Claude EU Hosting: How to Keep Your Data in Europe Under GDPR
Does Claude offer EU data residency?
EU data residency for Claude is not available through claude.ai or the Anthropic API — only through AWS Bedrock EU profiles (Frankfurt, Ireland, Paris) or Google Cloud Vertex AI EU regions with region-locked configuration.
- claude.ai and the Anthropic API offer no EU data residency — only US infrastructure by default.
- EU data residency is a contractual guarantee; EU hosting is just a location fact — legally distinct.
- AWS Bedrock eu-central-1 (Frankfurt) is the confirmed path for EU data residency in Germany.
- Claude Enterprise does not include EU data residency — requires separate Bedrock or Vertex AI setup.
Does Claude offer EU data residency? No — not through claude.ai or the direct Anthropic API. Both default to US-based infrastructure. The two confirmed paths for EU data residency with Claude are deployment via AWS Bedrock EU profiles (Frankfurt eu-central-1, Ireland eu-west-1, Paris eu-west-3) or Google Cloud Vertex AI EU regions — both require specific region configuration to enforce data residency. Direct access to claude.ai or the Anthropic API relies on Standard Contractual Clauses (SCCs) as the Chapter V GDPR transfer mechanism, which requires a Transfer Impact Assessment and may not satisfy contractual EU-only processing obligations.
This matters most for businesses in Germany and the DACH region that must comply with the GDPR, operate in regulated sectors, or hold contractual commitments to EU-only data processing. Before choosing a deployment path, the architecture decision and the legal setup need to be reviewed together.
What is EU data residency — and is it a legal requirement?
EU data residency and EU hosting are often used interchangeably, but they carry different legal weight:
- EU hosting means infrastructure — servers, data centres — is physically located in the European Union.
- EU data residency is a contractual and regulatory guarantee that data will not leave a defined jurisdiction under any operational circumstance.
GDPR Chapter V does not automatically require EU-only processing for every organisation. However, EU data residency becomes a practical legal obligation in several scenarios:
- B2B contracts: Client agreements increasingly include EU-only data processing clauses, particularly in financial services, healthcare sourcing, and public procurement.
- Regulated sectors: EBA outsourcing guidelines for banking, and sector-specific frameworks for healthcare, telecom, and insurance routinely require data to remain within EU borders.
- Public sector procurement: Government and public authority frameworks in Germany commonly specify EU-jurisdiction requirements.
- Professional secrecy: Attorneys (Rechtsanwälte), tax advisors (Steuerberater), and auditors (Wirtschaftsprüfer) face confidentiality obligations that restrict third-country data transfer.
If any of these apply to your organisation, EU hosting alone is not sufficient — you need a contractual data residency guarantee from your cloud provider and a technically enforced region configuration. For a full GDPR compliance overview for Claude, see our Claude GDPR compliance guide.
Does Claude Enterprise include EU data residency?
No. This is one of the most common misconceptions in enterprise procurement of Claude.
Claude Enterprise — Anthropic’s enterprise product accessed through claude.ai — uses US-based infrastructure by default. Anthropic does not offer an EU data residency option through the claude.ai platform or the direct Anthropic API. The Enterprise plan provides a commercial DPA and enhanced admin controls, but does not change where data is processed.
EU data residency for Claude requires a deployment architecture change:
- AWS Bedrock EU profiles (Frankfurt eu-central-1, Ireland eu-west-1, Paris eu-west-3) — shifts the primary processor contract to AWS
- Google Cloud Vertex AI EU regions (Belgium, Netherlands, Poland) — places processing under Google Cloud’s DPA framework
Neither option is available within a Claude Enterprise contract — both require a separate cloud provider relationship. For broader enterprise compliance questions, see our Claude Enterprise Germany guide.
The three deployment paths — and what they mean for EU data residency
Not every Claude deployment is equal under GDPR. The table below maps the four main paths to their data residency defaults:
| Deployment path | Data location default | EU-only option | AVV / DPA path | Typical use case |
|---|---|---|---|---|
| claude.ai / Claude.com direct | US by default | No dedicated EU option | Anthropic DPA (Team/Enterprise) | Individual and team productivity |
| Anthropic API direct | US by default | No dedicated EU option | Anthropic commercial DPA | Custom integrations, product development |
| Claude via AWS Bedrock | Configurable by region | Yes — Frankfurt, Ireland, Paris | AWS DPA + Bedrock model terms | Enterprise with existing AWS setup |
| Claude via Google Vertex AI | Configurable by region | Yes — Belgium, Netherlands, Poland, and more | Google Cloud DPA | Enterprise with existing GCP setup |
The key takeaway: EU hosting is an architecture question, not a product feature you can enable with a checkbox. Companies that want confirmed EU-only processing need to deploy through Bedrock or Vertex AI and verify region configuration, cross-region inference settings, and connected services.
Claude via AWS Bedrock — EU regions explained
For most German companies, AWS Bedrock eu-central-1 (Frankfurt) is the primary option for EU-localised Claude deployment. It offers geographic proximity, fits naturally into existing AWS governance and procurement frameworks, and AWS confirms that customer content is encrypted and stored at rest in the region where the service is used.
Key points for legal and procurement teams:
- Primary EU regions: eu-central-1 (Frankfurt), eu-west-1 (Ireland), eu-west-3 (Paris)
- Cross-region inference profiles: Bedrock supports cross-region inference for availability and latency purposes. If this feature is enabled, inference may route to regions outside your chosen primary region. Legal teams should confirm whether cross-region profiles are active. If your data residency obligation requires strict region-lock, apply this checklist before going live:
- Confirm cross-region inference profiles are disabled in the AWS Bedrock console for your account
- Verify the selected inference profile is locked to your target region (e.g. eu-central-1 only — no cross-region routing)
- Document the region configuration settings in your internal compliance records
- Review Bedrock’s Anthropic model-provider terms to confirm no data leaves the selected region for inference or logging
- Contract shift: When you use Claude via AWS Bedrock, the main processor contract is with AWS, not Anthropic. The AWS DPA and Article 28 GDPR processor terms govern the infrastructure. This is a material legal change versus a direct Anthropic purchase.
- Model-provider layer still applies: AWS publishes separate third-party model terms for Bedrock. The Anthropic model-provider terms for Bedrock describe additional conditions including acceptable use. Procurement must review both the AWS layer and the model-provider layer.
For a full analysis of the AWS legal framework, see our AWS Bedrock DPA and GDPR guide.
Claude via Google Cloud Vertex AI — EU regions
Google Cloud Vertex AI is the second confirmed EU-hosting path for Claude. Google has deployed Claude models in several EU regions, including:
- europe-west1 (Belgium)
- europe-west4 (Netherlands)
- europe-central2 (Poland)
Additional regions may be available depending on model availability at the time of deployment.
Legally, the Vertex AI setup operates under Google Cloud’s DPA and GDPR framework rather than Anthropic’s commercial terms. Key review points:
- Confirm the applicable Google Cloud DPA covers your specific Vertex AI use case and data categories
- Verify which EU regions are active for the Claude model version you intend to use
- Review Google Cloud’s subprocessor list and assess whether any support or operational access could create third-country exposure
- Check whether your Google Cloud agreement includes the EU-region restriction you need, or whether additional configuration is required
Companies that already operate under a mature Google Cloud procurement framework may find Vertex AI the more natural path, while AWS-first organisations will typically default to Bedrock.
Direct Anthropic API — what the contract says about data location
If you use the Anthropic API without Bedrock or Vertex AI, data is processed in Anthropic’s US-based infrastructure. Anthropic’s commercial DPA addresses this through Standard Contractual Clauses (SCCs) as the Chapter V GDPR transfer mechanism, specifically the EU SCCs under Commission Implementing Decision 2021/914.
What this means in practice:
- SCCs are a recognised transfer mechanism under GDPR, but they come with obligations. Companies must perform a Transfer Impact Assessment (TIA) to verify that the SCCs provide effective protection given US law and surveillance frameworks.
- For many internal productivity workflows with low-sensitivity data, SCCs via the direct Anthropic API can be an acceptable setup.
- For workflows involving special categories of personal data (Article 9 GDPR), large volumes of customer data, or data subject to sector-specific regulation, a TIA and closer legal review are needed before relying solely on SCCs.
The practical rule: if your internal policy or customer contracts require EU-only processing, the direct Anthropic API is not sufficient. If SCCs are acceptable for your data and risk profile, the direct API can work — but that decision requires legal input, not just a procurement assumption.
Microsoft 365 Copilot + Claude — the EU Data Boundary gap
One important caveat for companies relying on Microsoft 365 for GDPR geographic compliance: the Microsoft 365 Copilot integration with Claude is explicitly excluded from the Microsoft EU Data Boundary, effective January 2026.
This means:
- Companies using Microsoft 365 Copilot and assuming that all Copilot-connected AI services are covered by the Microsoft EU Data Boundary are wrong — Claude is not included.
- If your organisation’s data governance policy relies on the Microsoft EU Data Boundary as the geographic compliance mechanism, you cannot extend that assumption to Claude accessed through Copilot.
- Microsoft’s own documentation confirms this exclusion. Procurement and privacy teams should verify the current scope of the Microsoft EU Data Boundary against any AI tool integrations before treating them as EU-compliant by inheritance.
This is a frequently missed detail in procurement reviews. The Microsoft EU Data Boundary covers a defined set of Microsoft services — third-party AI models integrated through Copilot are not automatically included.
Practical decision guide — which setup to choose
| Scenario | Recommended path |
|---|---|
| EU-only required, existing AWS contract in place | Claude via AWS Bedrock (Frankfurt eu-central-1) |
| EU-only required, existing Google Cloud contract | Claude via Vertex AI (EU region) |
| SCCs acceptable, no EU-only requirement | Direct Anthropic API with TIA |
| Using Microsoft 365 Copilot | Cannot rely on EU Data Boundary — verify separately |
| Hybrid (some EU-only, some not) | Bedrock or Vertex AI for EU-sensitive workflows; API for others |
The right choice depends on your existing cloud infrastructure, procurement framework, and the data categories you plan to process. For most German companies with established AWS environments, Bedrock is the lowest-friction EU-hosting path for Claude.
What EU hosting does NOT solve
Choosing an EU-hosted deployment path is a necessary step for geographic compliance — but it is not a complete GDPR solution on its own.
Even with Bedrock Frankfurt or Vertex AI EU regions, you still need:
- A valid AVV (Auftragsverarbeitungsvertrag): Either the AWS DPA for Bedrock, the Google Cloud DPA for Vertex AI, or the Anthropic commercial DPA for direct use. The contract must reflect the actual processing setup.
- A subprocessor review: AWS and Google both maintain subprocessor lists. Legal should confirm that any third-country subprocessor exposure is covered by the applicable transfer mechanism.
- A DSFA (Datenschutz-Folgenabschätzung / DPIA) where required: Article 35 GDPR requires a DPIA if the processing is likely to result in a high risk to individuals. EU hosting reduces transfer risk but does not eliminate the DPIA trigger.
- Internal usage rules: Which data may be sent to Claude, by whom, under what conditions, and with what data minimisation measures — these must be documented regardless of geography.
- Works council assessment if needed: Under section 87(1) no. 6 BetrVG, employee-facing Claude deployments may trigger co-determination rights in Germany. EU hosting does not affect this analysis.
- Data minimisation and retention: EU hosting addresses geographic scope, not how long Anthropic retains your data. If your GDPR obligations include storage limitation under Article 5(1)(e) GDPR, the Claude Zero Data Retention (ZDR) agreement is a separate control that can be combined with EU hosting. ZDR commits Anthropic to not storing API inputs and outputs after the response is returned. See our Claude ZDR guide for eligibility and how to request it.
To review the Anthropic DPA and its data transfer provisions, see our Claude DPA guide. For a complete GDPR and procurement review of Claude, see our Claude Enterprise Germany guide.
FAQ
Does claude.ai offer EU servers?
No, not as of April 2026. Direct access through claude.ai or the Anthropic API defaults to US infrastructure. Companies with EU-only data residency requirements cannot rely on the consumer or standard API product for that purpose.
Which AWS Bedrock region is closest to Germany?
The primary region for German companies is eu-central-1 in Frankfurt. This is the standard choice for organisations that need German or EU-proximate data processing. Ireland (eu-west-1) and Paris (eu-west-3) are additional EU options.
Does switching to Bedrock change the legal setup for the AVV?
Yes — switching to Claude via AWS Bedrock means the primary processing contract shifts to AWS, not Anthropic. The AWS DPA governs the infrastructure layer, and Anthropic model-provider terms apply on top. This is a different legal structure than a direct Anthropic purchase and requires its own review.
Is Google Vertex AI GDPR compliant for Claude?
Vertex AI operates within Google Cloud’s GDPR framework, which provides EU-region infrastructure and a DPA structure. However, GDPR compliance for a specific Claude deployment on Vertex AI depends on how you configure the setup, which EU region you use, and whether the Google Cloud DPA covers your data categories. Individual legal advice is recommended.
Can I use Claude for work data with just SCCs from the direct API?
Possibly, but this requires a case-by-case legal analysis. SCCs are a valid Chapter V GDPR transfer mechanism, but they must be backed by a Transfer Impact Assessment and internal documentation. Whether SCCs are sufficient for your specific data types and risk level is a legal question, not a procurement assumption. Where EU-only processing is required contractually or by internal policy, the direct Anthropic API is not the right path.
Is EU data residency the same as EU hosting for GDPR purposes?
No — these are legally distinct concepts. EU hosting means the infrastructure (servers, data centres) is physically located in the European Union. EU data residency is a contractual guarantee that data will not be transferred outside the defined jurisdiction under any operational circumstance. Many enterprise procurement contracts, regulated sectors (banking, healthcare, telecom), and public authority procurement frameworks require a data residency guarantee — not just geographically proximate infrastructure. Without a contractual commitment, EU-hosted infrastructure alone does not constitute data residency.
Does Claude Enterprise include EU data residency?
No. The Claude Enterprise plan accessed via claude.ai operates on US infrastructure and does not include EU data residency as a feature. EU data residency for Claude requires a separate deployment via AWS Bedrock EU profiles or Google Cloud Vertex AI EU regions. This also changes the legal structure: the primary processing contract shifts from Anthropic to AWS or Google Cloud. Procurement teams evaluating Claude Enterprise for regulated-sector or B2B-contract use cases should confirm this distinction before assuming Enterprise equals EU residency.
Is AWS Bedrock Frankfurt sufficient for EU data residency under GDPR?
For most use cases, yes — if correctly configured. AWS eu-central-1 (Frankfurt) confirms that customer content is processed and stored within the region. The key configuration requirement is that cross-region inference profiles are disabled and the deployment is locked to eu-central-1. Whether Frankfurt residency is legally sufficient for your specific obligation — such as a B2B contract clause, regulatory requirement, or internal policy — depends on the exact wording of that obligation and may require individual legal advice for high-stakes decisions.