Does Claude Have a Data Processing Agreement (DPA)?

Does Anthropic provide a Data Processing Agreement for Claude?

Yes. Anthropic offers a DPA with SCCs for commercial products including Claude Enterprise and the Claude API. Whether that DPA is sufficient for a German deployment depends on the workflow, data types, and internal compliance requirements.

  • The Anthropic DPA is incorporated into the commercial terms and includes SCCs for international data transfers.
  • Companies must review processor role allocation, retention periods, subprocessors, and transfer paths for their specific use case.
  • Employee data, Article 9 GDPR special-category data, and highly confidential documents each require stricter individual review.

Yes, Anthropic provides a Data Processing Agreement (DPA) for commercial use of Claude, including the Claude API and Claude Enterprise. The Anthropic DPA is sometimes called a “data protection agreement” in procurement contexts — the precise GDPR term is Data Processing Agreement, which is what this page covers. The DPA is embedded in Anthropic’s commercial terms and accessed electronically through the Anthropic customer portal — it is not available as a standalone PDF download. For companies in Germany, the relevant question goes beyond whether a DPA exists: it is whether this DPA fits the specific Claude deployment, the data types involved, and the company’s GDPR obligations. This page explains how to access the DPA, what it covers, and when additional review is necessary.

This page provides general information and is not legal advice for a specific situation. For a broader overview of using Claude Enterprise under German law, see our page on Claude Enterprise. For a detailed GDPR compliance overview, see our Claude GDPR guide. For GDPR guidance specific to Claude Team deployments, see our Claude Team GDPR compliance page. Developers using Claude Code and the API should refer to our Claude Code GDPR guide.

How to Access the Anthropic DPA

The Anthropic DPA is not available as a standalone PDF download. It is incorporated into the commercial terms and accessed electronically through the Anthropic customer portal. Free Claude.ai users cannot access a DPA — the agreement requires a paid API or Enterprise plan.

Three steps to access the Anthropic DPA:

  1. Log into the Anthropic Console: Sign in at console.anthropic.com (for API customers) or contact your Anthropic Enterprise account representative.
  2. Navigate to privacy or legal settings: The current DPA is accessible within the portal under data privacy or contract settings. Anthropic also provides guidance on signing the DPA via help.anthropic.com.
  3. Sign electronically: The DPA is not executed as a separate paper document. It is countersigned electronically within the portal and incorporated into your commercial agreement on confirmation.

Note: Only customers on a paid Anthropic contract — the Claude API or Claude Enterprise — can access and sign a DPA. Free-tier Claude.ai users do not have access to a data processing agreement and should not process personal data that requires one. For a broader overview of DPA requirements, see our data processing agreement guide.

Does Anthropic Offer a Data Processing Agreement?

Anthropic states in its commercial documentation that a DPA with Standard Contractual Clauses is automatically incorporated into the commercial terms for its commercial products. This applies to:

  • Claude Enterprise and Claude for Work purchased directly from Anthropic
  • Claude API used directly through Anthropic

An important distinction applies when Claude is accessed through a third-party platform. If a company uses Claude via Amazon Bedrock or another cloud provider, that provider’s own contract stack — not Anthropic’s DPA — governs the processor relationship. In those cases, the Anthropic DPA is not directly relevant, and the platform vendor’s DPA must be reviewed instead.

What Does the Claude DPA Cover Under Article 28 GDPR?

Article 28 GDPR mandates that any data processing agreement between a controller and processor cover specific content. Legal and privacy teams should verify whether the Anthropic DPA addresses each element for the specific deployment:

| Required element | What to check |
|---|---|
| Subject matter and duration | Is the processing scope described with enough precision for the intended workflow? |
| Nature and purpose of processing | Do the stated purposes match actual use of Claude in the organization? |
| Categories of personal data | Are all data types involved in the workflow covered? |
| Categories of data subjects | Are customers, employees, and users correctly identified? |
| Processor instructions | Is Anthropic contractually bound to process only on documented instructions? |
| Confidentiality obligations | Are Anthropic personnel bound by confidentiality commitments? |
| Security measures (Article 32 GDPR) | Are technical and organizational measures specified with enough detail? |
| Subprocessors | Is there a current subprocessor list and a defined approval mechanism for changes? |
| Data subject rights | Is Anthropic required to support access, deletion, and correction requests? |
| Deletion and return | Are timelines and options for data deletion after termination specified? |
| Audit rights | Can the company request audit support or documentation from Anthropic? |

The Anthropic DPA addresses these mandatory elements in principle. However, legal teams should review whether the current contract version and associated service documentation align with the specific workflow and data categories planned for deployment.

Note on HIPAA BAA: The standard Anthropic DPA does not automatically include a HIPAA Business Associate Agreement. For organisations in regulated sectors — healthcare, financial services, professional advisory — a HIPAA BAA can be requested separately as part of a Claude Enterprise contract. Companies with HIPAA obligations should explicitly confirm BAA availability and terms with Anthropic before deployment. The HIPAA BAA is a Claude Enterprise-only add-on; it is not available on Claude Team.

International Transfers and SCCs in the Claude DPA

A common question for German procurement teams is whether data stays within the EU. Anthropic processes data on infrastructure that may not be located exclusively within the EEA. Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR are the primary transfer mechanism Anthropic relies on for international transfers.

Anthropic states that SCCs are automatically included in the commercial terms. Despite this, companies should carry out their own transfer analysis:

  • Document transfer paths. Identify which countries outside the EEA may receive data — covering storage, processing, and potential support access.
  • Review the subprocessor list. Anthropic uses its own subprocessors. Check whether these operate outside the EEA and whether SCCs have been passed down the chain.
  • Consider a Transfer Impact Assessment. For sensitive data categories or stricter internal policies, a dedicated Transfer Impact Assessment may be required even where SCCs are in place.
  • Distinguish EU hosting from EU-only processing. These terms are often used interchangeably but carry different legal weight. If strict data residency is required, confirm the actual architecture in writing rather than relying on sales materials. For a full breakdown of the legal distinction and the confirmed paths for EU data residency with Claude, see our Claude EU data residency guide.

Claude DPA for Different Data Types

How well the Claude DPA serves a specific deployment depends significantly on which data types flow through the workflow.

Customer data

Claude can be used in customer data workflows in many cases, provided the workflow is carefully designed. Lower-risk scenarios typically involve limited metadata, pseudonymized content, or non-sensitive operational data with human review at the output stage. The review becomes harder for large-scale customer communication ingestion, complaint handling, or contract analysis involving identifiable individuals.

Employee data

Employee data requires stricter review in Germany. Where Claude is used for hiring, performance evaluation, productivity analysis, or workplace monitoring, the question is no longer only about GDPR. Co-determination rights under section 87(1) no. 6 BetrVG may become relevant. In some cases a Data Protection Impact Assessment (DPIA) under Article 35 GDPR will be required. The DPA alone does not resolve these labor-law questions.

Special-category data (Article 9 GDPR)

Health data, biometric data, union membership, or other Article 9 GDPR categories require a significantly higher standard of justification. A standard enterprise rollout process is usually not enough. Deployment of Claude for these data types requires not only a valid DPA but also a legal basis under Article 9(2) GDPR and in many cases a DPIA.

Trade secrets and confidential documents

Not every legal risk is a privacy risk. Companies considering Claude for due diligence documents, term sheets, M&A preparation, or internal investigations need to review confidentiality obligations, access controls, and internal approval processes separately from the DPA review.

What the Anthropic DPA Does Not Cover

The Anthropic DPA defines the contractual framework for processing — but several important compliance responsibilities remain with the deploying organization. Companies sometimes assume that executing the DPA completes their GDPR obligations. It does not.

Responsibilities that remain with the controller:

  • Record of processing activities (Article 30 GDPR). The company, as controller, must document the Claude deployment in its own Article 30 register, including purposes, data categories, and transfer paths.
  • Data Protection Impact Assessment (DPIA, Article 35 GDPR). The DPA does not trigger or substitute a DPIA. Whether one is required depends on the specific workflow, data types, and deployment scale.
  • Legal basis (Article 6 GDPR). The DPA covers the processor relationship — it does not establish a legal basis for processing. The organization must identify and document a valid legal basis for each Claude use case independently.
  • Data subject rights procedures. While the DPA requires Anthropic to assist with data subject requests, the organization must establish its own procedures for responding to access, deletion, and correction requests from affected individuals.

What the DPA cannot substitute:

  • EU-only data residency. The DPA incorporates SCCs for international transfers but does not guarantee that data stays within the EEA. A signed DPA is not a substitute for EU hosting. See our page on Claude EU data hosting for specific residency considerations.
  • EU AI Act compliance. If Claude is deployed for high-risk AI use cases under the EU AI Act, the DPA does not address conformity assessments, technical documentation, or the obligations that apply to a deployer under that regulation.
  • Sector-specific regulatory requirements. Healthcare, financial services, and regulated professional sectors may face compliance obligations beyond GDPR that the Anthropic DPA does not address.

Claude DPA vs ChatGPT Enterprise vs Gemini Workspace DPA

When evaluating Claude against alternatives, procurement and legal teams need to compare DPA features side by side. The table below summarizes publicly available information as of 2026 — verify current terms directly with each vendor before making procurement decisions.

| Feature | Claude (Anthropic) | ChatGPT Enterprise (OpenAI) | Gemini for Google Workspace |
|---|---|---|---|
| DPA basis | Incorporated into commercial terms | Incorporated into enterprise terms | Incorporated into Google Workspace terms |
| SCCs for EU–US transfers | Yes | Yes | Yes |
| EU data residency option | Not available as standard | Available for Enterprise (EEA region) | Available (EU data boundary option) |
| Zero Data Retention (ZDR) | Yes (API and Enterprise add-on) | No training on Enterprise/API data | No training on Workspace data |
| DPA negotiation | Limited (Enterprise customers) | Limited (Enterprise customers) | Limited (large enterprise contracts) |
| Sub-processor change notification | Yes | Yes | Yes |
| Data used for model training | No (with commercial terms) | No (Enterprise/API) | No (Google Workspace) |

What this means in practice: All three vendors provide DPA frameworks that meet the structural requirements of Article 28 GDPR. The key differentiators for German deployments are data residency and retention options. If EU-only data storage is a hard requirement, ChatGPT Enterprise and Gemini for Google Workspace offer regional options that Claude does not currently match as a standard feature. If the primary concern is prompt and response retention, Claude’s Zero Data Retention option is the relevant differentiator to evaluate.

For a full legal guide on using ChatGPT Enterprise under GDPR, see our ChatGPT Enterprise guide. For Gemini, see our Gemini Enterprise guide.

DPA Review Checklist Before Claude Rollout

Before deploying Claude Enterprise or the Claude API in production, legal and privacy teams should work through the following steps:

  1. Download the DPA and compare it against the planned workflow. Verify that the stated subject matter, purposes, and data categories in the contract match what the organization actually intends to process.
  2. Confirm processor role allocation. Document that Anthropic is acting as a processor for the relevant workflow, and record the organization’s controller responsibilities.
  3. Document SCCs and transfer paths. Map which countries outside the EEA are involved and record the transfer mechanism in the record of processing activities.
  4. Review and register subprocessors. Request the current subprocessor list from Anthropic and record the review in the vendor management system.
  5. Assess employee data and Article 9 data separately. Identify early whether works council involvement, HR sign-off, or a DPIA is required before rollout.

When the Claude DPA Is Not Enough on Its Own

The Anthropic DPA is a necessary starting point but not a sufficient basis for all Claude deployments. A more detailed legal review is regularly required where:

  • the Claude workflow processes large volumes of customer communications, contract documents, or support tickets
  • the deployment involves employee data, recruitment data, or performance-related analysis
  • special categories of personal data under Article 9 GDPR are involved
  • strict EU-only data residency or specific certification requirements apply
  • sector-specific regulation applies, such as financial services, healthcare, or regulated professional advice

In these scenarios, checking the DPA box is not enough. What is needed is a full assessment covering the DPA, processing architecture, legal basis, transfer mechanism, and internal governance rules.

Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, commercial contracts, employment law, and AI procurement. If you want to review the Claude DPA or another AI vendor contract before rollout, contact us.

FAQ

What is the Claude data processing agreement?

The Claude DPA is the contractual framework Anthropic provides for commercial products to meet Article 28 GDPR processor requirements. It is incorporated into the commercial terms and includes Standard Contractual Clauses for international data transfers. For German companies, the key task is verifying whether the DPA fits the specific deployment and data types involved.

Is the Claude DPA sufficient for Article 28 GDPR compliance?

The Anthropic DPA covers the mandatory Article 28 GDPR content in principle. Whether it is sufficient for a specific deployment depends on whether the processor role, data categories, subprocessors, and transfer paths are correctly mapped and documented for the actual use case.

Does the Claude DPA apply to the Claude API?

Yes. Anthropic states the DPA with SCCs applies to its commercial products including the Claude API. Companies using Claude through a third-party platform such as Amazon Bedrock must review that platform’s contract stack separately, as the Anthropic DPA does not directly govern those deployments.

What does the Claude DPA cost?

Anthropic does not offer a separately priced DPA. It is included as part of the commercial terms for paid products such as Claude Enterprise and the Claude API.

Who needs to sign the Claude DPA?

When contracting directly with Anthropic, the DPA is incorporated into the commercial terms and is not executed as a standalone document. Companies should download the current version, document the review internally, and retain a copy alongside their record of processing activities.

Where can I download the Anthropic DPA?

The Anthropic DPA is not available as a standalone PDF. It is incorporated into the commercial terms and accessed electronically through the Anthropic customer portal at console.anthropic.com. For enterprise customers, the DPA is confirmed through the account management process. Additional guidance is available at help.anthropic.com.

Does the Claude DPA cover the free tier?

No. A data processing agreement is only available to customers on a paid Anthropic plan — the Claude API or Claude Enterprise. Free Claude.ai accounts do not have access to a DPA. Companies that need a DPA in place before processing personal data must use a paid Anthropic product.

How long does the Claude DPA apply?

The Claude DPA is not a time-limited standalone document. It applies as part of the Anthropic commercial terms for the duration of the contractual relationship. Organisations should document the version in force at time of contracting and review it again when Anthropic announces material updates to its commercial terms.

What is the difference between the Claude Team DPA and the Claude Enterprise DPA?

Both tiers rely on the same Anthropic DPA framework. The practical difference lies in additional compliance features: Claude Enterprise adds an optional HIPAA BAA (on request), SCIM provisioning, audit logs, and the Compliance API — relevant for regulated sectors. For smaller teams without those requirements, Claude Team includes a full DPA from 5 users at approximately $25 per user per month on annual billing.

Frequently asked questions

Is the Anthropic DPA the same as a data protection agreement?

"Data Protection Agreement" is a common informal term used in procurement contexts that refers to the same document. The precise legal term under Article 28 GDPR is "Data Processing Agreement." The Anthropic DPA is a Data Processing Agreement — it governs how Claude processes personal data on behalf of the customer-controller.

Does Anthropic offer a data processing agreement for Claude Enterprise?

Yes. Anthropic states that its DPA with SCCs is incorporated into the commercial terms for products including Claude Enterprise and the Claude API. Companies should still verify whether the contract fits their concrete deployment and data flows.

Is the Claude DPA sufficient for Article 28 GDPR compliance?

The Anthropic DPA covers the mandatory Article 28 GDPR content in principle. Whether it is sufficient depends on whether processor role allocation, data categories, transfer paths, and subprocessors are correctly mapped to the actual workflow.

Does the Claude DPA also apply to the Claude API?

Yes. Anthropic states the DPA with SCCs applies to commercial products including the Claude API. Companies accessing Claude through a third-party platform such as Amazon Bedrock must review that platform's contract stack separately.

What does the Claude DPA cost?

Anthropic does not offer a separately priced DPA. The DPA is part of the commercial terms and automatically included with paid products such as Claude Enterprise or the Claude API.

Who needs to sign the Claude DPA?

When contracting directly with Anthropic, the DPA is incorporated into the commercial terms and is not signed as a separate document. Companies should download the current version, review it internally, and document the review against the specific use case.

Where can I download the Anthropic DPA?

The Anthropic DPA is not available as a standalone PDF download. It is incorporated into the commercial terms and accessed electronically via the Anthropic customer portal (console.anthropic.com) or through your Enterprise account contact. Additional guidance is available at help.anthropic.com.

Does the Claude DPA cover the free tier?

No. A data processing agreement is only available to customers on a paid Anthropic plan — the Claude API or Claude Enterprise. Free Claude.ai users cannot access a DPA and should not process personal data that requires one.
