Anthropic DPA: GDPR-Compliant Data Processing Agreement for Germany
Does Anthropic provide a DPA for Claude?
Yes. Anthropic provides a Data Processing Agreement with SCCs for commercial products including Claude Enterprise and the Claude API. Whether the Anthropic DPA is sufficient for a specific German deployment depends on the workflow, data types, and internal compliance requirements.
- The Anthropic DPA is incorporated into the commercial terms and includes SCCs for international data transfers.
- Companies must review processor role allocation, retention periods, subprocessors, and transfer paths for their specific use case.
- Employee data, Article 9 GDPR special-category data, and highly confidential documents each require stricter individual review.
Yes, Anthropic provides a Data Processing Agreement (DPA) for commercial Claude products, including the Claude API and Claude Enterprise. The Anthropic DPA is the contractual instrument that covers processor obligations under Article 28 GDPR. It is incorporated into Anthropic’s commercial terms and accessed electronically through the Anthropic customer portal — it is not available as a standalone PDF download. For companies in Germany, the critical question is not merely whether the Anthropic DPA exists, but whether it fits the specific deployment, the data types processed, and the organization’s GDPR obligations. This page explains how to access the Anthropic DPA, what it covers, and when a deeper legal review is required.
This page provides general information and is not legal advice for a specific situation. For a full GDPR review framework for Claude deployments, see our page on Claude GDPR. For a broader overview of using Claude under German law, see our page on Claude Enterprise.
How to Access the Anthropic DPA
The Anthropic DPA is not available as a standalone PDF download. It is incorporated into the commercial terms and accessed electronically through the Anthropic customer portal. Free Claude.ai users cannot access a DPA — the agreement requires a paid API or Enterprise plan.
Three steps to access the Anthropic DPA:
- Log into the Anthropic Console: Sign in at console.anthropic.com (for API customers) or contact your Anthropic Enterprise account representative.
- Navigate to privacy or legal settings: The current DPA is accessible within the portal under data privacy or contract settings. Anthropic also provides guidance on signing the DPA via help.anthropic.com.
- Confirm electronically: The DPA is not executed as a separate paper document. It is countersigned electronically within the portal and incorporated into your commercial agreement on confirmation.
Note: Only customers on a paid Anthropic contract — the Claude API or Claude Enterprise — can access a DPA. Free-tier Claude.ai users do not have access to a data processing agreement and should not process personal data that requires one.
DPA and Data Processing Agreement — Same Document, Different Labels
In international procurement contexts the term Data Processing Agreement (DPA) is standard. It is the English-language equivalent of the German Auftragsverarbeitungsvertrag (AVV) under Article 28 GDPR. From a GDPR perspective, Anthropic acts as a data processor for commercial products such as Claude Enterprise and the Claude API, because the company processes personal data on behalf of the customer-controller.
One important distinction applies:
- Direct contract with Anthropic (Claude Enterprise, Claude API): The Anthropic commercial terms, including the DPA and SCCs, govern the processor relationship.
- Access through a third-party platform (e.g., Amazon Bedrock, other cloud providers): That provider’s own contract stack is controlling — not the Anthropic DPA.
This distinction has significant legal consequences for procurement. Companies using Claude via Amazon Bedrock review the AWS contract stack, not the Anthropic DPA.
What the Anthropic DPA Covers Under Article 28 GDPR
Article 28 GDPR mandates that any data processing agreement between a controller and processor cover specific elements. Legal and privacy teams should verify whether the Anthropic DPA addresses each element for the specific deployment:
| Required element | What to check |
|---|---|
| Subject matter and duration | Is the processing scope described with enough precision for the intended workflow? |
| Nature and purpose of processing | Do the stated purposes match the actual use of Claude in the organization? |
| Categories of personal data | Are all data types involved in the workflow covered? |
| Categories of data subjects | Are customers, employees, and users correctly identified? |
| Processor instructions | Is Anthropic contractually bound to process only on documented instructions? |
| Confidentiality obligations | Are Anthropic personnel bound by confidentiality commitments? |
| Security measures (Article 32 GDPR) | Are technical and organizational measures specified with enough detail? |
| Subprocessors | Is there a current subprocessor list and a defined approval mechanism for changes? |
| Data subject rights | Is Anthropic required to support access, deletion, and correction requests? |
| Deletion and return | Are timelines and options for data deletion after termination specified? |
| Audit rights | Can the company request audit support or documentation from Anthropic? |
The Anthropic DPA addresses these mandatory elements in principle. Legal teams should review whether the current contract version and associated service documentation align with the specific workflow and data categories planned for deployment.
International Transfers and SCCs in the Anthropic DPA
A common question for German procurement teams is whether data stays within the EU. Anthropic processes data on infrastructure that may not be located exclusively within the EEA. The primary transfer mechanism is Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, which Anthropic incorporates automatically into the commercial terms.
Despite the inclusion of SCCs, companies must still carry out their own transfer analysis:
- Document transfer paths. Identify which countries outside the EEA may receive data — covering storage, processing, and potential support access.
- Review the subprocessor list. Anthropic uses its own subprocessors. Verify whether these operate outside the EEA and whether SCCs have been passed down the chain.
- Consider a Transfer Impact Assessment. For sensitive data categories or stricter internal policies, a dedicated Transfer Impact Assessment may be required even where SCCs are in place.
- Distinguish EU hosting from EU-only processing. These terms are often used interchangeably but carry different legal weight. If strict data residency is required, confirm the actual architecture in writing. See our page on Claude EU hosting for more detail.
The Anthropic DPA for Different Data Types
How well the Anthropic DPA covers a specific deployment depends significantly on which data types flow through the workflow.
Customer data
Claude can be used in customer data workflows in many cases, provided the workflow is carefully designed. Lower-risk scenarios typically involve limited metadata, pseudonymized content, or non-sensitive operational data with human review at the output stage. The review becomes more demanding for large-scale customer communication ingestion, complaint handling, or contract analysis involving identifiable individuals.
Employee data
Employee data requires stricter review in Germany. Where Claude is used for hiring, performance evaluation, productivity analysis, or workplace monitoring, co-determination rights under section 87(1) no. 6 BetrVG may become relevant. In some cases a Data Protection Impact Assessment (DPIA) under Article 35 GDPR will also be required. The Anthropic DPA alone does not resolve these labor-law questions.
Special-category data (Article 9 GDPR)
Health data, biometric data, union membership, or other Article 9 GDPR categories require a significantly higher standard of justification. A standard enterprise rollout is usually not sufficient. Deployment of Claude for these data types requires not only a valid DPA but also a legal basis under Article 9(2) GDPR and in many cases a DPIA.
Trade secrets and confidential documents
Not every legal risk is a privacy risk. Companies considering Claude for due diligence documents, term sheets, M&A preparation, or internal investigations need to review confidentiality obligations, access controls, and internal approval processes separately from the DPA review.
Anthropic DPA Review Checklist Before Rollout
Before deploying Claude Enterprise or the Claude API in production, legal and privacy teams should work through the following steps:
- Access the DPA and compare it against the planned workflow. Verify that the stated subject matter, purposes, and data categories in the contract match what the organization actually intends to process.
- Confirm processor role allocation. Document that Anthropic is acting as a processor for the relevant workflow, and record the organization’s controller responsibilities.
- Document SCCs and transfer paths. Map which countries outside the EEA are involved and record the transfer mechanism in the record of processing activities.
- Review and register subprocessors. Request the current subprocessor list from Anthropic and document the review in the vendor management system.
- Assess employee data and Article 9 data separately. Identify early whether works council involvement, HR sign-off, or a DPIA is required before rollout.
When the Anthropic DPA Is Not Enough on Its Own
The Anthropic DPA is a necessary starting point but not a sufficient basis for all Claude deployments. A more detailed legal review is regularly required where:
- the Claude workflow processes large volumes of customer communications, contract documents, or support tickets
- the deployment involves employee data, recruitment data, or performance-related analysis
- special categories of personal data under Article 9 GDPR are involved
- strict EU-only data residency or specific certification requirements apply
- sector-specific regulation applies, such as financial services, healthcare, or regulated professional advice
In these scenarios, checking the DPA box is not enough. What is required is a full assessment covering the DPA, processing architecture, legal basis, transfer mechanism, and internal governance rules. For the complete GDPR review framework for Claude, see our page on Claude GDPR compliance.
Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, AI contracts, and AI procurement. If you want to review the Anthropic DPA or another AI vendor contract before rollout, contact us.
FAQ
What is the Anthropic DPA?
The Anthropic DPA is the Data Processing Agreement Anthropic provides for commercial Claude products under Article 28 GDPR. It is incorporated into the commercial terms and includes Standard Contractual Clauses (SCCs) for international data transfers. For German companies, the key question is whether the DPA fits the specific deployment and data types involved.
Does Anthropic offer a DPA for Claude Enterprise?
Yes. Anthropic states that its DPA with SCCs is incorporated into the commercial terms for Claude Enterprise and the Claude API. Companies should still verify whether the contract fits their specific deployment and data flows.
Is the Anthropic DPA sufficient for Article 28 GDPR compliance?
The Anthropic DPA covers the mandatory Article 28 GDPR content in principle. Whether it is sufficient depends on whether processor role allocation, data categories, transfer paths, and subprocessors are correctly mapped to the actual workflow.
Does the Anthropic DPA apply to the Claude API?
Yes. Anthropic states the DPA with SCCs applies to commercial products including the Claude API. Companies using Claude through a third-party platform such as Amazon Bedrock must review that platform’s contract stack separately, as the Anthropic DPA does not directly govern those deployments.
What does the Anthropic DPA cost?
Anthropic does not offer a separately priced DPA. It is included as part of the commercial terms for paid products such as Claude Enterprise and the Claude API.
Who needs to sign the Anthropic DPA?
When contracting directly with Anthropic, the DPA is incorporated into the commercial terms and is not executed as a standalone document. Companies should access the current version electronically, document the review internally, and retain a copy alongside their record of processing activities.
Where can I download the Anthropic DPA?
The Anthropic DPA is not available as a standalone PDF. It is incorporated into the commercial terms and accessed electronically through the Anthropic customer portal at console.anthropic.com. For enterprise customers, access is confirmed through the account management process. Additional guidance is available at help.anthropic.com.
Does the Anthropic DPA cover the free Claude.ai plan?
No. A data processing agreement is only available to customers on a paid Anthropic plan — the Claude API or Claude Enterprise. Free Claude.ai accounts do not have access to a DPA. Companies that need a DPA in place before processing personal data must use a paid Anthropic product.
