Claude Enterprise compliance and DPA guide for German companies

Claude Enterprise: GDPR, DPA & EU Data Residency

What is Claude Enterprise?

Claude Enterprise is Anthropic's highest-tier business plan with SSO, audit logs, an automatic GDPR DPA, and optional Zero-Data-Retention. The current plan uses an annual per-user seat fee for access, while all chat, Claude Code, and Cowork usage is billed separately at standard API rates.

  • Claude Enterprise includes SSO, audit logs, custom data retention controls, Compliance API access, a GDPR DPA, and optional Zero-Data-Retention.
  • Enterprise pricing uses an annual seat fee for access, while usage is billed separately at standard API rates with no included token allowance.
  • EU data residency is not included by default; strict EU-only processing requires AWS Bedrock or Google Vertex AI deployment.

Claude Enterprise can support GDPR-compliant use in Germany if your organisation verifies the Anthropic DPA, international transfer setup, retention controls, and the fact that EU data residency is not included by default. It is Anthropic’s higher-governance plan for organisations that need SSO, audit logs, stronger admin controls, and enterprise procurement support. Under Anthropic’s current documentation, Claude Team is the official business plan name for teams, while Claude Enterprise sits above it with additional governance features. This guide explains what Claude Enterprise includes, where the GDPR and DPA boundaries sit, and when Enterprise is preferable to Claude Team for German businesses. For an overview of the full AI tool landscape, see the AI tools assessed by Compound Law.

Claude Enterprise: Quick Summary

  • What it is: Anthropic’s highest-tier commercial AI plan for enterprise governance
  • What it costs: Annual per-user seat fee for access, with all usage billed separately at standard API rates
  • What’s included: SSO with SCIM, audit logs, custom data retention controls, GDPR DPA, Claude Code, Cowork, Compliance API, Analytics API, spend limits, optional ZDR
  • Who it’s for: Organisations requiring SSO, audit logs, stronger admin controls, or enterprise procurement support

Claude plan comparison: Free, Pro, Team, Business and Enterprise

| Feature | Claude Free | Claude Pro | Claude Team | Claude Business | Claude Enterprise |
|---|---|---|---|---|---|
| DPA/AVV included | No | No | Yes | Yes | Yes |
| Price | Free | ~€20/month | ~€25/user/month | ~€25/user/month | Annual per-user seat fee + separate API-rate usage |
| SSO | No | No | No | No | Yes |
| Audit logs | No | No | No | No | Yes |
| Custom system prompts | No | No | No | No | Yes |
| Zero-Data-Retention | No | No | No | No | Optional |
| Minimum users | 1 | 1 | 5 | 5 | 20 self-serve / 50 sales-assisted |
| GDPR suitable for business | No | No | Yes | Yes | Yes |

Note: Anthropic does not offer a plan officially called “Claude Business.” The term is commonly used to refer to Claude Team — see our Claude Business guide for details.

When to choose Enterprise vs Team vs Business

The Claude Team plan is the right fit when you need a GDPR DPA and a shared workspace but do not require SSO, audit logs, or custom system prompts. It starts from approximately €25 per user per month on annual billing, with a minimum of 5 users.

Claude Business is a common search term for Claude Team — both refer to Anthropic’s entry-level commercial plan with a DPA. See our Claude Business guide for a full comparison.

Claude Enterprise is the right choice when SSO with SCIM, audit logs, custom system prompts, usage governance, or optional Zero-Data-Retention are hard requirements. It is also the tier to evaluate when your organisation needs either self-serve Enterprise at higher seat counts or a sales-assisted procurement path with invoicing, BAA support, or tailored contract handling.

For German companies, the rule of thumb: start at Claude Team if you need a DPA; move to Claude Enterprise when governance controls (SSO, audit logs) or ZDR become procurement requirements. If your procurement team is still comparing the individual subscription against business tiers, our Claude Pro privacy guide explains why Pro is not a lawful fallback for business personal data.

What is Claude Enterprise?

Claude Enterprise is Anthropic’s highest-tier commercial offering for organisations that need more than individual AI access. It is designed for companies deploying AI across teams, with governance, admin, and compliance controls built in from the start.

Key features included in Claude Enterprise:

  • Admin controls and SSO: Centralised user management and single sign-on integration make Claude Enterprise suitable for organisations with IT governance or identity-management requirements.
  • Audit logs: Activity and usage logs support internal oversight, vendor-risk documentation, and compliance reporting.
  • Custom system prompts: Organisations can configure default instructions, behavioural guardrails, and workflow context at the organisational level — relevant for consistent, policy-compliant AI use across teams.
  • Expanded context window: Claude Enterprise supports a larger context window than lower tiers, enabling document-heavy workflows such as contract review, multi-document research, and structured analysis.
  • Priority access: Enterprise customers receive priority capacity, which matters for high-volume or time-critical operations.
  • Zero-Data-Retention (ZDR) option: Claude Enterprise supports an optional ZDR configuration where inputs and outputs are discarded immediately after processing and not retained — see the retention section below for detail.

Why German companies evaluate Claude Enterprise

German businesses and DACH-region organisations are increasingly evaluating Claude Enterprise as an AI productivity tool that comes with a compliance-relevant foundation. The automatic DPA, admin controls, and ZDR option make it more structurally suitable for GDPR workflows than consumer-tier or prosumer AI tools.

That said, those built-in controls are a starting point — not a complete GDPR answer. The sections below cover the specific DPA, transfer, and use-case questions that German legal and privacy teams need to work through before rollout.

Claude Enterprise Admin Console Features

Claude Enterprise gives administrators a centralised control layer for managing AI access across teams. The admin console covers:

  • Workspace management: Projects and Folders let teams organise shared prompts, artefacts, and conversation context. Legal teams can maintain separate workspaces for client matters, compliance workflows, and internal knowledge bases.
  • Usage analytics: The admin dashboard shows seat utilisation, conversation volume, active users by team, and model usage — the data points typically needed for software licence reviews and budget reconciliation.
  • Model selection controls: Administrators can control which supported Claude models are available to which teams or projects. This helps prevent unintended access to more capable or cost-intensive models for routine tasks.
  • Sharing and permissions: Admins set rules for conversation sharing, artefact export, and data access at the workspace or team level — relevant for organisations with strict data-classification policies.
  • Custom system prompts: Organisation-level prompts configure default AI behaviour across all sessions. A legal firm can, for example, configure Claude to prepend a confidentiality header to every output: “This response is for internal use only and does not constitute legal advice.” This creates consistent, policy-compliant AI outputs without requiring individual users to configure anything.
  • SSO and SCIM provisioning: Claude Enterprise integrates with standard identity providers (Okta, Azure AD, Google Workspace) for single sign-on and automated user provisioning and deprovisioning — reducing onboarding friction and access-control risk.
  • Per-user spend caps: Admins can set individual monthly spend limits per user, giving finance and operations teams granular cost control across the organisation without needing manual reviews.

Enterprise-only products and integrations

The following are included in the Claude Enterprise seat or available exclusively to Enterprise customers:

  • Claude Code: The Enterprise seat includes access to Claude Code across web, desktop, mobile, and the Claude Code CLI — relevant for engineering teams integrating AI into development workflows at the organisational level.
  • Cowork: Included in the Enterprise seat. Enables collaborative AI sessions within the organisation, letting teams work together in shared Claude contexts.
  • Compliance API: An Enterprise-exclusive feature that enables audit and compliance integrations with existing tooling — relevant for organisations that need to pipe Claude usage data into a SIEM, audit platform, or compliance reporting workflow.

Law firms, in-house legal teams, and compliance functions are among the most active Claude Enterprise adopters. The three highest-impact use cases are contract review, due diligence, and compliance documentation. Below are the core workflows where Claude’s long-context capabilities create measurable operational value. One important caveat: the standard paid-plan context window is 200K, and 500K applies only on supported newer models.

Contract review and redlining. Upload full contracts — up to approximately 150,000 words — and ask Claude to flag risk clauses, identify missing provisions, suggest redline language, or compare against a standard template. Legal teams use this to accelerate first-pass review of commercial agreements, vendor contracts, and NDAs without sending the document to an external tool.

Due diligence and multi-document analysis. Claude processes multiple documents simultaneously within a single session — financial statements, regulatory filings, organisational charts, and prior agreements. For data room packages, this means structured analysis of large document sets without splitting work across separate queries or summarisation steps.

Compliance documentation. Draft GDPR Records of Processing Activities (RoPA), internal AI usage policies, DPA response templates, and privacy notices. Claude can structure these to required formats and adapt the output based on applicable regulation, sector, and jurisdiction — useful for teams managing compliance across multiple entities.

Legal research across large corpora. Ask Claude to analyse a body of case law, summarise regulatory changes across jurisdictions, or compare requirements under different regimes — for example, GDPR versus UK GDPR versus Swiss nDSG. This works best when source documents are uploaded directly rather than relying on model training data.

M&A workflow support. Term sheet analysis, shareholder agreement review, integration checklist generation, and data room structuring. With ZDR enabled, sensitive deal materials are processed without persistent storage — directly relevant for confidentiality obligations and deal-security requirements.

Internal knowledge management. Configure organisation-level system prompts with firm-specific knowledge: matter types, standard client instructions, billing codes, escalation contacts, and preferred contract structures. This turns Claude into a context-aware assistant that reflects your firm’s practice from the start of every session.

Compound Law advises legal teams and compliance functions on AI procurement, GDPR compliance, and governance design for tools like Claude Enterprise. If you are assessing Claude for a legal practice or in-house function, discuss your use case with us. For context on AI regulation affecting legal services, see our AI Act guide for legal services.

Which Claude plan includes a DPA?

For German buyers, the first practical question is often: which Claude tier actually includes an AVV/DPA? The table below reflects Anthropic’s commercial terms effective January 1, 2026.

| Plan | DPA/AVV included | Suitable for GDPR/DSGVO business use |
|---|---|---|
| Claude Free | No | No — consumer terms only |
| Claude Pro | No | No — consumer terms only |
| Claude Team | Yes (automatic) | Yes — minimum 5 users |
| Claude Enterprise | Yes (automatic) | Yes |
| Anthropic API | Yes (automatic) | Yes |

Three points worth noting before procurement:

  • Free and Pro tiers do not include a DPA. Any business processing personal data on these tiers is non-compliant with Article 28 GDPR. Consumer terms do not substitute for a processor agreement.
  • The DPA is incorporated automatically into Anthropic’s commercial terms — no separate signature is required for standard deployment.
  • The current DPA version is effective January 1, 2026. Confirm the applicable version in writing at time of contract.

For German companies, the minimum compliant tier for business use is Claude Team (minimum 5 users, approximately €25 per user per month on annual billing). Claude Free and Claude Pro are consumer products — using them for business data processing involving personal data is not a defensible GDPR setup. For a full breakdown of Claude Team — including what the colloquial term “Claude Business” means, how Team compares to Pro, and what the DPA covers for GDPR compliance — see our Claude Business plan guide.

This page is general information, not legal advice for a specific implementation. If you are comparing LLM vendors for a German rollout, it also helps to review our pages on OpenAI API, AWS Bedrock, Perplexity, and our broader AI legal expertise.

Can German companies use Claude Enterprise lawfully?

In many cases, yes. But the legal answer depends on how you use Claude Enterprise, not just on the vendor name.

Under the GDPR, the relevant questions are familiar:

  1. What personal data goes into Claude?
  2. What is the legal basis under Article 6 GDPR?
  3. Is there a valid Article 28 GDPR processor agreement?
  4. Are there international transfers under Chapter V GDPR?
  5. Are the technical and organizational measures under Article 32 GDPR sufficient?
  6. Does the workflow create added labor-law, confidentiality, or DPIA risk?

For businesses in Germany, Claude Enterprise is often easiest to justify for lower-risk internal productivity use, such as drafting, summarization, research support, or structured knowledge work where teams avoid sensitive source material. Common deployment patterns — including internal chatbots and writing assistance — require review against AI chatbot compliance under GDPR and AI writing assistant compliance frameworks. The position changes once the deployment touches:

  • customer communications containing broad personal data
  • employee data or manager-facing analytics
  • trade secrets and confidential deal documents
  • regulated advice or high-impact decision support
  • special categories of personal data under Article 9 GDPR

That is why the better procurement question is not “Is Claude GDPR compliant?” but “Is our Claude deployment contractually and operationally defensible?” Claude Enterprise is frequently adopted by professional services companies and legal services firms in Germany where confidentiality and professional-secrecy obligations demand a higher standard of vendor scrutiny.

Does Anthropic offer a DPA and what needs review?

Anthropic states in its help documentation for commercial products that its DPA with Standard Contractual Clauses is automatically incorporated into the commercial terms. Anthropic also states that this answer applies to products such as Claude for Work and the Claude API, while use through a third-party platform is governed by that platform’s own terms instead.

That distinction matters in practice:

  • if you buy Claude directly from Anthropic, the Anthropic commercial terms and DPA are the starting point
  • if you access Claude through another vendor, such as a cloud platform, you also need to review that vendor’s contract stack

Anthropic’s public help materials also indicate that, for commercial products, the customer organization controls user data and Anthropic processes that data to provide the service on the customer’s behalf. That is generally helpful for an Article 28 GDPR analysis, but it is still not the end of the review.

Before rollout, legal and privacy teams should verify at least the following:

| Issue | Why it matters | What legal should verify |
|---|---|---|
| Processor role | Your GDPR obligations depend on whether Anthropic acts as processor, controller, or a mixed-role provider | Match the DPA and service terms to the actual workflow and data types |
| Article 28 terms | A DPA is required where Claude processes personal data on your behalf | Check instructions, confidentiality, deletion, audit language, and subprocessor commitments |
| International transfers | Even with strong enterprise controls, a transfer review may still be required | Review SCCs, transfer wording, access scenarios, and any supplementary measures |
| Retention and deletion | Prompt, output, and admin logs can persist longer than business teams expect | Confirm retention defaults, deletion controls, and whether exceptions apply |
| Security and incidents | Security promises matter for procurement and vendor-risk sign-off | Review certifications, TOMs, breach-notification terms, and internal escalation steps |

If your use case includes customer-facing automation, internal policy drafting, or knowledge workflows, compare the Claude contract review against your wider AI stack rather than assessing it in isolation. That is why buyers often evaluate Claude together with OpenAI API or AWS Bedrock.

For a detailed guide on accessing, verifying, and stress-testing the Anthropic Data Processing Agreement, see our dedicated Claude DPA page and our vendor-specific Anthropic DPA guide. For a comprehensive overview of GDPR compliance requirements for Claude — including legal basis, DPIA triggers, and a practical checklist — see our Claude GDPR compliance page. For developer and engineering teams using Claude Code and the Anthropic API, see our Claude Code GDPR guide for API-specific compliance considerations.

What the Claude Enterprise DPA covers

The Anthropic commercial DPA is designed to satisfy Article 28 GDPR requirements for processor agreements. Key elements buyers should expect to find — and verify — include:

  • Processor instructions: Anthropic processes customer data only on documented customer instructions — the foundational Article 28 requirement.
  • Confidentiality: Anthropic staff with access to customer data are bound by confidentiality obligations, covering both personnel and subprocessors.
  • Security measures (Article 32 GDPR): Technical and organisational measures appropriate to the risk, including encryption, access controls, and incident response procedures. Substantiated by SOC 2 Type II and ISO 27001 certifications.
  • Subprocessor controls: A list of authorised subprocessors, a notification mechanism for subprocessor changes, and the right to object. German companies should request the current subprocessor list and map it against their vendor register before sign-off.
  • Deletion and return: On contract termination, Anthropic must delete or return customer data. Verify applicable timeframes and any backup-retention exceptions.
  • Audit rights: The right to audit Anthropic’s GDPR compliance — typically satisfied in practice through Anthropic’s third-party certification stack (SOC 2 Type II, ISO 27001).
  • Standard Contractual Clauses (SCCs): The DPA incorporates SCCs as the transfer mechanism for EEA data leaving the EEA. Buyers should confirm which SCC module applies — typically Module 2 (Controller to Processor) for enterprise deployments — and whether supplementary measures are required for their specific risk profile.

Is a BAA available for Claude Enterprise?

For healthcare organisations or those subject to comparable sector requirements, the relevant question is whether Anthropic offers a Business Associate Agreement (BAA) or equivalent sector-specific addendum. BAA availability for Claude Enterprise depends on the specific deployment and the categories of data involved. Buyers should raise this question directly with Anthropic’s enterprise sales team at the DPA negotiation stage — not after contract execution. For regulated-sector deployments in Germany, involvement of external legal counsel at the contract-review stage is advisable.

DPA negotiation: what is and is not standard

For Claude Enterprise, the DPA is incorporated automatically but is not static. Understanding what is negotiable informs when to involve legal:

  • Standard DPA terms cover the Article 28 requirements listed above and are sufficient for most enterprise deployments.
  • Negotiable elements include specific retention periods, subprocessor change-notification windows, SLA response times, and sector-specific addenda for regulated industries.
  • What buyers cannot typically change: Core model behaviour, training data controls (commercial customer data is not used for training by default), and infrastructure architecture.

Legal and privacy teams should review the DPA before contract signature and confirm that the final executed version matches the version reviewed. For larger negotiated deployments, the DPA negotiation phase is also the right moment to raise DPIA requirements, any BetrVG co-determination considerations if the deployment affects employee data, and ZDR configuration.

EU Data Residency and Claude Enterprise

Claude Enterprise does not include EU data residency. The plan uses US-based infrastructure by default; if EU-only processing is a hard requirement, the only architecturally confirmed paths are AWS Bedrock EU profiles (Frankfurt eu-central-1) or Google Vertex AI EU regions — both require a separate cloud provider setup outside the Claude Enterprise contract. For a full breakdown of deployment paths, transfer compliance implications, and EU hosting options, see our guide to Claude EU data residency options.

For international transfer compliance under Chapter V GDPR, the Claude Enterprise DPA incorporates Standard Contractual Clauses (SCCs). Buyers should verify whether supplementary measures are required for their specific risk profile — in particular for high-sensitivity deployments involving customer-facing data or regulated sectors — and confirm which subprocessors involve third-country access.

Training, retention, and confidentiality questions buyers ask

Anthropic’s commercial privacy documentation is useful here. Anthropic states that commercial customer data is not used to train its models by default, and its privacy materials also describe retention controls for commercial products. That is helpful, but a legal review should still go one layer deeper.

The key buyer questions are usually:

Is Claude trained on our prompts and outputs?

For commercial products, Anthropic states that customer data is not used to train models by default. That is a strong procurement point, especially for companies handling confidential documents, board materials, or product plans.

How long is data retained?

Retention is not a side issue. Prompt data, output data, usage logs, admin logs, and shared workspace content can each have different retention logic. Legal teams should verify:

  • default retention periods
  • configurable deletion options
  • whether backups or security logs follow a different schedule
  • whether shared chats or workspace exports create separate copies

Zero-Data-Retention (ZDR) for Enterprise customers

Beyond standard retention controls, Anthropic offers an optional Zero-Data-Retention (ZDR) add-on for Enterprise customers:

  • With ZDR enabled, inputs and outputs are not stored after the request is complete — they are processed in memory and discarded immediately.
  • ZDR is particularly relevant for high-sensitivity workflows: M&A preparation, legal privilege communications, patient data processing, or board-level strategic documents.
  • ZDR applies at the API level and requires explicit activation — it is not on by default.

For procurement teams, ZDR changes the retention risk picture materially. Companies operating in regulated sectors or handling trade secrets should ask specifically whether ZDR is available for their deployment path and whether it is compatible with their audit-log and incident-response requirements.

Who can access the data?

Buyers should not stop at the statement that access is limited. They should ask which categories of Anthropic staff, subprocessors, or support personnel may access data, under what conditions, and how that access is documented and controlled.

Are certifications enough?

No. Anthropic publicly lists certifications and assurance frameworks such as SOC 2 Type II, ISO 27001, and ISO 42001. These are relevant and helpful, but they do not replace the legal questions around purpose, data minimization, transfer risk, and internal governance.

For many German businesses, the real confidentiality control is not only the vendor contract. It is also the internal rule that employees must not paste unnecessary personal data, secrets, or regulated content into Claude in the first place.

When Claude can be used for customer, employee, or sensitive data

This is where the legal analysis becomes use-case specific.

Customer data

Claude can sometimes be used for customer data, for example in carefully designed support, success, or drafting workflows. But that depends on how much content is sent to the model, whether free text includes unnecessary personal data, and whether customers are informed appropriately.

The safer cases usually involve:

  • limited metadata
  • pseudonymized or redacted text
  • non-sensitive operational workflows
  • human review before any customer-facing output is used

The harder cases include large-scale ticket ingestion, complaint handling, or contract analysis involving identifiable individuals.

Employee data

Employee data requires stricter scrutiny in Germany. If Claude is used in ways that affect hiring, evaluation, productivity analysis, or workplace monitoring, the issue is no longer only GDPR. Co-determination rights under section 87(1) no. 6 BetrVG may become relevant, and some deployments can raise DPIA or labor-law concerns even if the tool is marketed as a productivity assistant.

Special-category data

Where the workflow involves health data, biometric data, union-membership data, or other Article 9 GDPR categories, companies should assume a significantly higher threshold for lawful deployment. In many cases, a standard enterprise rollout process is not enough.

Trade secrets and highly confidential documents

Not every legal risk is a privacy risk. Founders and management teams often want to use Claude for due diligence, term sheet drafting, M&A preparation, or internal investigations. Those uses can be attractive, but they need a separate review of confidentiality, access control, document classification, and internal approval rules.

Claude Enterprise vs ChatGPT Enterprise vs Microsoft Copilot

For procurement teams evaluating multiple enterprise AI vendors, a structured comparison against the two most common alternatives helps focus the review on the dimensions that matter for GDPR compliance and enterprise governance in Germany.

| Feature | Claude Enterprise | ChatGPT Enterprise | Microsoft Copilot |
|---|---|---|---|
| Provider | Anthropic | OpenAI | Microsoft |
| EU hosting possible | Yes (via AWS Bedrock / Google Vertex AI) | Yes (Azure EU regions) | Yes (EU Data Boundary) |
| DPA / AVV | Automatic in commercial terms | Automatic in commercial terms | Via Microsoft DPA |
| Zero-Data-Retention | Optional (ZDR add-on) | Optional | Limited |
| SSO / SCIM | Yes | Yes | Yes (M365 integration) |
| Audit logs | Yes | Yes | Yes |
| Context window | 200K by default; 500K on supported newer models | 128,000 tokens | Context-dependent |
| Training on customer data | No (default) | No (default) | No (default) |
| Strength | Long context, document analysis, constitutional AI guardrails | Broad ecosystem, code interpreter, data analysis | M365 integration, native Office workflows |
| EU cloud deployment | AWS Bedrock, Google Vertex AI | Azure | Azure |

When to choose Claude Enterprise

Claude Enterprise stands out for long-context document analysis, especially where supported newer models unlock a 500K chat window. That makes it particularly effective for contract review, due diligence analysis, research across large corpora, and multi-document legal analysis. Consider Claude Enterprise when:

  • Your workflows involve long documents or large volumes of text that benefit from extended context
  • You prefer to operate outside the Microsoft ecosystem or Azure infrastructure
  • Anthropic’s Constitutional AI approach and built-in safety guardrails align with your AI governance requirements
  • You want a direct contractual relationship with Anthropic including a standalone DPA/AVV

When to choose ChatGPT Enterprise

ChatGPT Enterprise is particularly strong for teams that rely on structured data analysis, code-generation workflows, or OpenAI’s broad plugin ecosystem. It is a good fit when:

  • Your team uses code interpreter features for data analysis, financial modeling, or automated reporting
  • You want to leverage OpenAI’s fine-tuning capabilities or plugin integrations
  • Your organization is already invested in the OpenAI API and wants Enterprise-grade governance on top

When to choose Microsoft Copilot

Microsoft Copilot is the natural choice for organizations deeply embedded in the Microsoft 365 ecosystem. Its advantages are primarily about workflow integration rather than pure AI capability:

  • Seamless integration within Word, Teams, Outlook, SharePoint, and other M365 applications
  • Leverages existing Azure commitments and Microsoft licensing agreements
  • Teams that work primarily within M365 applications benefit most from native embedding

GDPR note: what the comparison means for German buyers

An important point for procurement teams in Germany: all three vendors require the same foundational GDPR review. A DPA being included in the commercial terms does not mean a deployment is automatically GDPR compliant. For each vendor, you still need to review the processor role allocation, the transfer mechanism and data residency model, subprocessor commitments, and retention logic for your specific workflow. The comparison table above addresses structural features, but the legal review must go deeper for each vendor you shortlist. For a comprehensive GDPR checklist for Claude specifically, see our Claude GDPR compliance page. Compare also our pages on OpenAI API and AWS Bedrock.

Claude Enterprise Security Certifications

Anthropic holds a stack of enterprise security certifications relevant for procurement review, vendor-risk assessments, and regulatory compliance documentation. For German buyers evaluating Claude Enterprise, these are the key certifications and what each means in practice:

  • SOC 2 Type II: An annual independent audit covering security, availability, and confidentiality controls. SOC 2 Type II — as opposed to Type I — confirms that controls were effective over a sustained testing period, not merely that they exist on paper. Required by many enterprise procurement and vendor-risk programmes.
  • ISO 27001: International standard for information security management systems. Relevant for vendor-risk assessments, public-sector procurement in Germany, and financial services frameworks that require certified security controls from technology providers.
  • ISO 42001: AI management system standard — the AI-specific certification. ISO 42001 is relevant for EU AI Act compliance documentation, particularly for organisations deploying AI in higher-risk contexts under Annex III of the AI Act. Relatively few major AI vendors currently hold this certification. Anthropic’s current certification documentation and trust materials are available via Anthropic’s trust portal.

For German procurement teams, ISO 42001 deserves particular attention: it maps to the governance expectations of the EU AI Act’s Annex IV documentation requirements for high-risk AI systems, and it signals a level of AI risk management maturity that goes beyond standard cybersecurity frameworks. For context on how AI Act documentation requirements apply to your business, see our EU AI Act compliance guide.

Claude Enterprise Pricing and Licensing

Claude Enterprise uses a two-part billing model: an annual per-user seat fee for access plus separate usage billing.

  • Seat fee: The seat fee covers access to the Claude Enterprise workspace on web, desktop, and mobile, plus Claude Code and Cowork.
  • Usage billing: Usage is not included in the seat fee. Every token used in chat, Claude Code, or Cowork is billed separately at standard API rates.
  • No included token allowance: Anthropic’s current usage-based Enterprise documentation says there is no plan-level or seat-level usage cap and no included token allowance; admins can instead set spend limits at the organisation or user level.
  • Legacy contracts still exist: Some existing customers remain on older seat-based Enterprise plans with Standard and Premium seats until renewal, so procurement teams should confirm which billing model is actually being offered.
  • Zero-Data-Retention add-on: ZDR is separately negotiated and not included in the standard seat fee.

The entry-level compliant tier for business use remains Claude Team at approximately €25 per user per month (annual billing, minimum 5 users). For current official pricing and to verify the current model before contract, visit Anthropic’s enterprise pricing page directly.

For German companies, the two-part model means legal, finance, and IT should review both the access subscription and the usage-billing logic upfront. For DPA and contract structure review, see our Claude DPA guide or contact us.

For current official pricing and sales contact, visit Anthropic directly. If you need legal review of the DPA, contract structure, or AI procurement process, contact us.

How to Get Claude Enterprise

Claude Enterprise is available both self-serve and through Anthropic’s sales team. The right path depends on seat count, payment method, contract needs, and whether you need advanced commercial support. The typical procurement journey for a mid-to-large organisation is:

  1. Choose self-serve or sales-assisted. Anthropic’s current docs list self-serve Enterprise for organisations starting at 20 seats, while sales-assisted Enterprise starts at 50 seats and is the route for invoicing, multi-currency billing, trials, HIPAA-readiness with a BAA, or dedicated customer success support.
  2. Scope the deployment. Prepare your use case, seat count, identity setup, data sensitivity classification, and any requirements around ZDR, invoicing, or sector-specific addenda.
  3. Confirm the billing model. Current usage-based Enterprise charges an annual seat fee for access and bills actual usage separately at standard API rates. Procurement should verify whether the offer is the current usage-based model or a legacy renewal path.
  4. Review contract and DPA terms. For German organisations, legal and privacy teams should address DPA language, subprocessor commitments, ZDR scope, SLA terms, and whether standard SCCs are sufficient for the intended workflow.
  5. Onboard and configure governance. After signature or self-serve purchase, the practical work is SSO/SCIM setup, spend limits, retention settings, and internal usage rules.

Typical timeline: Self-serve purchases can move quickly once payment and seat count are confirmed. Larger negotiated deployments can still take several weeks where legal, privacy, security, and procurement all review the DPA and commercial terms.

What is negotiable: ZDR configuration, SLA terms, DPA language for specific use cases, and certain subprocessor commitments. Standard clauses may not be sufficient for high-risk deployments in regulated sectors — legal review before signature is advisable.

For guidance on reviewing the Claude Enterprise DPA before signing, see our Claude DPA guide. To discuss the procurement process with Compound Law’s legal team, contact us.

If your team needs an operational decision path, start with these steps:

  1. Map the exact deployment path. Confirm whether you are buying directly from Anthropic or using Claude through another platform.
  2. Classify the intended data. Separate low-risk productivity content from customer data, employee data, sensitive contracts, and special-category data.
  3. Review the DPA and commercial terms. Check processor language, SCCs, subprocessor controls, deletion terms, and security commitments.
  4. Verify transfer and residency assumptions. Do not rely on sales shorthand such as “EU hosting” without confirming the precise processing model.
  5. Set internal usage restrictions. Define what employees may and may not upload, who can approve exceptions, and how high-risk use cases are escalated.
  6. Assess labor-law and DPIA risk. If the workflow affects employees or systematic monitoring, involve HR, privacy, and where relevant the works council early.
  7. Document the decision. Record the approved use case, safeguards, owner, review date, and fallback plan.

This structured review is often more important than the headline question of whether Anthropic offers a DPA. The contract matters, but the workflow design usually decides whether the deployment is defensible.

When extra review is required

General guidance is usually not enough where the Claude deployment:

  • processes large volumes of customer communications
  • supports HR, recruiting, or workforce decisions
  • touches financial, insurance, or health-related data
  • is used in regulated advice or high-impact decision-making
  • handles board, fundraising, or M&A material with strict confidentiality demands

At that point, the right question is no longer “Does Claude Enterprise have a DPA?” It is whether your exact deployment can be defended under the GDPR, your vendor contracts, your labor-law setup, and your internal security rules.

Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, commercial contracts, employment law, and AI procurement. If you want to review a Claude rollout, compare vendor contracts, or pressure-test an AI policy before procurement, contact us.

FAQ

What is Claude Business?

Claude Business is not Anthropic’s current official plan name. As of May 22, 2026, Anthropic’s pricing and help documentation use Claude Team as the business plan for companies, so most searches for Claude Business are really asking about Claude Team. For German buyers, Claude Team is the entry-level commercial tier with a GDPR DPA, while Claude Enterprise adds SSO, audit logs, custom governance controls, and optional Zero-Data-Retention. For the lower-tier plan details, see our Claude Business guide.

What is included in Claude Enterprise?

Claude Enterprise includes a built-in GDPR DPA, SSO with SCIM provisioning, audit logs, custom system prompts, custom data retention controls, Claude Code, Cowork, the Compliance API, the Analytics API, spend limits, priority capacity, and an optional Zero-Data-Retention (ZDR) add-on. Context size depends on the model: 200K is the standard paid-plan window, while supported newer models can reach 500K in chat. Free and Pro tiers do not include a DPA and are not suitable for business data processing under the GDPR.

How does Claude Enterprise differ from Claude Team?

Claude Team and Claude Enterprise both include a GDPR DPA, but differ significantly on governance controls. Claude Enterprise adds SSO with SCIM provisioning, audit logs, custom retention controls, compliance tooling, and optional Zero-Data-Retention. It also uses a different billing structure: the seat fee covers access, and usage is billed separately at standard API rates. For a full breakdown, see the Claude Team vs Enterprise plan comparison.

What is the Claude data processing agreement?

It is the contractual framework Anthropic provides for its commercial products to address controller-processor requirements, including DPA terms and SCC language. For German companies, the real task is to verify whether those terms fit the exact Claude deployment and the categories of data involved.

Is Claude Enterprise GDPR compliant in Germany?

Claude Enterprise can support GDPR-compliant use, but the answer depends on the use case, legal basis, processor setup, transfer mechanism, retention model, and internal controls. There is no useful one-word answer at platform level.

Does Claude Enterprise include EU data residency?

No. Claude Enterprise does not include EU data residency. The plan uses US-based infrastructure by default. If EU-only data residency is a procurement requirement, the only architecturally confirmed paths are AWS Bedrock EU profiles or Google Vertex AI EU regions — both require a separate cloud provider setup outside the Claude Enterprise contract. See our Claude EU Hosting guide for full deployment options.

When do German companies need extra review before using Claude?

Extra review is typically needed for employee data, sensitive customer content, special-category data, regulated sectors, high-impact outputs, or workflows involving monitoring, profiling, or confidential strategic documents.

How does Claude Enterprise compare to ChatGPT Enterprise?

Claude Enterprise is particularly strong for document-heavy analysis because supported newer Claude chat models can reach a 500K context window, while the standard paid-plan window remains 200K. That makes it well-suited for long contracts, multi-document due diligence, and research workflows involving large corpora. ChatGPT Enterprise offers a broader plugin ecosystem, a built-in code interpreter for data analysis, and the option to use OpenAI fine-tuning. Microsoft Copilot is the strongest option for organisations embedded in the Microsoft 365 ecosystem, offering native integration with Word, Teams, and Outlook.

For GDPR-compliant use in Germany, all three vendors require the same core legal review: DPA quality, transfer mechanism, data residency model, subprocessor commitments, and retention logic must be verified for each specific deployment — regardless of which vendor you choose.

What security certifications does Claude Enterprise have?

Anthropic’s current commercial-products certification page lists SOC 2 Type I, SOC 2 Type II, ISO 27001, and ISO/IEC 42001, along with a HIPAA-ready configuration for eligible sales-assisted customers. ISO 42001 is an AI management system standard and is directly relevant for EU AI Act governance documentation. SOC 2 Type II and ISO 27001 are the certifications most commonly required by enterprise procurement teams. Current certification documentation is available via Anthropic’s trust portal.

Law firms and in-house legal teams primarily use Claude Enterprise for contract review and redlining, due diligence document analysis, legal research across large corpora, and compliance documentation drafting. For large matters, the standard 200K context window is already useful, and supported newer models can extend chat context to 500K for larger document sets. With ZDR enabled, sensitive deal and client materials can be processed without persistent storage — directly relevant for professional secrecy and confidentiality obligations.

How do I get Claude Enterprise, and how long does procurement take?

Claude Enterprise is available both self-serve and sales-assisted. Self-serve is the faster route for organisations that meet Anthropic’s current seat threshold and can buy online in USD; sales-assisted is the route for invoicing, a BAA, multi-currency billing, trials, or tailored support. For organisations requiring full legal and privacy review of the DPA and commercial terms, the negotiated path can still take several weeks. German companies should involve legal and privacy teams at the DPA review stage. For guidance on what to review in the Claude DPA before signing, see our Claude DPA guide.


Frequently asked questions

Yes. Anthropic's commercial DPA is automatically incorporated into enterprise terms. It covers processor obligations under Article 28 GDPR, SCC transfer mechanism, subprocessor controls, deletion commitments, and Article 32 security measures. Verify DPA scope, processor role, and retention settings before signing.

Claude Enterprise can support GDPR-compliant use, but compliance depends on the use case, legal basis, DPA terms, transfers, retention, subprocessors, and the categories of data your teams put into the system.

No. Claude Enterprise does not include EU data residency. The plan uses US-based infrastructure by default. EU data residency requires a separate deployment via AWS Bedrock EU profiles (Frankfurt eu-central-1) or Google Cloud Vertex AI EU regions — both require a separate cloud provider setup outside the Claude Enterprise contract.

Claude Enterprise is covered by Anthropic's SOC 2 Type II, ISO 27001, and ISO/IEC 42001 certifications. Anthropic's current commercial-products certification page also references SOC 2 Type I and a HIPAA-ready configuration. Current certification documentation is available at Anthropic's trust portal.

Claude Business is not Anthropic's current official plan name. In current Anthropic pricing and help documentation, the business plan for companies is Claude Team. For German buyers, Claude Team is the entry-level commercial tier with a GDPR DPA, while Claude Enterprise adds SSO, audit logs, and stronger governance controls.

Law firms and in-house legal teams use Claude Enterprise primarily for contract review and redlining, due diligence document analysis, legal research across large corpora, and compliance documentation drafting. For long-document workflows, buyers should distinguish between the standard 200K context window and the 500K window available only on supported newer models.

Claude Enterprise is available both self-serve and through Anthropic's sales team. Current pricing uses an annual per-user seat fee for access, with all usage billed separately at standard API rates; larger negotiated deployments may still involve a longer legal, privacy, and procurement cycle.

Claude Enterprise includes a built-in GDPR DPA (automatically incorporated into commercial terms), SSO with SCIM provisioning, audit logs, custom system prompts, an expanded context window, priority access, and an optional Zero-Data-Retention (ZDR) add-on. It is Anthropic's highest-tier commercial plan for organisations that require enterprise AI governance.
