Claude Enterprise: Business Plans, EU Data Residency & GDPR
What is Claude Enterprise?
Claude Enterprise is Anthropic's highest-tier business plan: SSO, audit logs, 200K context window, GDPR DPA (automatic), and optional Zero-Data-Retention. Custom-quoted, annual contract, no minimum user count.
- Claude Enterprise includes SSO, audit logs, 200K context window, custom system prompts, GDPR DPA, and optional Zero-Data-Retention.
- Pricing is custom-quoted through Anthropic enterprise sales; Claude Team starts at ~€25/user/month as the entry-level GDPR-compliant tier.
- EU data residency is not included by default; strict EU-only processing requires AWS Bedrock or Google Vertex AI deployment.
Claude Enterprise is Anthropic’s highest-tier business plan — custom-quoted, includes SSO, audit logs, GDPR DPA, 200K context window, and optional Zero-Data-Retention. Here’s what it includes, what it costs, and how it compares to Claude Team. For companies in Germany, Claude Enterprise is the right tier when enterprise contract coverage — documented processor commitments, security controls, and a negotiable DPA — is a procurement requirement. This guide covers the full plan, what must be verified in the DPA before rollout, and how it compares to lower tiers and competing enterprise AI products. For an overview of the full AI tool landscape, see the AI tools assessed by Compound Law.
Claude Enterprise: Quick Summary
- What it is: Anthropic’s highest-tier commercial AI plan for enterprise governance
- What it costs: Custom-quoted (annual contract; Claude Team is the entry-level compliant tier at ~€25/user/month)
- What’s included: SSO with SCIM, audit logs, 200K context window, GDPR DPA (automatic), optional Zero-Data-Retention
- Who it’s for: Organisations requiring SSO, audit logs, or ZDR; enterprise procurement with governance requirements
Claude plan comparison: Free, Pro, Team, Business and Enterprise
| Feature | Claude Free | Claude Pro | Claude Team | Claude Business | Claude Enterprise |
|---|---|---|---|---|---|
| DPA/AVV included | No | No | Yes | Yes | Yes |
| Price | Free | ~€20/month | ~€25/user/month | ~€25/user/month | Custom-quoted |
| SSO | No | No | No | No | Yes |
| Audit logs | No | No | No | No | Yes |
| Custom system prompts | No | No | No | No | Yes |
| Zero-Data-Retention | No | No | No | No | Optional |
| Minimum users | 1 | 1 | 5 | 5 | No minimum |
| GDPR suitable for business | No | No | Yes | Yes | Yes |
Note: Anthropic does not offer a plan officially called “Claude Business.” The term is commonly used to refer to Claude Team — see our Claude Business guide for details.
When to choose Enterprise vs Team vs Business
The Claude Team plan is the right fit when you need a GDPR DPA and a shared workspace but do not require SSO, audit logs, or custom system prompts. Starting from approximately €25 per user per month on annual billing, with a minimum of 5 users.
Claude Business is a common search term for Claude Team — both refer to Anthropic’s entry-level commercial plan with a DPA. See our Claude Business guide for a full comparison.
Claude Enterprise is the right choice when SSO with SCIM, audit logs, custom system prompts, or optional Zero-Data-Retention are hard requirements — or when your organisation’s procurement process requires a negotiable DPA and dedicated enterprise support. Pricing is custom-quoted.
For German companies, the rule of thumb: start at Claude Team if you need a DPA; move to Claude Enterprise when governance controls (SSO, audit logs) or ZDR become procurement requirements.
What is Claude Enterprise?
Claude Enterprise is Anthropic’s highest-tier commercial offering for organisations that need more than individual AI access. It is designed for companies deploying AI across teams, with governance, admin, and compliance controls built in from the start.
Key features included in Claude Enterprise:
- Admin controls and SSO: Centralised user management and single sign-on integration make Claude Enterprise suitable for organisations with IT governance or identity-management requirements.
- Audit logs: Activity and usage logs support internal oversight, vendor-risk documentation, and compliance reporting.
- Custom system prompts: Organisations can configure default instructions, behavioural guardrails, and workflow context at the organisational level — relevant for consistent, policy-compliant AI use across teams.
- Expanded context window: Claude Enterprise supports a larger context window than lower tiers, enabling document-heavy workflows such as contract review, multi-document research, and structured analysis.
- Priority access: Enterprise customers receive priority capacity, which matters for high-volume or time-critical operations.
- Zero-Data-Retention (ZDR) option: Claude Enterprise supports an optional ZDR configuration where inputs and outputs are discarded immediately after processing and not retained — see the retention section below for detail.
Why German companies evaluate Claude Enterprise
German businesses and DACH-region organisations are increasingly evaluating Claude Enterprise as an AI productivity tool that comes with a compliance-relevant foundation. The automatic DPA, admin controls, and ZDR option make it more structurally suitable for GDPR workflows than consumer-tier or prosumer AI tools.
That said, those built-in controls are a starting point — not a complete GDPR answer. The sections below cover the specific DPA, transfer, and use-case questions that German legal and privacy teams need to work through before rollout.
Claude Enterprise Admin Console Features
Claude Enterprise gives administrators a centralised control layer for managing AI access across teams. The admin console covers:
- Workspace management: Projects and Folders let teams organise shared prompts, artefacts, and conversation context. Legal teams can maintain separate workspaces for client matters, compliance workflows, and internal knowledge bases.
- Usage analytics: The admin dashboard shows seat utilisation, conversation volume, active users by team, and model usage — the data points typically needed for software licence reviews and budget reconciliation.
- Model selection controls: Administrators can control which Claude models — including Claude 3.5 Sonnet, Claude 3 Opus, and Haiku — are available to which teams or projects. This prevents unintended access to more capable or cost-intensive models for routine tasks.
- Sharing and permissions: Admins set rules for conversation sharing, artefact export, and data access at the workspace or team level — relevant for organisations with strict data-classification policies.
- Custom system prompts: Organisation-level prompts configure default AI behaviour across all sessions. A legal firm can, for example, configure Claude to prepend a confidentiality header to every output: “This response is for internal use only and does not constitute legal advice.” This creates consistent, policy-compliant AI outputs without requiring individual users to configure anything.
- SSO and SCIM provisioning: Claude Enterprise integrates with standard identity providers (Okta, Azure AD, Google Workspace) for single sign-on and automated user provisioning and deprovisioning — reducing onboarding friction and access-control risk.
Claude Enterprise Use Cases — Legal, Compliance, and Enterprise Workflows
Law firms, in-house legal teams, and compliance functions are among the most active Claude Enterprise adopters. The three highest-impact use cases are contract review, due diligence, and compliance documentation. Below are the core workflows where Claude’s 200,000-token context window creates measurable operational value.
Contract review and redlining. Upload full contracts — up to approximately 150,000 words — and ask Claude to flag risk clauses, identify missing provisions, suggest redline language, or compare against a standard template. Legal teams use this to accelerate first-pass review of commercial agreements, vendor contracts, and NDAs without sending the document to an external tool.
Due diligence and multi-document analysis. Claude processes multiple documents simultaneously within a single session — financial statements, regulatory filings, organisational charts, and prior agreements. For data room packages, this means structured analysis of large document sets without splitting work across separate queries or summarisation steps.
Compliance documentation. Draft GDPR Records of Processing Activities (RoPA), internal AI usage policies, DPA response templates, and privacy notices. Claude can structure these to required formats and adapt the output based on applicable regulation, sector, and jurisdiction — useful for teams managing compliance across multiple entities.
Legal research across large corpora. Ask Claude to analyse a body of case law, summarise regulatory changes across jurisdictions, or compare requirements under different regimes — for example, GDPR versus UK GDPR versus Swiss nDSG. This works best when source documents are uploaded directly rather than relying on model training data.
M&A workflow support. Term sheet analysis, shareholder agreement review, integration checklist generation, and data room structuring. With ZDR enabled, sensitive deal materials are processed without persistent storage — directly relevant for confidentiality obligations and deal-security requirements.
Internal knowledge management. Configure organisation-level system prompts with firm-specific knowledge: matter types, standard client instructions, billing codes, escalation contacts, and preferred contract structures. This turns Claude into a context-aware assistant that reflects your firm’s practice from the start of every session.
Compound Law advises legal teams and compliance functions on AI procurement, GDPR compliance, and governance design for tools like Claude Enterprise. If you are assessing Claude for a legal practice or in-house function, discuss your use case with us. For context on AI regulation affecting legal services, see our AI Act guide for legal services.
Which Claude plan includes a DPA?
For German buyers, the first practical question is often: which Claude tier actually includes an AVV/DPA? The table below reflects Anthropic’s commercial terms effective January 1, 2026.
| Plan | DPA/AVV included | Suitable for GDPR/DSGVO business use |
|---|---|---|
| Claude Free | No | No — consumer terms only |
| Claude Pro | No | No — consumer terms only |
| Claude Team | Yes (automatic) | Yes — minimum 5 users |
| Claude Enterprise | Yes (automatic) | Yes |
| Anthropic API | Yes (automatic) | Yes |
Three points worth noting before procurement:
- Free and Pro tiers do not include a DPA. Any business processing personal data on these tiers is non-compliant with Article 28 GDPR. Consumer terms do not substitute for a processor agreement.
- The DPA is incorporated automatically into Anthropic’s commercial terms — no separate signature is required for standard deployment.
- The current DPA version is effective January 1, 2026. Confirm the applicable version in writing at time of contract.
For German companies, the minimum compliant tier for business use is Claude Team (minimum 5 users, approximately €25 per user per month on annual billing). Claude Free and Claude Pro are consumer products — using them for business data processing involving personal data is not a defensible GDPR setup.
This page is general information, not legal advice for a specific implementation. If you are comparing LLM vendors for a German rollout, it also helps to review our pages on OpenAI API, AWS Bedrock, Perplexity, and our broader AI legal expertise.
Can German companies use Claude Enterprise lawfully?
In many cases, yes. But the legal answer depends on how you use Claude Enterprise, not just on the vendor name.
Under the GDPR, the relevant questions are familiar:
- What personal data goes into Claude?
- What is the legal basis under Article 6 GDPR?
- Is there a valid Article 28 GDPR processor agreement?
- Are there international transfers under Chapter V GDPR?
- Are the technical and organizational measures under Article 32 GDPR sufficient?
- Does the workflow create added labor-law, confidentiality, or DPIA risk?
For businesses in Germany, Claude Enterprise is often easiest to justify for lower-risk internal productivity use, such as drafting, summarization, research support, or structured knowledge work where teams avoid sensitive source material. Common deployment patterns — including internal chatbots and writing assistance — require review against AI chatbot compliance under GDPR and AI writing assistant compliance frameworks. The position changes once the deployment touches:
- customer communications containing broad personal data
- employee data or manager-facing analytics
- trade secrets and confidential deal documents
- regulated advice or high-impact decision support
- special categories of personal data under Article 9 GDPR
That is why the better procurement question is not “Is Claude GDPR compliant?” but “Is our Claude deployment contractually and operationally defensible?” Claude Enterprise is frequently adopted by professional services companies and legal services firms in Germany where confidentiality and professional-secrecy obligations demand a higher standard of vendor scrutiny.
Does Anthropic offer a DPA and what needs review?
Anthropic states in its help documentation for commercial products that its DPA with Standard Contractual Clauses is automatically incorporated into the commercial terms. Anthropic also states that this answer applies to products such as Claude for Work and the Claude API, while use through a third-party platform is governed by that platform’s own terms instead.
That distinction matters in practice:
- if you buy Claude directly from Anthropic, the Anthropic commercial terms and DPA are the starting point
- if you access Claude through another vendor, such as a cloud platform, you also need to review that vendor’s contract stack
Anthropic’s public help materials also indicate that, for commercial products, the customer organization controls user data and Anthropic processes that data to provide the service on the customer’s behalf. That is generally helpful for an Article 28 GDPR analysis, but it is still not the end of the review.
Before rollout, legal and privacy teams should verify at least the following:
| Issue | Why it matters | What legal should verify |
|---|---|---|
| Processor role | Your GDPR obligations depend on whether Anthropic acts as processor, controller, or a mixed-role provider | Match the DPA and service terms to the actual workflow and data types |
| Article 28 terms | A DPA is required where Claude processes personal data on your behalf | Check instructions, confidentiality, deletion, audit language, and subprocessor commitments |
| International transfers | Even with strong enterprise controls, a transfer review may still be required | Review SCCs, transfer wording, access scenarios, and any supplementary measures |
| Retention and deletion | Prompt, output, and admin logs can persist longer than business teams expect | Confirm retention defaults, deletion controls, and whether exceptions apply |
| Security and incidents | Security promises matter for procurement and vendor-risk sign-off | Review certifications, TOMs, breach-notification terms, and internal escalation steps |
If your use case includes customer-facing automation, internal policy drafting, or knowledge workflows, compare the Claude contract review against your wider AI stack rather than assessing it in isolation. That is why buyers often evaluate Claude together with OpenAI API or AWS Bedrock.
For a detailed guide on accessing, verifying, and stress-testing the Anthropic Data Processing Agreement, see our dedicated Claude DPA page. For a comprehensive overview of GDPR compliance requirements for Claude — including legal basis, DPIA triggers, and a practical checklist — see our Claude GDPR compliance page. For developer and engineering teams using Claude Code and the Anthropic API, see our Claude Code GDPR guide for API-specific compliance considerations.
What the Claude Enterprise DPA covers
The Anthropic commercial DPA is designed to satisfy Article 28 GDPR requirements for processor agreements. Key elements buyers should expect to find — and verify — include:
- Processor instructions: Anthropic processes customer data only on documented customer instructions — the foundational Article 28 requirement.
- Confidentiality: Anthropic staff with access to customer data are bound by confidentiality obligations, covering both personnel and subprocessors.
- Security measures (Article 32 GDPR): Technical and organisational measures appropriate to the risk, including encryption, access controls, and incident response procedures. Substantiated by SOC 2 Type II and ISO 27001 certifications.
- Subprocessor controls: A list of authorised subprocessors, a notification mechanism for subprocessor changes, and the right to object. German companies should request the current subprocessor list and map it against their vendor register before sign-off.
- Deletion and return: On contract termination, Anthropic must delete or return customer data. Verify applicable timeframes and any backup-retention exceptions.
- Audit rights: The right to audit Anthropic’s GDPR compliance — typically satisfied in practice through Anthropic’s third-party certification stack (SOC 2 Type II, ISO 27001).
- Standard Contractual Clauses (SCCs): The DPA incorporates SCCs as the transfer mechanism for EEA data leaving the EEA. Buyers should confirm which SCC module applies — typically Module 2 (Controller to Processor) for enterprise deployments — and whether supplementary measures are required for their specific risk profile.
Is a BAA available for Claude Enterprise?
For healthcare organisations or those subject to comparable sector requirements, the relevant question is whether Anthropic offers a Business Associate Agreement (BAA) or equivalent sector-specific addendum. BAA availability for Claude Enterprise depends on the specific deployment and the categories of data involved. Buyers should raise this question directly with Anthropic’s enterprise sales team at the DPA negotiation stage — not after contract execution. For regulated-sector deployments in Germany, involvement of external legal counsel at the contract-review stage is advisable.
DPA negotiation: what is and is not standard
For Claude Enterprise, the DPA is incorporated automatically but is not static. Understanding what is negotiable informs when to involve legal:
- Standard DPA terms cover the Article 28 requirements listed above and are sufficient for most enterprise deployments.
- Negotiable elements include specific retention periods, subprocessor change-notification windows, SLA response times, and sector-specific addenda for regulated industries.
- What buyers cannot typically change: Core model behaviour, training data controls (commercial customer data is not used for training by default), and infrastructure architecture.
Legal and privacy teams should review the DPA before contract signature and confirm that the final executed version matches the version reviewed. For larger organisations, the DPA negotiation phase — typically 4–8 weeks into the procurement process — is also the right moment to raise DPIA requirements, any BetrVG co-determination considerations if the deployment affects employee data, and ZDR configuration.
EU Data Residency and Claude Enterprise
Claude Enterprise does not include EU data residency. The plan uses US-based infrastructure by default; if EU-only processing is a hard requirement, the only architecturally confirmed paths are AWS Bedrock EU profiles (Frankfurt eu-central-1) or Google Vertex AI EU regions — both require a separate cloud provider setup outside the Claude Enterprise contract. For a full breakdown of deployment paths, transfer compliance implications, and EU hosting options, see our guide to Claude EU data residency options.
For international transfer compliance under Chapter V GDPR, the Claude Enterprise DPA incorporates Standard Contractual Clauses (SCCs). Buyers should verify whether supplementary measures are required for their specific risk profile — in particular for high-sensitivity deployments involving customer-facing data or regulated sectors — and confirm which subprocessors involve third-country access.
Training, retention, and confidentiality questions buyers ask
Anthropic’s commercial privacy documentation is useful here. Anthropic states that commercial customer data is not used to train its models by default, and its privacy materials also describe retention controls for commercial products. That is helpful, but a legal review should still go one layer deeper.
The key buyer questions are usually:
Is Claude trained on our prompts and outputs?
For commercial products, Anthropic states that customer data is not used to train models by default. That is a strong procurement point, especially for companies handling confidential documents, board materials, or product plans.
How long is data retained?
Retention is not a side issue. Prompt data, output data, usage logs, admin logs, and shared workspace content can each have different retention logic. Legal teams should verify:
- default retention periods
- configurable deletion options
- whether backups or security logs follow a different schedule
- whether shared chats or workspace exports create separate copies
Zero-Data-Retention (ZDR) for Enterprise customers
Beyond standard retention controls, Anthropic offers an optional Zero-Data-Retention (ZDR) add-on for Enterprise customers:
- With ZDR enabled, inputs and outputs are not stored after the request is complete — they are processed in memory and discarded immediately.
- ZDR is particularly relevant for high-sensitivity workflows: M&A preparation, legal privilege communications, patient data processing, or board-level strategic documents.
- ZDR applies at the API level and requires explicit activation — it is not on by default.
For procurement teams, ZDR changes the retention risk picture materially. Companies operating in regulated sectors or handling trade secrets should ask specifically whether ZDR is available for their deployment path and whether it is compatible with their audit-log and incident-response requirements.
Who can access the data?
Buyers should not stop at the statement that access is limited. They should ask which categories of Anthropic staff, subprocessors, or support personnel may access data, under what conditions, and how that access is documented and controlled.
Are certifications enough?
No. Anthropic publicly lists certifications and assurance frameworks such as SOC 2 Type II, ISO 27001, and ISO 42001. These are relevant and helpful, but they do not replace the legal questions around purpose, data minimization, transfer risk, and internal governance.
For many German businesses, the real confidentiality control is not only the vendor contract. It is also the internal rule that employees must not paste unnecessary personal data, secrets, or regulated content into Claude in the first place.
When Claude can be used for customer, employee, or sensitive data
This is where the legal analysis becomes use-case specific.
Customer data
Claude can sometimes be used for customer data, for example in carefully designed support, success, or drafting workflows. But that depends on how much content is sent to the model, whether free text includes unnecessary personal data, and whether customers are informed appropriately.
The safer cases usually involve:
- limited metadata
- pseudonymized or redacted text
- non-sensitive operational workflows
- human review before any customer-facing output is used
The harder cases include large-scale ticket ingestion, complaint handling, or contract analysis involving identifiable individuals.
Employee data
Employee data requires stricter scrutiny in Germany. If Claude is used in ways that affect hiring, evaluation, productivity analysis, or workplace monitoring, the issue is no longer only GDPR. Co-determination rights under section 87(1) no. 6 BetrVG may become relevant, and some deployments can raise DPIA or labor-law concerns even if the tool is marketed as a productivity assistant.
Special-category data
Where the workflow involves health data, biometric data, union-membership data, or other Article 9 GDPR categories, companies should assume a significantly higher threshold for lawful deployment. In many cases, a standard enterprise rollout process is not enough.
Trade secrets and highly confidential documents
Not every legal risk is a privacy risk. Founders and management teams often want to use Claude for due diligence, term sheet drafting, M&A preparation, or internal investigations. Those uses can be attractive, but they need a separate review of confidentiality, access control, document classification, and internal approval rules.
Claude Enterprise vs ChatGPT Enterprise vs Microsoft Copilot
For procurement teams evaluating multiple enterprise AI vendors, a structured comparison against the two most common alternatives helps focus the review on the dimensions that matter for GDPR compliance and enterprise governance in Germany.
| Feature | Claude Enterprise | ChatGPT Enterprise | Microsoft Copilot |
|---|---|---|---|
| Provider | Anthropic | OpenAI | Microsoft |
| EU hosting possible | Yes (via AWS Bedrock / Google Vertex AI) | Yes (Azure EU regions) | Yes (EU Data Boundary) |
| DPA / AVV | Automatic in commercial terms | Automatic in commercial terms | Via Microsoft DPA |
| Zero-Data-Retention | Optional (ZDR add-on) | Optional | Limited |
| SSO / SCIM | Yes | Yes | Yes (M365 integration) |
| Audit logs | Yes | Yes | Yes |
| Context window | Up to 200,000 tokens | 128,000 tokens | Context-dependent |
| Training on customer data | No (default) | No (default) | No (default) |
| Strength | Long context, document analysis, constitutional AI guardrails | Broad ecosystem, code interpreter, data analysis | M365 integration, native Office workflows |
| EU cloud deployment | AWS Bedrock, Google Vertex AI | Azure | Azure |
When to choose Claude Enterprise
Claude Enterprise stands out for its industry-leading context window of up to 200,000 tokens, which makes it particularly effective for document-heavy workflows — contract review, due diligence analysis, research across large corpora, and multi-document legal analysis. Consider Claude Enterprise when:
- Your workflows involve long documents or large volumes of text that benefit from extended context
- You prefer to operate outside the Microsoft ecosystem or Azure infrastructure
- Anthropic’s Constitutional AI approach and built-in safety guardrails align with your AI governance requirements
- You want a direct contractual relationship with Anthropic including a standalone DPA/AVV
When to choose ChatGPT Enterprise
ChatGPT Enterprise is particularly strong for teams that rely on structured data analysis, code-generation workflows, or OpenAI’s broad plugin ecosystem. It is a good fit when:
- Your team uses code interpreter features for data analysis, financial modeling, or automated reporting
- You want to leverage OpenAI’s fine-tuning capabilities or plugin integrations
- Your organization is already invested in the OpenAI API and wants Enterprise-grade governance on top
When to choose Microsoft Copilot
Microsoft Copilot is the natural choice for organizations deeply embedded in the Microsoft 365 ecosystem. Its advantages are primarily about workflow integration rather than pure AI capability:
- Seamless integration within Word, Teams, Outlook, SharePoint, and other M365 applications
- Leverages existing Azure commitments and Microsoft licensing agreements
- Teams that work primarily within M365 applications benefit most from native embedding
GDPR note: what the comparison means for German buyers
An important point for procurement teams in Germany: all three vendors require the same foundational GDPR review. A DPA being included in the commercial terms does not mean a deployment is automatically GDPR compliant. For each vendor, you still need to review the processor role allocation, the transfer mechanism and data residency model, subprocessor commitments, and retention logic for your specific workflow. The comparison table above addresses structural features, but the legal review must go deeper for each vendor you shortlist. For a comprehensive GDPR checklist for Claude specifically, see our Claude GDPR compliance page. Compare also our pages on OpenAI API and AWS Bedrock.
Claude Enterprise Security Certifications
Anthropic holds a stack of enterprise security certifications relevant for procurement review, vendor-risk assessments, and regulatory compliance documentation. For German buyers evaluating Claude Enterprise, these are the key certifications and what each means in practice:
- SOC 2 Type II: An annual independent audit covering security, availability, and confidentiality controls. SOC 2 Type II — as opposed to Type I — confirms that controls were effective over a sustained testing period, not merely that they exist on paper. Required by many enterprise procurement and vendor-risk programmes.
- ISO 27001: International standard for information security management systems. Relevant for vendor-risk assessments, public-sector procurement in Germany, and financial services frameworks that require certified security controls from technology providers.
- ISO 42001: AI management system standard — the AI-specific certification. ISO 42001 is relevant for EU AI Act compliance documentation, particularly for organisations deploying AI in higher-risk contexts under Annex III of the AI Act. Relatively few major AI vendors currently hold this certification.
- CSA STAR: Cloud Security Alliance assurance framework for cloud service providers. Relevant for cloud-security assessments and vendor-risk programmes that require structured cloud-security evaluation.
Anthropic’s current certification documentation and trust materials are available via Anthropic’s trust portal.
For German procurement teams, ISO 42001 deserves particular attention: it maps to the governance expectations of the EU AI Act’s Annex IV documentation requirements for high-risk AI systems, and it signals a level of AI risk management maturity that goes beyond standard cybersecurity frameworks. For context on how AI Act documentation requirements apply to your business, see our EU AI Act compliance guide.
Claude Enterprise Pricing and Licensing
Claude Enterprise does not have a public fixed price — it is custom-quoted through Anthropic’s sales team. The entry-level compliant tier for business use is Claude Team, which is priced at approximately €25 per user per month on annual billing with a minimum of 5 users.
For Claude Enterprise, the key pricing parameters are:
- Custom-quoted: Claude Enterprise pricing is negotiated directly with Anthropic. Contract size, term length, and conditions are deal-specific.
- Annual contracts: Claude Enterprise is typically structured as an annual license.
- Pricing factors: Number of seats, API usage volume (if applicable), Zero-Data-Retention add-on, support tier, and any custom contract terms.
- Zero-Data-Retention add-on: ZDR is a separately negotiated feature and is not included in the base price.
For German companies, one practical implication of custom pricing is that your legal team should be involved early in the procurement process. Because there is no public price sheet, the contract negotiation phase is the right moment to address DPA terms, SLA commitments, and any GDPR-specific contractual requirements alongside the commercial terms. For EU hosting options that may affect contract structure, see our Claude EU Hosting page.
For current official pricing and sales contact, visit Anthropic directly. If you need legal review of the DPA, contract structure, or AI procurement process, contact us.
How to Get Claude Enterprise
Claude Enterprise is available exclusively through Anthropic’s enterprise sales team — there is no self-service signup path. The typical procurement journey for a mid-to-large organisation:
- Contact Anthropic Enterprise sales via the Anthropic website to initiate a discovery call. Prepare an overview of your use case, estimated seat count, and any known compliance requirements.
- Discovery and scoping: The sales process covers use case fit, data sensitivity classification, ZDR requirements, and integration needs. Anthropic sales will outline what is and is not available under standard terms.
- Custom quote: Pricing is negotiated, not published. Key factors include seat volume, ZDR configuration, SLA tier, support terms, and contract length (typically annual).
- Contract and DPA negotiation: For German organisations, this stage should involve legal and privacy teams. It is the appropriate moment to address DPA language, subprocessor commitments, ZDR scope, SLA terms, and any GDPR-specific contractual requirements — including whether standard SCCs are sufficient or whether supplementary measures are needed.
- Onboarding and SSO configuration: Identity provider integration and admin console setup typically takes 2–4 weeks after contract execution.
Typical timeline: 4–8 weeks for organisations requiring full legal and privacy review of the DPA and commercial terms. Smaller deployments with minimal custom requirements move faster.
What is negotiable: ZDR configuration, SLA terms, DPA language for specific use cases, and certain subprocessor commitments. Standard clauses may not be sufficient for high-risk deployments in regulated sectors — legal review before signature is advisable.
For guidance on reviewing the Claude Enterprise DPA before signing, see our Claude DPA guide. To discuss the procurement process with Compound Law’s legal team, contact us.
Practical legal checklist before rollout
If your team needs an operational decision path, start with these steps:
- Map the exact deployment path. Confirm whether you are buying directly from Anthropic or using Claude through another platform.
- Classify the intended data. Separate low-risk productivity content from customer data, employee data, sensitive contracts, and special-category data.
- Review the DPA and commercial terms. Check processor language, SCCs, subprocessor controls, deletion terms, and security commitments.
- Verify transfer and residency assumptions. Do not rely on sales shorthand such as “EU hosting” without confirming the precise processing model.
- Set internal usage restrictions. Define what employees may and may not upload, who can approve exceptions, and how high-risk use cases are escalated.
- Assess labor-law and DPIA risk. If the workflow affects employees or systematic monitoring, involve HR, privacy, and where relevant the works council early.
- Document the decision. Record the approved use case, safeguards, owner, review date, and fallback plan.
This structured review is often more important than the headline question of whether Anthropic offers a DPA. The contract matters, but the workflow design usually decides whether the deployment is defensible.
When extra review is required
General guidance is usually not enough where the Claude deployment:
- processes large volumes of customer communications
- supports HR, recruiting, or workforce decisions
- touches financial, insurance, or health-related data
- is used in regulated advice or high-impact decision-making
- handles board, fundraising, or M&A material with strict confidentiality demands
At that point, the right question is no longer “Does Claude Enterprise have a DPA?” It is whether your exact deployment can be defended under the GDPR, your vendor contracts, your labor-law setup, and your internal security rules.
Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, commercial contracts, employment law, and AI procurement. If you want to review a Claude rollout, compare vendor contracts, or pressure-test an AI policy before procurement, contact us.
FAQ
What is included in Claude Enterprise?
Claude Enterprise includes a built-in GDPR DPA (automatically incorporated into commercial terms), SSO with SCIM provisioning, audit logs, custom system prompts, an expanded context window (up to 200,000 tokens), priority capacity, and an optional Zero-Data-Retention (ZDR) add-on. It is Anthropic’s highest-tier commercial plan for organisations that require enterprise AI governance. Free and Pro tiers do not include a DPA and are not suitable for business data processing under the GDPR.
How does Claude Enterprise differ from Claude Team?
Claude Team and Claude Enterprise both include a GDPR DPA, but differ significantly on governance controls. Claude Enterprise adds SSO with SCIM provisioning, audit logs, custom system prompts, a larger context window, and optional Zero-Data-Retention — none of which are available on Claude Team. Claude Team starts from 5 users at approximately €25 per user per month on annual billing; Claude Enterprise is custom-quoted and suited to larger organisations with procurement and governance requirements. For a full breakdown, see the Claude Team vs Enterprise plan comparison.
What is the Claude data processing agreement?
It is the contractual framework Anthropic provides for its commercial products to address controller-processor requirements, including DPA terms and SCC language. For German companies, the real task is to verify whether those terms fit the exact Claude deployment and the categories of data involved.
Is Claude Enterprise GDPR compliant in Germany?
Claude Enterprise can support GDPR-compliant use, but the answer depends on the use case, legal basis, processor setup, transfer mechanism, retention model, and internal controls. There is no useful one-word answer at platform level.
Does Claude Enterprise include EU data residency?
No. Claude Enterprise does not include EU data residency. The plan uses US-based infrastructure by default. If EU-only data residency is a procurement requirement, the only architecturally confirmed paths are AWS Bedrock EU profiles or Google Vertex AI EU regions — both require a separate cloud provider setup outside the Claude Enterprise contract. See our Claude EU Hosting guide for full deployment options.
When do German companies need extra review before using Claude?
Extra review is typically needed for employee data, sensitive customer content, special-category data, regulated sectors, high-impact outputs, or workflows involving monitoring, profiling, or confidential strategic documents.
How does Claude Enterprise compare to ChatGPT Enterprise?
Claude Enterprise leads on context window size — up to 200,000 tokens versus ChatGPT Enterprise’s 128,000 tokens — which makes it well-suited for document-heavy analysis: long contracts, multi-document due diligence, and research workflows involving large corpora. ChatGPT Enterprise offers a broader plugin ecosystem, built-in code interpreter for data analysis, and the option to use OpenAI fine-tuning. Microsoft Copilot is the strongest option for organizations embedded in the Microsoft 365 ecosystem, offering native integration with Word, Teams, and Outlook.
For GDPR-compliant use in Germany, all three vendors require the same core legal review: DPA quality, transfer mechanism, data residency model, subprocessor commitments, and retention logic must be verified for each specific deployment — regardless of which vendor you choose.
What security certifications does Claude Enterprise have?
Anthropic holds SOC 2 Type II, ISO 27001, ISO 42001, and CSA STAR certifications. ISO 42001 is an AI management system standard — one of the few held by major AI vendors — and is directly relevant for EU AI Act compliance documentation. SOC 2 Type II and ISO 27001 are the certifications most commonly required by enterprise procurement teams. Current certification documentation is available via Anthropic’s trust portal.
What can law firms and legal teams use Claude Enterprise for?
Law firms and in-house legal teams primarily use Claude Enterprise for contract review and redlining, due diligence document analysis, legal research across large corpora, and compliance documentation drafting. The 200,000-token context window supports processing full contracts and multi-document data room packages in a single session. With ZDR enabled, sensitive deal and client materials can be processed without persistent storage — directly relevant for professional secrecy and confidentiality obligations.
How do I get Claude Enterprise, and how long does procurement take?
Claude Enterprise is sold exclusively through Anthropic’s enterprise sales team — there is no self-service option. The process covers discovery, custom quoting, contract and DPA negotiation, and SSO onboarding. For organisations requiring full legal and privacy review of the DPA and commercial terms, expect 4–8 weeks from first contact to contract execution. German companies should involve legal and privacy teams at the DPA negotiation stage. For guidance on what to review in the Claude DPA before signing, see our Claude DPA guide.