
Is Claude Code GDPR Compliant? DPA and Data Retention Guide

Short answer

Yes, Claude Code is GDPR-compliant when used via the Anthropic commercial API. A DPA under Article 28 GDPR is available, code is not used for model training by default, and zero data retention is available for Enterprise API customers.

  • A DPA under Article 28 GDPR is included in Anthropic commercial terms for all API users.
  • Claude Code does not use your code or prompts for model training by default.
  • Zero data retention and EU data residency require Claude Enterprise or API ZDR configuration.

Claude Code is GDPR-compliant when used via the Anthropic commercial API — a Data Processing Agreement (DPA) under Article 28 GDPR is available, your code and prompts are not used for model training by default, and zero data retention is available for Enterprise API customers. The main limitations are EU data residency and advanced security controls, which require Claude Enterprise or a separate API arrangement. This page explains what the Anthropic agreement covers, where your data is processed, and what German companies need to check before deploying Claude Code.

This page provides general legal information and is not individual legal advice. For related background, see our guides on the Claude DPA and Claude EU hosting.

Is Claude Code GDPR Compliant?

Yes, with caveats. Claude Code is Anthropic’s AI coding assistant — a command-line interface (CLI) tool that runs on the Anthropic API. When used via the commercial Anthropic API (not the consumer claude.ai), it is covered by Anthropic’s commercial terms, including a DPA under Article 28 GDPR.

What GDPR compliance means in practice for Claude Code:

  • Anthropic acts as a data processor processing on your instructions
  • A DPA is automatically included in the Anthropic Commercial Terms (effective January 2026)
  • Code and prompts submitted to Claude Code are not used for model training by default
  • Standard Contractual Clauses (SCCs) cover transfers to the US where Anthropic’s infrastructure operates
  • Subprocessors are listed and Anthropic commits to advance notice of material changes

What it does not automatically provide:

  • EU-exclusive data processing — code is processed on Anthropic’s US infrastructure by default
  • Zero data retention without a specific contractual arrangement
  • Audit logs or SSO, which are Enterprise-only features

The key distinction for developers and companies: Claude Code used via claude.ai or a personal account is not covered by the DPA and is subject to consumer terms. For business use, the commercial API or an Enterprise agreement is required.

Claude Code DPA: What the Anthropic Agreement Covers

Anthropic’s Data Processing Agreement is embedded in the Commercial Terms and applies automatically to all commercial API customers, including Claude Code CLI deployments. No separate signature or negotiation is required for standard deployments.

The DPA covers the mandatory elements under Article 28 GDPR:

DPA element | Covered by Anthropic
Subject matter and purpose of processing | Yes
Processing on instructions only | Yes
Confidentiality obligations | Yes
Technical and organisational measures (Art. 32 GDPR) | Yes
Subprocessor list and approval process | Yes
Support with data subject rights | Yes
Deletion or return at end of contract | Yes
SCCs for third-country transfers | Yes (EU SCCs, Module 2)

The DPA is not available as a standalone PDF download. You access it through the Anthropic customer portal at console.anthropic.com. For more detail on the DPA contents and how to review it for procurement purposes, see our dedicated guide on the Claude DPA.

Subprocessors: Anthropic uses a limited number of infrastructure subprocessors. Amazon Web Services (primarily US East) and Google Cloud are the key ones. Anthropic maintains a subprocessor list and commits to advance notice before adding subprocessors that materially affect data processing.

Data Retention: Does Claude Code Store Your Code?

This is one of the most common questions from German developers and security teams. The answer depends on how you use Claude Code and your agreement tier.

Default behaviour (commercial API):

  • Prompts and code submitted to Claude Code are processed transiently — used to generate a response and then discarded
  • Anthropic does not use API prompts for model training by default
  • A limited retention window may apply for safety and abuse monitoring, but this is separate from training use

Important caveat: “not used for training” is not the same as “zero data retention”. Anthropic may retain prompt data for a limited period for operational and safety purposes. If your organisation needs contractual confirmation that no data is retained beyond the processing window, you need Zero Data Retention (ZDR) — covered in the next section.

Claude.ai vs commercial API: When developers use the claude.ai web interface for code review, different consumer terms apply. Always ensure your team is using the commercial API or Enterprise deployment for business code.

EU Data Residency & Claude Code

EU data residency is not available natively via the Anthropic API for Claude Code. By default, Claude Code requests are processed on Anthropic’s infrastructure in the United States. The SCCs in the DPA provide the legal transfer mechanism for GDPR purposes but do not change where processing physically occurs.

If your organisation needs processing within EU borders — due to internal policy, sector regulation, or contractual requirements — there are two paths:

  1. AWS Bedrock (Frankfurt, Ireland, Paris): Deploy Claude via Amazon Bedrock with an EU profile. Claude Code can be pointed to Bedrock as its API endpoint, with processing anchored to the selected EU region.

  2. Google Cloud Vertex AI (EU regions): Vertex AI offers Claude models in European regions. With appropriate region-lock configuration, prompt data does not leave EU infrastructure.

Both options require a Claude Enterprise agreement and additional AWS or GCP configuration. For a full comparison of EU hosting options, see our guide on Claude EU hosting.

Zero Data Retention (ZDR) — Available for API Users

Zero Data Retention (ZDR) is a contractual commitment from Anthropic that no prompt data is retained after the API response is returned — not even for safety monitoring. It is available for customers with specific contractual arrangements.

Who can get ZDR:

  • Enterprise API customers can request ZDR as part of contract negotiations with Anthropic
  • Standard commercial API customers do not get ZDR automatically — Anthropic’s standard operational data retention policy applies

When ZDR matters most:

  • Source code containing trade secrets or proprietary algorithms
  • Code related to regulated sectors (finance, healthcare, insurance)
  • Employee code subject to co-determination or strict confidentiality agreements
  • Workflows where legal or regulatory frameworks require specific data minimisation commitments

If ZDR is a compliance requirement for your organisation, address it before deployment as part of the Enterprise procurement process — it is not included by default.

Claude Code vs Claude Enterprise: Key GDPR Differences

Claude Code is a tool, not a plan tier. It runs on Anthropic API access, which can be either the standard commercial API or the Enterprise tier. The table below compares the relevant compliance features:

Feature | Standard API (Claude Code CLI) | Claude Enterprise
DPA under Article 28 GDPR | Yes | Yes
Training opt-out | Yes | Yes
Zero data retention | No (requires separate arrangement) | Configurable
EU data residency | No (SCCs only) | Configurable (Bedrock / Vertex)
SSO / SCIM | No | Yes
Audit logs | No | Yes
Custom data retention policy | No | Yes
Minimum commitment | Pay-as-you-go | Annual contract

For most development teams with standard workflows and no special data categories, the commercial API with Claude Code CLI is sufficient from a GDPR perspective. Teams processing sensitive code, operating in regulated industries, or with strict data localisation requirements should evaluate Claude Enterprise or a ZDR arrangement. For a detailed comparison of Claude plans for business use, see our guide on Claude Enterprise.

Checklist for German Companies Using Claude Code

Before rolling out Claude Code across a development team, work through the following seven steps:

  1. Confirm commercial API access. Ensure developers access Claude Code via the commercial API tier, not claude.ai personal accounts. The DPA only applies to commercial customers.

  2. Document the DPA. Download and archive the current Anthropic Commercial Terms from console.anthropic.com. Keep a dated copy in your internal vendor documentation.

  3. Review subprocessors. Check the Anthropic subprocessor list against your internal vendor approval register. Note subprocessors outside the EEA and confirm SCCs are documented in your records.

  4. Update your records of processing activities (Article 30 GDPR). Add Claude Code as a new processor entry: purpose (AI code assistance), data categories (source code, prompts, possibly personal data embedded in code), transfer mechanism (SCCs to US), and retention policy.

  5. Conduct a DPIA threshold assessment (Article 35 GDPR). Claude Code for individual developer productivity rarely triggers a mandatory DPIA. However, automated code review at scale, processing personal data in code, or use cases adjacent to employee monitoring require a threshold assessment.

  6. Works council (Betriebsrat) notification. If your company has a works council, introducing Claude Code — particularly for code review or developer performance analysis — may trigger co-determination rights under § 87(1)(6) BetrVG. Involve your Betriebsrat before rollout.

  7. Set internal usage guidelines. Define what may and may not be submitted to Claude Code: no customer personal data without appropriate safeguards, no trade secrets without ZDR in place, no special-category data. Train developers accordingly.

When You Need More Than General Guidance

This guide covers the typical scenario. Additional legal review is warranted when:

  • Regulated sector: your company operates in finance, healthcare, or insurance where sector-specific obligations layer on top of GDPR
  • Employee code review at scale: using Claude Code to systematically review employee-written code raises data protection and labour law questions
  • Source code with embedded personal data: code that processes or contains personal data (health records, financial data, biometrics) requires careful scoping
  • Strict data localisation: your contracts or sector regulation require EU-only processing
  • Works council questions: you have a Betriebsrat with open questions on AI tool adoption

Compound Law advises businesses, development teams, and in-house counsel in Germany on GDPR, AI procurement, and commercial contracts. If you need a specific review of your Claude Code deployment, contact us.


This guide provides general legal information and does not replace individual legal advice. Data protection assessments — particularly DPIA decisions and contract analysis — require advice tailored to your specific situation.


Is Claude Code GDPR Compliant?

Yes. Claude Code used via the Anthropic commercial API is covered by a DPA under Article 28 GDPR, which is embedded in the Anthropic Commercial Terms (effective January 2026). Code and prompts are not used for model training by default.

Does Claude Code Have a DPA?

Yes. Anthropic provides a Data Processing Agreement for all commercial API customers. The DPA covers the mandatory Article 28 GDPR requirements: processing instructions, subprocessor management, SCCs for US transfers, technical and organisational measures, and data subject rights support.

Does Claude Code Store My Code?

Claude Code processes prompts transiently and does not use them for model training by default. A limited retention window may apply for operational purposes. Zero data retention can be contractually guaranteed for Enterprise API customers.

Is There EU Data Residency for Claude Code?

Not by default. EU data residency for Claude Code requires deploying via AWS Bedrock Frankfurt or Google Cloud Vertex AI EU regions under a Claude Enterprise or commercial API agreement with appropriate regional configuration.

What Are the Claude Code Subprocessors?

Anthropic uses Amazon Web Services and Google Cloud as key infrastructure subprocessors. The full subprocessor list is available in the Anthropic commercial terms and privacy policy, and Anthropic commits to advance notice of material changes.


Frequently asked questions

Is Claude Code GDPR compliant?

Yes. Claude Code used via the Anthropic commercial API includes a DPA under Article 28 GDPR. Code and prompts are not retained for model training by default.

Does Claude Code have a DPA?

Yes. Anthropic provides a Data Processing Agreement for all commercial API customers. The DPA is embedded in the Anthropic Commercial Terms, effective from January 2026.

Does Claude Code store my code?

Claude Code does not store your code for model training by default. Prompts are processed transiently. Zero data retention can be contractually guaranteed for Enterprise API customers.

Is there EU data residency for Claude Code?

Not natively via the Anthropic API. EU data residency requires deploying via AWS Bedrock Frankfurt or Google Cloud Vertex AI EU regions under a Claude Enterprise or API agreement.

What are the Claude Code subprocessors?

Anthropic lists subprocessors in its commercial terms and privacy policy. Key infrastructure partners include Amazon Web Services and Google Cloud. The subprocessor list is updated as Anthropic adds infrastructure.
