Book Free Call
Claude data processing agreement Article 28 GDPR review for Germany
tools

Claude Data Processing Agreement: Does Anthropic Offer a DPA?

Does Anthropic provide a Data Processing Agreement for Claude?

Yes. Anthropic offers a Data Processing Agreement (DPA) with Standard Contractual Clauses for commercial products including Claude Enterprise and the Claude API. Whether that DPA is sufficient for a specific German deployment depends on the workflow, data types, and internal compliance requirements.

  • The Anthropic DPA is incorporated into the commercial terms and includes SCCs for international data transfers.
  • Companies must review processor role allocation, retention periods, subprocessors, and transfer paths for their specific use case.
  • Employee data, Article 9 GDPR special-category data, and highly confidential documents each require stricter individual review.

Yes, Anthropic provides a Data Processing Agreement (DPA) for its commercial products, including Claude Enterprise and the Claude API. The DPA incorporates Standard Contractual Clauses (SCCs) and is built into Anthropic’s commercial terms. For companies in Germany, the relevant question is not simply whether a DPA exists — it is whether this DPA fits the specific Claude deployment, the data types involved, and the company’s GDPR obligations. This page covers what the Claude DPA contains, what Article 28 GDPR requires, and when additional review is necessary.

This page provides general information and is not legal advice for a specific situation. For a broader overview of using Claude Enterprise under German law, see our page on Claude Enterprise.

Does Anthropic Offer a Data Processing Agreement?

Anthropic states in its commercial documentation that a DPA with Standard Contractual Clauses is automatically incorporated into the commercial terms for its commercial products. This applies to:

  • Claude Enterprise and Claude for Work purchased directly from Anthropic
  • Claude API used directly through Anthropic

An important distinction applies when Claude is accessed through a third-party platform. If a company uses Claude via Amazon Bedrock or another cloud provider, that provider’s own contract stack — not Anthropic’s DPA — governs the processor relationship. In those cases, the Anthropic DPA is not directly relevant, and the platform vendor’s DPA must be reviewed instead.

What Does the Claude DPA Cover Under Article 28 GDPR?

Article 28 GDPR mandates that any data processing agreement between a controller and processor cover specific content. Legal and privacy teams should verify whether the Anthropic DPA addresses each element for the specific deployment:

Required elementWhat to check
Subject matter and durationIs the processing scope described with enough precision for the intended workflow?
Nature and purpose of processingDo the stated purposes match actual use of Claude in the organization?
Categories of personal dataAre all data types involved in the workflow covered?
Categories of data subjectsAre customers, employees, and users correctly identified?
Processor instructionsIs Anthropic contractually bound to process only on documented instructions?
Confidentiality obligationsAre Anthropic personnel bound by confidentiality commitments?
Security measures (Article 32 GDPR)Are technical and organizational measures specified with enough detail?
SubprocessorsIs there a current subprocessor list and a defined approval mechanism for changes?
Data subject rightsIs Anthropic required to support access, deletion, and correction requests?
Deletion and returnAre timelines and options for data deletion after termination specified?
Audit rightsCan the company request audit support or documentation from Anthropic?

The Anthropic DPA addresses these mandatory elements in principle. However, legal teams should review whether the current contract version and associated service documentation align with the specific workflow and data categories planned for deployment.

International Transfers and SCCs in the Claude DPA

A common question for German procurement teams is whether data stays within the EU. Anthropic processes data on infrastructure that may not be located exclusively within the EEA. Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR are the primary transfer mechanism Anthropic relies on for international transfers.

Anthropic states that SCCs are automatically included in the commercial terms. Despite this, companies should carry out their own transfer analysis:

  • Document transfer paths. Identify which countries outside the EEA may receive data — covering storage, processing, and potential support access.
  • Review the subprocessor list. Anthropic uses its own subprocessors. Check whether these operate outside the EEA and whether SCCs have been passed down the chain.
  • Consider a Transfer Impact Assessment. For sensitive data categories or stricter internal policies, a dedicated Transfer Impact Assessment may be required even where SCCs are in place.
  • Distinguish EU hosting from EU-only processing. These terms are often used interchangeably but carry different legal weight. If strict data residency is required, confirm the actual architecture in writing rather than relying on sales materials.

Claude DPA for Different Data Types

How well the Claude DPA serves a specific deployment depends significantly on which data types flow through the workflow.

Customer data

Claude can be used in customer data workflows in many cases, provided the workflow is carefully designed. Lower-risk scenarios typically involve limited metadata, pseudonymized content, or non-sensitive operational data with human review at the output stage. The review becomes harder for large-scale customer communication ingestion, complaint handling, or contract analysis involving identifiable individuals.

Employee data

Employee data requires stricter review in Germany. Where Claude is used for hiring, performance evaluation, productivity analysis, or workplace monitoring, the question is no longer only about GDPR. Co-determination rights under section 87(1) no. 6 BetrVG may become relevant. In some cases a Data Protection Impact Assessment (DPIA) under Article 35 GDPR will be required. The DPA alone does not resolve these labor-law questions.

Special-category data (Article 9 GDPR)

Health data, biometric data, union membership, or other Article 9 GDPR categories require a significantly higher standard of justification. A standard enterprise rollout process is usually not enough. Deployment of Claude for these data types requires not only a valid DPA but also a legal basis under Article 9(2) GDPR and in many cases a DPIA.

Trade secrets and confidential documents

Not every legal risk is a privacy risk. Companies considering Claude for due diligence documents, term sheets, M&A preparation, or internal investigations need to review confidentiality obligations, access controls, and internal approval processes separately from the DPA review.

DPA Review Checklist Before Claude Rollout

Before deploying Claude Enterprise or the Claude API in production, legal and privacy teams should work through the following steps:

  1. Download the DPA and compare it against the planned workflow. Verify that the stated subject matter, purposes, and data categories in the contract match what the organization actually intends to process.
  2. Confirm processor role allocation. Document that Anthropic is acting as a processor for the relevant workflow, and record the organization’s controller responsibilities.
  3. Document SCCs and transfer paths. Map which countries outside the EEA are involved and record the transfer mechanism in the record of processing activities.
  4. Review and register subprocessors. Request the current subprocessor list from Anthropic and record the review in the vendor management system.
  5. Assess employee data and Article 9 data separately. Identify early whether works council involvement, HR sign-off, or a DPIA is required before rollout.

When the Claude DPA Is Not Enough on Its Own

The Anthropic DPA is a necessary starting point but not a sufficient basis for all Claude deployments. A more detailed legal review is regularly required where:

  • the Claude workflow processes large volumes of customer communications, contract documents, or support tickets
  • the deployment involves employee data, recruitment data, or performance-related analysis
  • special categories of personal data under Article 9 GDPR are involved
  • strict EU-only data residency or specific certification requirements apply
  • sector-specific regulation applies, such as financial services, healthcare, or regulated professional advice

In these scenarios, checking the DPA box is not enough. What is needed is a full assessment covering the DPA, processing architecture, legal basis, transfer mechanism, and internal governance rules.

Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, commercial contracts, employment law, and AI procurement. If you want to review the Claude DPA or another AI vendor contract before rollout, contact us.

FAQ

What is the Claude data processing agreement?

The Claude DPA is the contractual framework Anthropic provides for commercial products to meet Article 28 GDPR processor requirements. It is incorporated into the commercial terms and includes Standard Contractual Clauses for international data transfers. For German companies, the key task is verifying whether the DPA fits the specific deployment and data types involved.

Is the Claude DPA sufficient for Article 28 GDPR compliance?

The Anthropic DPA covers the mandatory Article 28 GDPR content in principle. Whether it is sufficient for a specific deployment depends on whether the processor role, data categories, subprocessors, and transfer paths are correctly mapped and documented for the actual use case.

Does the Claude DPA apply to the Claude API?

Yes. Anthropic states the DPA with SCCs applies to its commercial products including the Claude API. Companies using Claude through a third-party platform such as Amazon Bedrock must review that platform’s contract stack separately, as the Anthropic DPA does not directly govern those deployments.

What does the Claude DPA cost?

Anthropic does not offer a separately priced DPA. It is included as part of the commercial terms for paid products such as Claude Enterprise and the Claude API.

Who needs to sign the Claude DPA?

When contracting directly with Anthropic, the DPA is incorporated into the commercial terms and is not executed as a standalone document. Companies should download the current version, document the review internally, and retain a copy alongside their record of processing activities.

Related Tool Guides

Datadog AI GDPR compliance Germany Bits AI
tools

Datadog AI in Germany: GDPR, AI Act, and Works Council Compliance Guide

Deploying Datadog AI (Bits AI) in Germany: DPA review, AI Act risk classification, works council requirements, and data processing.
Figma DPA and GDPR compliance for German companies
tools

Figma DPA: Does Figma Have a Data Processing Agreement for GDPR?

Figma offers a DPA for Organization and Enterprise plans. Learn what German companies must check before using Figma and Figma AI under GDPR.
Miro GDPR and DPA compliance for German companies
tools

Miro GDPR Compliance: DPA for German Companies

Is Miro GDPR compliant? How to review the Miro DPA, manage data transfers, and use Miro lawfully in Germany.
Grammarly GDPR compliance and data processing agreement for German businesses
tools

Grammarly GDPR Compliance in Germany: DPA, AVV, and Data Privacy

Grammarly offers a DPA for Enterprise customers. Learn what German businesses must assess before deploying Grammarly under GDPR and DSGVO.
HubSpot GDPR compliance and data processing agreement for German businesses
tools

HubSpot GDPR Compliance for German Businesses: DPA, AVV, and AI Act Guide

HubSpot offers a Data Processing Agreement for all customers. Learn what German companies must sign and verify before using HubSpot under GDPR.
OpenAI API GDPR compliance and data processing agreement for German businesses
tools

OpenAI API GDPR Compliance for German Businesses: DPA and AVV Guide

OpenAI offers a DPA for API customers. German businesses must sign it and assess lawful bases for processing personal data under GDPR.

Browse More AI Tools

Frequently asked questions

Does Anthropic offer a data processing agreement for Claude Enterprise?

Yes. Anthropic states that its DPA with SCCs is incorporated into the commercial terms for products including Claude Enterprise and the Claude API. Companies should still verify whether the contract fits their concrete deployment and data flows.

Is the Claude DPA sufficient for Article 28 GDPR compliance?

The Anthropic DPA covers the mandatory Article 28 GDPR content in principle. Whether it is sufficient depends on whether processor role allocation, data categories, transfer paths, and subprocessors are correctly mapped to the actual workflow.

Does the Claude DPA also apply to the Claude API?

Yes. Anthropic states the DPA with SCCs applies to commercial products including the Claude API. Companies accessing Claude through a third-party platform such as Amazon Bedrock must review that platform's contract stack separately.

What does the Claude DPA cost?

Anthropic does not offer a separately priced DPA. The DPA is part of the commercial terms and automatically included with paid products such as Claude Enterprise or the Claude API.

Who needs to sign the Claude DPA?

When contracting directly with Anthropic, the DPA is incorporated into the commercial terms and is not signed as a separate document. Companies should download the current version, review it internally, and document the review against the specific use case.

Book Free Call