Anthropic Data Processing Addendum official DPA access guide
tools

Anthropic Data Processing Addendum: Where to Find the Official DPA

Where is the Anthropic Data Processing Addendum?

Anthropic's Data Processing Addendum is the DPA built into the Commercial Terms for paid Claude products. API and Enterprise customers access it through Anthropic channels, while free Claude.ai users do not get a separate DPA. EU buyers should still verify transfer paths, subprocessors, retention, and workflow fit.

  • The addendum is part of Anthropic Commercial Terms rather than a standalone public PDF.
  • It applies to paid Claude products, including the API and Enterprise offerings.
  • If Claude is used through another provider, that provider's contract stack may control instead.

The Anthropic Data Processing Addendum is Anthropic’s data processing agreement (DPA) for paid Claude products such as Claude Enterprise and the Claude API. Anthropic states that the addendum is incorporated into its Commercial Terms, so customers usually access it through the contracting flow or customer portal rather than downloading a separate public PDF. For companies in Germany and the EU, the key question is not only where to find the addendum, but also whether it fits the real workflow, transfer setup, and data categories involved.

This page provides general information and is not legal advice for a specific situation. For the broader contract and compliance analysis, see our page on Anthropic DPA. For a fuller GDPR review framework, see our page on Claude GDPR compliance. If you are comparing direct Anthropic contracting with a cloud intermediary, see our page on AWS Bedrock GDPR.

Where to Find the Anthropic Data Processing Addendum

Anthropic describes the Data Processing Addendum as part of the contractual package for its paid Claude products. In practice, that means most customers will not find a general public PDF download page titled “Anthropic Data Processing Addendum.” Instead, the current DPA is made available through Anthropic’s customer contracting channels.

For most buyers, the access path is:

  1. Paid Anthropic account: The DPA is relevant for Claude Enterprise and the Claude API, not for free Claude.ai use.
  2. Commercial Terms flow: Anthropic incorporates the DPA into the Commercial Terms rather than treating it as a separate offline document.
  3. Customer channel access: API customers usually review it through Anthropic’s console flow, while enterprise buyers may receive access through their account manager or procurement process.

This distinction matters for exact-match search intent. Someone searching for “Anthropic Data Processing Addendum” usually wants the official document location first, not a generic explanation of Article 28 GDPR. The short answer is that the official addendum is tied to the paid Anthropic contracting flow.

What the Anthropic Addendum Actually Is

The Anthropic Data Processing Addendum is the Article 28 GDPR processor contract used when Anthropic processes personal data on behalf of a customer through paid Claude services. In functional terms, it is the same type of document many EU teams call a DPA, and many German teams call an AVV.

Its role is usually to address two core points:

  1. Processor obligations under Article 28 GDPR: instructions, confidentiality, security, subprocessors, data subject support, deletion, and audit support.
  2. International transfer mechanism: Standard Contractual Clauses (SCCs) for personal data transferred outside the EEA.

For German companies, the practical point is straightforward: if you contract directly with Anthropic for Claude Enterprise or the Claude API, the addendum is the contract you review as the processor agreement.

Who Can Access the Addendum

The Anthropic Data Processing Addendum is generally relevant only for paid customers.

  • Claude Enterprise customers: usually yes, through enterprise contracting or account-management channels.
  • Claude API customers: usually yes, through the console or associated legal flow.
  • Free Claude.ai users: usually no separate DPA access.
  • Customers using Claude through another provider: not necessarily, because the intermediary provider’s contract stack may govern instead.

This last point is easy to miss. If your team uses Claude through Amazon Bedrock or another infrastructure provider, the key processor agreement is often not the direct Anthropic addendum at all. In that structure, the relevant DPA may come from the platform provider rather than from Anthropic.

How to Review the Official Anthropic Addendum

Once you have access to the current version, the review should be practical rather than abstract.

Step 1: Confirm the exact product and terms path

Check whether your deployment is:

  • Claude Enterprise
  • Claude API
  • Claude via another provider

That determines whether the Anthropic addendum is the governing document at all.

Step 2: Save the version you actually accepted

Because the addendum is incorporated into the Commercial Terms, legal and procurement teams should retain the version that was in force when the account or contract was accepted. That copy matters more than a later web reference.

Step 3: Check the Article 28 basics against the workflow

At minimum, verify whether the contract language fits:

  • the real data categories
  • the affected data subjects
  • the planned processing purpose
  • the retention and deletion approach
  • the subprocessor chain
  • the expected security and audit documentation

Step 4: Review transfer mechanics, not just contract labels

If personal data leaves the EEA, the review should cover the actual transfer architecture. The Anthropic addendum may include SCCs, but EU buyers still need to understand where data is processed, which subprocessors are involved, and whether the intended use case requires additional transfer analysis.

What EU and German Buyers Should Verify Before Accepting

For DACH legal, privacy, and procurement teams, the addendum is only one checkpoint in the approval process. Before accepting it, verify the following:

  1. Direct or indirect contracting model If Claude is purchased through Anthropic directly, the Anthropic addendum is usually the relevant DPA. If Claude is purchased through another provider, that provider’s DPA may control.
  2. Personal data scope Lower-risk operational use is easier to fit than workflows involving large volumes of customer content, employee data, or special-category data under Article 9 GDPR.
  3. Cross-border transfers Check which transfer mechanism applies and whether a separate Transfer Impact Assessment is needed for the deployment.
  4. Subprocessor governance Review current subprocessors and the notification process for changes.
  5. Internal German-law requirements Where employee-related use cases are involved, also assess possible works council implications under section 87(1) no. 6 BetrVG.

Exact-Match Questions Buyers Commonly Ask

Is the Anthropic Data Processing Addendum a separate PDF?

Usually no. Anthropic presents the addendum as part of the Commercial Terms for paid products, so the document is commonly accessed through the contracting flow rather than as a public standalone PDF.

Is the Anthropic addendum the same as an AVV?

Functionally, yes. For German buyers, the Anthropic DPA is the Article 28 processor agreement that serves the same role as an Auftragsverarbeitungsvertrag.

Does the addendum apply to free Claude.ai?

No. Free consumer-style access is not the same as a paid commercial processor arrangement. If your organization needs a DPA in place, it should use the paid API or Enterprise path.

Is accepting the addendum enough for GDPR compliance?

No. The addendum is necessary for many controller-processor deployments, but it does not replace the rest of the GDPR analysis. The workflow, legal basis, internal governance, transfer assessment, and documentation still have to be handled separately.

Compound Law advises businesses and in-house teams in Germany on GDPR, AI contracts, and AI procurement. If you want legal review of the Anthropic Data Processing Addendum before accepting it, contact us.

Related Tool Guides

Claude ZDR zero data retention guide for Anthropic API and Claude Code enterprise use
tools

Claude ZDR: Zero Data Retention for Enterprise and Claude Code

Claude ZDR is available only on qualified Anthropic API and Claude Code enterprise paths. Learn scope, exclusions, retention exceptions, and procurement steps.

DeepL DPA and GDPR approval guide for companies in Germany
tools

DeepL DPA and GDPR in Germany: Approval Guide for Buyers

DeepL can usually be approved in Germany only on paid business plans with a signed DPA, feature review, and confidentiality checks. DeepL Free is not approved.

Cursor DPA and GDPR review for teams in Germany
tools

Cursor DPA 2026: Where to Find It and What It Covers

The Cursor DPA is public at cursor.com/terms/dpa, but German teams still need the right paid plan, Privacy Mode, and transfer review before using personal data.

DeepSeek GDPR compliance analysis for German companies
tools

Is DeepSeek GDPR Compliant? What German Companies Need to Know

Hosted DeepSeek still creates GDPR and procurement risk for German companies. Self-hosted deployments can work with EU infrastructure and proper controls.

Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Is Zapier GDPR Compliant? Germany Guide 2026

Is Zapier GDPR compliant for German companies? DPA, SCCs, EU data residency, and when Zapier is too risky for personal data workflows.

Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

Tool Library

Browse More AI Tools by Topic

Compare more tools, privacy issues, and deployment scenarios in the full AI tool library.

View all AI tools

Frequently asked questions

Anthropic provides the Data Processing Addendum through its customer contracting flow for paid Claude products. It is incorporated into the Commercial Terms rather than published as a standalone public PDF. API and Enterprise customers can access the current version through Anthropic's console or account-management channel.

Yes. Anthropic states that its DPA with SCCs applies to paid commercial products, including Claude Enterprise and the Claude API. Free Claude.ai accounts do not receive a separate DPA.

Usually no. The Anthropic DPA is the functional equivalent of an Auftragsverarbeitungsvertrag under Article 28 GDPR. German buyers should still confirm whether the workflow, data categories, transfers, and internal governance requirements are fully covered.

Usually no. If Claude is accessed through another platform such as Amazon Bedrock, that provider's contract stack generally governs the processing arrangement. The direct Anthropic addendum is relevant mainly for customers contracting with Anthropic itself.

EU buyers should verify which product and terms version apply, whether SCCs cover the actual transfer path, which subprocessors are involved, how retention and deletion work, and whether the intended workflow triggers extra requirements such as a DPIA, a Transfer Impact Assessment, or works council involvement.

Book Free Call