Claude Business, Team & Enterprise: Which Plan Includes a GDPR DPA?

Which Claude plan includes a GDPR data processing agreement?

There is no official Claude Business plan. Anthropic offers Claude Pro (individual), Claude Team (business, DPA included), and Claude Enterprise (custom, DPA included). Only Team and Enterprise are suitable for GDPR-compliant business data processing.

• Claude Pro is an individual-use plan with no DPA — not suitable for business personal-data processing under GDPR.
• Claude Team includes an automatic DPA with SCCs and is the minimum compliant tier for businesses.
• Claude Enterprise adds SSO, audit logs, and optional Zero-Data-Retention for higher-risk workflows.

There is no official plan called Claude Business. Anthropic’s three commercial tiers are Claude Pro (individual), Claude Team (entry-level business), and Claude Enterprise (custom). Buyers searching for a Claude Business plan are typically looking for the business-grade tier — and the critical GDPR question they are really asking is: which plan includes a data processing agreement (DPA) under Article 28 GDPR? The answer is Claude Team and Claude Enterprise. Claude Pro and Claude Free do not include a DPA and are not suitable for processing personal data in a business context. This page explains the tier differences, the GDPR implications of each, and what German companies need to review before deploying Claude. For the full DPA review, see our dedicated Claude DPA page. For the end-to-end GDPR framework, see our Claude GDPR compliance page.

Claude Plans Explained — Pro, Team, and Enterprise

Many buyers and even some procurement teams still search for a Claude Business plan. This term does not appear in Anthropic’s current pricing. Anthropic previously used different tier naming, and third-party sources sometimes still reference old terminology — which explains the confusion. As of 2026, the current tiers are:

• Claude Free — no-cost, consumer plan, no DPA
• Claude Pro — paid, individual-use plan, no DPA
• Claude Team — business plan, DPA included automatically, minimum 5 users
• Claude Enterprise — custom-quoted enterprise plan, DPA included, full governance controls

The practical GDPR consequence is immediate: only Claude Team and Claude Enterprise give companies the contractual foundation needed to use Claude as a data processor under Article 28 GDPR. Free and Pro are consumer products — using them to process business personal data is not legally defensible.

Claude plan comparison for GDPR compliance

Plan	DPA/AVV included	SSO	Audit logs	Zero-Data-Retention	Suitable for GDPR business use
Claude Free	No	No	No	No	No
Claude Pro	No	No	No	No	No
Claude Team	Yes (automatic)	No	No	No	Yes — min. 5 users
Claude Enterprise	Yes (automatic)	Yes	Yes	Optional add-on	Yes
Anthropic API	Yes (automatic)	—	—	Optional	Yes

What happened to Claude Business?

Anthropic has updated its tier naming over time. Some legacy documentation, third-party comparison tools, and media coverage still reference a “Claude Business” plan — this label is no longer used by Anthropic. If a vendor, broker, or internal procurement document references Claude Business, it almost certainly refers to what is now Claude Team or, in the context of larger organisations, Claude Enterprise.

For German companies running a GDPR vendor assessment, this naming confusion matters. A reference to “Claude Business” in a risk register or data processing record should be clarified against the current Anthropic commercial terms — the actual tier name affects which DPA version, which SCC wording, and which product terms apply.

Claude Pro and GDPR — Why Individual Plans Are Not GDPR-Safe for Companies

This is one of the most common and consequential mistakes in practice. Employees often use personal Claude Pro subscriptions for work tasks. From a GDPR perspective, this creates a direct violation wherever company or customer personal data is involved.

The problem is structural, not behavioural:

• No DPA: Claude Pro is governed by Anthropic’s consumer terms, not commercial terms. There is no processor agreement. This means Anthropic is not acting as a processor under Article 28 GDPR — the controller-processor relationship that GDPR requires simply does not exist.
• Wrong role allocation: A personal subscription means the employee is the contracting party, not the company. The company is not even a party to the Anthropic contract, let alone a controller with a valid processor relationship.
• Training risk: Consumer plans may not carry the same data-use commitments as commercial plans. This makes retention and training-data risk harder to assess.

The practical rule for German companies: if employees are processing personal data — customer names, contact details, communication content, HR data — they must not use Claude Pro or Claude Free for those tasks. The minimum compliant route is a company Claude Team subscription.

A useful internal governance measure is an explicit AI usage policy that names the approved tools and tiers, specifies what data categories may be used with each tool, and prohibits employees from routing company or customer data through personal AI subscriptions. For guidance on AI policies for businesses in Germany, see our Claude Enterprise overview.

Claude Team and GDPR

Claude Team is Anthropic’s entry-level business tier and the minimum compliant plan for GDPR-regulated use. It includes an automatic DPA with Standard Contractual Clauses and is priced at approximately €25 per user per month on annual billing, with a minimum of five users.

What Claude Team includes for GDPR purposes

• DPA with SCCs: The Anthropic Data Processing Addendum is incorporated automatically into the commercial terms. No separate signature is required for standard deployment, but companies should review and document the current DPA version.
• Standard Contractual Clauses: SCCs cover international data transfers from the EU to Anthropic’s processing infrastructure. Companies still need to carry out their own transfer analysis and document it in the record of processing activities.
• No training on customer data: Anthropic states that commercial customer data is not used to train models by default. This applies to Claude Team.
• 5-user minimum: The 5-user minimum is a commercial requirement, not a GDPR constraint, but smaller teams need to plan for it.

When Claude Team is sufficient

Claude Team is generally suitable for lower-risk internal productivity workflows — drafting, summarisation, research support, structured knowledge work — where employees avoid routing unnecessary personal data through the system. It is the right starting point for most SME deployments in Germany.

When Claude Team is not enough

Claude Team lacks several governance controls that become important for more sensitive use cases:

• No SSO: This matters for IT governance, identity management, and compliance with internal access-control policies.
• No audit logs: If the deployment involves sensitive workflows where an audit trail is required for internal oversight or regulatory documentation, Claude Team does not provide this out of the box.
• No Zero-Data-Retention: For workflows involving highly confidential material, the lack of ZDR means prompt data may be retained under Anthropic’s standard retention schedule.

If any of these gaps are blockers, the correct tier is Claude Enterprise.

Claude Enterprise and GDPR

Claude Enterprise is Anthropic’s full-governance business tier, custom-quoted and designed for organisations with stricter compliance requirements. It includes everything in Claude Team, plus SSO, audit logs, custom system prompts, a significantly expanded context window, and the optional Zero-Data-Retention (ZDR) add-on.

What Claude Enterprise adds for GDPR purposes

• SSO and admin controls: Centralised user management and single sign-on integration make Claude Enterprise appropriate for organisations with IT governance or identity-management requirements — typical in larger German companies and regulated sectors.
• Audit logs: Activity and usage logs support internal oversight, vendor-risk documentation, and compliance reporting. In Germany, these also contribute to demonstrating accountability under Article 5(2) GDPR.
• Zero-Data-Retention (ZDR): With ZDR enabled, inputs and outputs are not stored after the request completes. This is especially relevant for M&A preparation, legally privileged communications, board-level documents, and other workflows where standard retention is unacceptable.
• Custom system prompts: Organisations can set governance guardrails at the organisational level — relevant for defining consistent, policy-compliant input boundaries across all users.

When companies need Claude Enterprise

Claude Enterprise is the appropriate tier where:

• the deployment involves employee data, HR analytics, or workflows with monitoring or evaluation effects — triggering stricter review under GDPR and potentially co-determination requirements under section 87(1) no. 6 BetrVG
• the organisation is in a regulated sector such as financial services, healthcare, or professional advisory services
• audit logs are required for internal compliance reporting or regulatory inspection
• the ZDR add-on is needed for high-sensitivity document workflows
• IT governance requires SSO and centralised access management
• the workflow involves large documents requiring a significantly wider context window

For a full review of Claude Enterprise from a German law perspective, see our Claude Enterprise guide.

What to Check Before Buying Any Claude Plan

Regardless of which Claude tier a company selects, the GDPR compliance work does not end at purchase. A DPA being included in the commercial terms is a starting point, not a complete GDPR answer.

Six checks before rollout

1. Confirm the exact deployment path. If Claude is accessed directly from Anthropic, the Anthropic commercial terms apply. If accessed through a third-party platform such as AWS Bedrock or Google Vertex AI, the relevant contract stack changes. EU-only data residency is only architecturally available via AWS Bedrock EU regions or Google Vertex AI EU profiles — not directly from Anthropic.

2. Document the legal basis under Article 6 GDPR. The most common bases for business Claude use are Article 6(1)(f) legitimate interests (with a documented balancing test) or Article 6(1)(b) contract performance. The chosen basis must be documented before deployment.

3. Review the DPA against the actual workflow. Verify that the purposes, data categories, and instructions language in the DPA match how Claude will actually be used. A generic DPA reference does not substitute for a use-case-specific review.

4. Cover international transfers. The SCCs in Anthropic’s commercial terms provide the transfer mechanism, but companies must still map the actual transfer path, document it in the record of processing activities, and assess whether a Transfer Impact Assessment is required.

5. Assess DPIA obligation. Workflows involving systematic profiling, employee evaluation, large-scale processing of sensitive data, or automated decisions with significant individual effects require a Data Protection Impact Assessment under Article 35 GDPR.

6. Check works council requirements. If Claude is deployed in ways that affect employees — productivity tools, HR analytics, monitoring-adjacent workflows — works council involvement under section 87(1) no. 6 BetrVG may be mandatory before rollout. This is a German labour-law requirement separate from the GDPR review.

This page is general information and not legal advice for a specific implementation. Compound Law advises businesses, startups, and in-house legal teams in Germany on GDPR, AI procurement, commercial contracts, and employment law. If you want to assess which Claude plan fits your GDPR requirements or review the Anthropic DPA for your specific use case, contact us.

FAQ

Does Anthropic offer a Claude Business plan?

No. Anthropic does not use the name “Claude Business” for any current tier. The commercial plans are Claude Pro (individual, no DPA), Claude Team (business, DPA included, minimum 5 users), and Claude Enterprise (custom, full governance). Buyers searching for “Claude Business” are typically looking for Claude Team or Claude Enterprise.

Which Claude plan includes a GDPR data processing agreement?

Claude Team and Claude Enterprise both include an automatic DPA with Standard Contractual Clauses. The DPA is incorporated into Anthropic’s commercial terms and does not require a separate signature for standard deployments. Claude Free and Claude Pro do not include a DPA and cannot be used for GDPR-regulated business personal-data processing.

Is Claude Team GDPR compliant for businesses in Germany?

Claude Team can support GDPR-compliant use. It includes a DPA and SCCs, and Anthropic states that commercial data is not used to train models by default. Compliance still depends on the specific use case, the documented legal basis under Article 6 GDPR, data category analysis, transfer documentation, and appropriate technical safeguards.

What is the difference between Claude Team and Claude Enterprise?

Claude Team is the entry-level business tier: DPA included, 5-user minimum, approximately €25 per user per month, no SSO or audit logs. Claude Enterprise is custom-quoted and adds SSO, audit logs, custom system prompts, a larger context window, and the optional Zero-Data-Retention add-on. For organisations with stricter governance, audit, or residency requirements, Claude Enterprise is the appropriate choice.

Can employees use personal Claude Pro subscriptions for work?

Not for work involving personal data. Claude Pro is a consumer plan with no DPA. Employees processing company or customer personal data through a personal Claude Pro account create a GDPR violation — there is no processor agreement in place, and Anthropic is not acting as a processor. The minimum compliant option for business personal-data use is a company Claude Team subscription.

When does a company need Claude Enterprise instead of Claude Team?

Claude Enterprise is appropriate when the organisation needs SSO, audit logs, custom governance controls, or the optional Zero-Data-Retention add-on. It is also the practical choice for regulated-sector deployments, employee data workflows, M&A-sensitive document processing, and any use case where stricter oversight, a larger context window, or a documented audit trail is required.