Claude ZDR zero data retention guide for Anthropic API and Claude Code enterprise use
tools

Claude ZDR: Zero Data Retention for Enterprise and Claude Code

Is Claude ZDR available?

Yes, but only on qualified enterprise paths. Claude ZDR is available for eligible Anthropic API usage and for Claude Code on Claude Enterprise when ZDR is enabled for the organization. It does not apply to standard Claude Team or Claude Enterprise chat interfaces.

  • Claude ZDR covers eligible API usage and Claude Code on qualified Enterprise organizations.
  • Standard Claude Team and Claude Enterprise product interfaces are not ZDR-eligible.
  • Commercial Claude Code defaults to 30-day retention unless your organization is separately approved for ZDR.
  • ZDR reduces storage risk, but it does not replace the DPA, SCCs, or EU hosting analysis.

Claude ZDR is available, but only on qualified enterprise paths. The short procurement answer is this: Claude Zero Data Retention applies to eligible Anthropic API usage and to Claude Code on Claude Enterprise when ZDR is enabled for the organization. It does not apply to the standard Claude Team or Claude Enterprise chat interfaces, and it is not included automatically just because a company bought an Enterprise plan.

That distinction matters for German buyers searching claude zdr, anthropic zdr, or claude zero data retention. In most real reviews, the question is not “Does Anthropic mention ZDR somewhere?” but which exact product path gets it, what remains excluded, and what other GDPR controls still have to be in place. This page answers that question directly and keeps the broader privacy analysis secondary.

This article is general information, not legal advice for a specific deployment. For the contract layer, start with our Anthropic DPA. For the location question, see Claude EU hosting. For the broader rollout review, see Claude Enterprise GDPR, Claude Code GDPR, and our Claude Enterprise guide.

Short verdict: who can get Claude ZDR and who cannot

The cleanest way to read Claude ZDR in 2026 is to separate the product path from the contract label.

Product pathClaude ZDR available?What matters
Claude API with eligible commercial organization API keysYesZDR applies only to eligible APIs and qualified organizations
Claude Code on Claude EnterpriseYes, if enabledZDR must be enabled for the organization; not standard by default
Claude Enterprise chat interfaceNoStandard product interface is not ZDR-eligible
Claude Team interfaceNoTeam is commercial, but the interface is not ZDR-eligible
claude.ai Pro / Free / MaxNoConsumer plans are outside ZDR scope

That table is the answer most searchers want. If your company is using the direct Claude chat product, buying Claude Enterprise does not by itself create a ZDR deployment. If your company is using Claude Code or the Anthropic API on an approved enterprise path, ZDR may be available.

This is also why the search terms anthropic zdr and claude enterprise zdr can be misleading. The decisive point is not the vendor name or plan name alone. The decisive point is which interface or API path you are actually using.

Does Claude ZDR apply to Claude Enterprise, Claude Code, or only the API?

The official Anthropic documentation now makes this split much clearer than many older explainers did.

For the API: ZDR applies to eligible Claude APIs. Anthropic’s current platform documentation specifically lists the Messages API and Token Counting API as covered.

For Claude Code: ZDR can apply, but only on the qualified enterprise path. Anthropic’s current privacy and Claude Code documentation say ZDR is available for Claude Code on Enterprise plans and is enabled per organization after eligibility review. That means a company should confirm the scope in writing during procurement, especially if multiple Anthropic organizations exist internally.

For the standard Enterprise chat product: No. Anthropic says the Claude Team and Claude Enterprise product interfaces are not ZDR-eligible, except for Claude Code when used through Claude Enterprise with ZDR enabled for the organization.

This creates the most important extractable answer on the page:

Does Claude ZDR apply to Claude Code? Yes, if your Claude Enterprise organization is separately approved and configured for ZDR. Does it apply to the ordinary Claude Enterprise chat interface? No.

That answer should drive both search snippet copy and internal procurement notes.

What Claude ZDR covers and what Anthropic may still retain

Zero Data Retention means Anthropic does not store covered customer data at rest after the API response is returned, except where retention is needed for legal compliance or misuse prevention. For German privacy teams, that is useful because it narrows the storage footprint substantially. But it is not the same as “nothing is ever kept anywhere under any circumstance.”

Three boundaries matter:

  1. ZDR is feature-scoped. It applies only to the eligible product paths described above.
  2. ZDR is organization-scoped. Anthropic applies it per organization, not as a universal account toggle across every setup you might have.
  3. ZDR is not absolute. Anthropic states that data may still be retained where needed to comply with law or combat misuse or harm, and that User Safety classifier results are still retained.

Anthropic’s platform docs also add an important nuance that procurement teams should not miss: some model or feature combinations still require retention. Anthropic documents model-specific retention requirements for certain covered models, and organizations with a ZDR arrangement may need workspace-level configuration if they want to use those models while keeping ZDR elsewhere.

That is why the right legal question is not “Do we have ZDR, yes or no?” The better question is:

  • Which interfaces are in scope?
  • Which models are in scope?
  • Which organizations are in scope?
  • What exceptions remain?

If a buyer does not document those four answers, the internal understanding of claude zdr is usually too vague to support a real data-protection sign-off.

Claude ZDR vs DPA / AVV vs SCCs vs EU data residency

Companies often collapse four separate controls into one. That is a mistake.

ControlWhat it answersWhy it still matters with ZDR
ZDRIs covered data stored after the response?Helps with storage limitation and data minimization
DPA / AVVWhat is the processor contract under Article 28 GDPR?Still required for processor use cases
SCCsWhat is the transfer mechanism for third-country processing?Still relevant if data reaches US-based infrastructure
EU data residencyWhere is the processing and storage geographically anchored?Still relevant if your contracts or sector rules require EU-only handling

ZDR does not replace the DPA or AVV. If Anthropic processes personal data on your behalf, you still need the Article 28 GDPR contract layer. Review our Anthropic DPA guide for that question.

ZDR does not replace SCCs. If the deployment still involves processing through US-based infrastructure, the Chapter V transfer analysis remains relevant.

ZDR does not create EU hosting. A company that needs EU-only architecture must still work through the deployment path separately. That is the topic of our Claude EU hosting guide.

For German buyers, this distinction is often the practical difference between a defensible internal memo and a confused one.

How to request Claude ZDR during procurement

Anthropic does not present Claude ZDR as a generic self-serve setting for every plan. The current documentation points to an account-team or sales process and says requests are reviewed per organization.

In practice, a serious procurement workflow should do at least these six things:

  1. State the requirement early. Tell Anthropic that Claude ZDR is a formal procurement requirement, not just a nice-to-have privacy feature.
  2. Name the intended path. Clarify whether the company needs ZDR for the Anthropic API, for Claude Code on Enterprise, or both.
  3. Confirm organizational scope. If your company has multiple Anthropic organizations, confirm which ones are covered.
  4. Confirm feature and model scope. Ask which APIs, models, and product surfaces are in scope and which require exceptions or retained-data overrides.
  5. Check the fallback retention position. If ZDR is not approved for a workflow, document the default retention rule that will apply instead.
  6. Mirror the answer internally. Update your RoPA, rollout memo, and internal AI policy so engineering, privacy, and procurement teams work from the same assumptions.

If the deployment includes Claude Code, ask the question in extractable terms: “Is ZDR enabled for Claude Code in our organization, and if so, does that change server-side retention only, or are there local client artifacts we still need to manage?” That matters because Anthropic’s current Claude Code documentation separately states that commercial users otherwise have 30-day retention and that Claude Code clients keep local plaintext session transcripts for 30 days by default unless the cleanup period is changed.

When ZDR is the wrong question and EU hosting matters more

Some buyers over-focus on the term zero data retention because it sounds like the strongest possible privacy control. In many German and DACH workflows, the first decisive question is actually where processing occurs, not only whether prompts are stored afterward.

ZDR is usually the right lead question when the concern is:

  • storage limitation under Article 5(1)(e) GDPR
  • minimizing vendor-side retention of prompts and outputs
  • highly confidential but not EU-localization-mandated workflows
  • internal policy rules against persistent vendor storage

EU hosting is usually the more important lead question when the concern is:

  • contractual EU-only data handling requirements
  • public-sector or regulated-industry procurement
  • professional-secrecy workflows where third-country exposure is the central issue
  • customer commitments tied to geography rather than only retention

The two controls can be combined. A company may want ZDR for storage minimization and a separate EU-hosted architecture for localization. But they should not be treated as interchangeable.

If your real question is location rather than retention, start with Claude EU hosting. If your real question is the broader controller-processor and rollout analysis, go to Claude Enterprise GDPR. If the workflow is developer-facing, review Claude Code GDPR together with this page because the local transcript cache changes the practical risk picture.

Frequently asked questions

Is Claude ZDR available?

Yes, but only on qualified enterprise paths. Anthropic’s current docs say ZDR applies to eligible Anthropic APIs and to Claude Code when used with commercial organization API keys or through Claude Enterprise with ZDR enabled for the organization.

Does Claude ZDR apply to Claude Enterprise?

Not to the standard Claude Enterprise chat interface. Anthropic says Team and Enterprise product interfaces are not ZDR-eligible, except for Claude Code when the Enterprise organization has ZDR enabled.

Does Claude ZDR apply to Claude Code?

Yes, on the qualified enterprise path. Anthropic’s current Claude Code docs say commercial users otherwise have standard 30-day retention, while ZDR for Claude Code is enabled on a per-organization basis after eligibility confirmation.

What does Claude ZDR still not cover?

It does not cover Console or Workbench usage, consumer plans such as Free, Pro, or Max, or the standard Team and Enterprise product interfaces. Anthropic also documents model-specific cases where limited retention is still required.

Does Claude ZDR replace the DPA or AVV?

No. ZDR narrows retention; it does not create the Article 28 GDPR processor contract. Companies still need the DPA or AVV, transfer review, and internal governance.

Can Claude ZDR be combined with EU hosting?

Yes. ZDR addresses storage after response; EU hosting addresses geography. Many regulated buyers need both answers documented separately.

How do we request Claude ZDR?

Through Anthropic’s enterprise process. Anthropic says requests are reviewed and applied on a per-organization basis, so companies should confirm the exact scope before rollout.

Need a Claude ZDR procurement review?

Compound Law advises companies, startups, and legal teams in Germany on AI procurement, GDPR, commercial contracts, employment law, and AI governance. If your organization needs a deployment-specific review of Claude ZDR, the Anthropic DPA, or the split between retention, transfer, and hosting controls, contact us.

Related Tool Guides

DeepL DPA and GDPR approval guide for companies in Germany
tools

DeepL DPA and GDPR in Germany: Approval Guide for Buyers

DeepL can usually be approved in Germany only on paid business plans with a signed DPA, feature review, and confidentiality checks. DeepL Free is not approved.

Cursor DPA and GDPR review for teams in Germany
tools

Cursor DPA 2026: Where to Find It and What It Covers

The Cursor DPA is public at cursor.com/terms/dpa, but German teams still need the right paid plan, Privacy Mode, and transfer review before using personal data.

DeepSeek GDPR compliance analysis for German companies
tools

Is DeepSeek GDPR Compliant? What German Companies Need to Know

Hosted DeepSeek still creates GDPR and procurement risk for German companies. Self-hosted deployments can work with EU infrastructure and proper controls.

Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Is Zapier GDPR Compliant? Germany Guide 2026

Is Zapier GDPR compliant for German companies? DPA, SCCs, EU data residency, and when Zapier is too risky for personal data workflows.

Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

HubSpot privacy and GDPR compliance for German businesses
tools

HubSpot Privacy in Germany: GDPR, DPA, and Works Council Risks

HubSpot privacy and GDPR compliance in Germany require a DPA, transfer review, EU data hosting assessment, and works council analysis.

Tool Library

Browse More AI Tools by Topic

Compare more tools, privacy issues, and deployment scenarios in the full AI tool library.

View all AI tools

Frequently asked questions

Yes. Claude ZDR is available on qualified enterprise paths, but not as a default setting. Anthropic's current documentation says ZDR applies to eligible Claude APIs and to Claude Code when used with commercial organization API keys or through Claude Enterprise with ZDR enabled for the organization.

Not to the standard Claude Enterprise product interface. Anthropic says Claude Team and Claude Enterprise interfaces are not ZDR-eligible, except for Claude Code when Claude Enterprise has ZDR enabled for the organization.

Yes, but only on the qualified enterprise path. Anthropic's current Claude Code documentation says commercial users otherwise have standard 30-day retention, and ZDR for Claude Code is enabled on a per-organization basis after Anthropic confirms eligibility.

ZDR does not turn every Anthropic product into a zero-retention service. Console and Workbench usage are excluded, Team and standard Enterprise chat interfaces are excluded, and consumer plans such as Free, Pro, and Max are excluded. Anthropic also documents model-specific cases where 30-day retention is required.

No. ZDR is a retention control, not the processor contract. If your company processes personal data through Claude, you still need the Article 28 GDPR contract layer, transfer analysis, and internal usage rules.

Yes. ZDR answers the storage question, while EU hosting answers the processing-location question. If your company needs both, you must address both separately in procurement and architecture.

Through Anthropic's enterprise or account-team process. Anthropic states ZDR is reviewed and applied on a per-organization basis, so companies should confirm the exact organizational scope, feature scope, and any excluded models before rollout.

Book Free Call