contracting or account-management channels.
- Claude API customers: usually yes, through the console or associated legal flow.
- Free Claude.ai users: usually no separate DPA access.
- Customers using Claude through another provider: not necessarily, because the intermediary provider’s contract stack may govern instead.
This last point is easy to miss. If your team uses Claude through Amazon Bedrock or another infrastructure provider, the key processor agreement is often not the direct Anthropic addendum at all. In that structure, the relevant DPA may come from the platform provider rather than from Anthropic.
How to Review the Official Anthropic Addendum
Once you have access to the current version, the review should be practical rather than abstract.
Step 1: Confirm the exact product and terms path
Check whether your deployment is:
- Claude Enterprise
- Claude API
- Claude via another provider
That determines whether the Anthropic addendum is the governing document at all.
Step 2: Save the version you actually accepted
Because the addendum is incorporated into the Commercial Terms, legal and procurement teams should retain the version that was in force when the account or contract was accepted. That copy matters more than a later web reference.
Step 3: Check the Article 28 basics against the workflow
At minimum, verify whether the contract language fits:
- the real data categories
- the affected data subjects
- the planned processing purpose
- the retention and deletion approach
- the subprocessor chain
- the expected security and audit documentation
Step 4: Review transfer mechanics, not just contract labels
If personal data leaves the EEA, the review should cover the actual transfer architecture. The Anthropic addendum may include SCCs, but EU buyers still need to understand where data is processed, which subprocessors are involved, and whether the intended use case requires additional transfer analysis.
What EU and German Buyers Should Verify Before Accepting
For DACH legal, privacy, and procurement teams, the addendum is only one checkpoint in the approval process. Before accepting it, verify the following:
- Direct or indirect contracting model If Claude is purchased through Anthropic directly, the Anthropic addendum is usually the relevant DPA. If Claude is purchased through another provider, that provider’s DPA may control.
- Personal data scope Lower-risk operational use is easier to fit than workflows involving large volumes of customer content, employee data, or special-category data under Article 9 GDPR.
- Cross-border transfers Check which transfer mechanism applies and whether a separate Transfer Impact Assessment is needed for the deployment.
- Subprocessor governance Review current subprocessors and the notification process for changes.
- Internal German-law requirements Where employee-related use cases are involved, also assess possible works council implications under section 87(1) no. 6 BetrVG.
Exact-Match Questions Buyers Commonly Ask
Is the Anthropic Data Processing Addendum a separate PDF?
Usually no. Anthropic presents the addendum as part of the Commercial Terms for paid products, so the document is commonly accessed through the contracting flow rather than as a public standalone PDF.
Is the Anthropic addendum the same as an AVV?
Functionally, yes. For German buyers, the Anthropic DPA is the Article 28 processor agreement that serves the same role as an Auftragsverarbeitungsvertrag.
Does the addendum apply to free Claude.ai?
No. Free consumer-style access is not the same as a paid commercial processor arrangement. If your organization needs a DPA in place, it should use the paid API or Enterprise path.
Is accepting the addendum enough for GDPR compliance?
No. The addendum is necessary for many controller-processor deployments, but it does not replace the rest of the GDPR analysis. The workflow, legal basis, internal governance, transfer assessment, and documentation still have to be handled separately.
Compound Law advises businesses and in-house teams in Germany on GDPR, AI contracts, and AI procurement. If you want legal review of the Anthropic Data Processing Addendum before accepting it, contact us.