Book Free Call
Claude data processing agreement review for companies in Germany
tools

Claude Data Processing Agreement: GDPR, EU Hosting, and Legal Checks

Can German companies use Claude Enterprise lawfully?

Yes, but only after a structured GDPR review. German companies should verify the Anthropic DPA, processor role, transfer setup, retention settings, and whether the planned Claude use case involves customer data, employee data, trade secrets, or special-category data.

  • Anthropic says its commercial DPA with SCCs is incorporated into the commercial terms, but buyers still need to review role allocation and retention.
  • Claude Enterprise can fit low-risk workflows, but customer support, HR, regulated advice, and sensitive data uses require closer review.
  • If strict EU-only hosting matters, confirm the exact deployment and transfer model in writing instead of relying on generic sales language.

Claude data processing agreement questions matter because German buyers are not really asking whether Claude Enterprise is “good at privacy” in the abstract. They are asking whether Claude Enterprise can be used lawfully under the GDPR in Germany, whether Anthropic offers a workable DPA, and whether the product setup is acceptable for customer data, employee data, trade secrets, and international transfers. The short answer is yes, sometimes, but only after a concrete contract and use-case review. For context on how Claude Enterprise fits into the broader enterprise AI landscape, see the AI tools assessed by Compound Law.

Short answer

Claude Enterprise can be used by companies in Germany, but not on autopilot.

  • Review Anthropic’s Data Processing Addendum (DPA), SCCs, retention controls, and security commitments.
  • Confirm whether Anthropic acts as a processor for your deployment and whether any third-country transfer remains relevant.
  • Restrict higher-risk use cases involving employee data, sensitive customer content, or high-impact outputs until legal and privacy review is complete.

Which Claude plan includes a DPA?

For German buyers, the first practical question is often: which Claude tier actually includes an AVV/DPA? The table below reflects Anthropic’s commercial terms effective January 1, 2026.

PlanDPA/AVV includedSuitable for GDPR/DSGVO business use
Claude FreeNoNo — consumer terms only
Claude ProNoNo — consumer terms only
Claude TeamYes (automatic)Yes — minimum 5 users
Claude EnterpriseYes (automatic)Yes
Anthropic APIYes (automatic)Yes

Three points worth noting before procurement:

  • Free and Pro tiers do not include a DPA. Any business processing personal data on these tiers is non-compliant with Article 28 GDPR. Consumer terms do not substitute for a processor agreement.
  • The DPA is incorporated automatically into Anthropic’s commercial terms — no separate signature is required for standard deployment.
  • The current DPA version is effective January 1, 2026. Confirm the applicable version in writing at time of contract.

For German companies, the minimum compliant tier for business use is Claude Team (minimum 5 users, approximately €25 per user per month on annual billing). Claude Free and Claude Pro are consumer products — using them for business data processing involving personal data is not a defensible GDPR setup.

This page is general information, not legal advice for a specific implementation. If you are comparing LLM vendors for a German rollout, it also helps to review our pages on OpenAI API, AWS Bedrock, Perplexity, and our broader AI legal expertise.

Can German companies use Claude Enterprise lawfully?

In many cases, yes. But the legal answer depends on how you use Claude Enterprise, not just on the vendor name.

Under the GDPR, the relevant questions are familiar:

  1. What personal data goes into Claude?
  2. What is the legal basis under Article 6 GDPR?
  3. Is there a valid Article 28 GDPR processor agreement?
  4. Are there international transfers under Chapter V GDPR?
  5. Are the technical and organizational measures under Article 32 GDPR sufficient?
  6. Does the workflow create added labor-law, confidentiality, or DPIA risk?

For businesses in Germany, Claude Enterprise is often easiest to justify for lower-risk internal productivity use, such as drafting, summarization, research support, or structured knowledge work where teams avoid sensitive source material. Common deployment patterns — including internal chatbots and writing assistance — require review against AI chatbot compliance under GDPR and AI writing assistant compliance frameworks. The position changes once the deployment touches:

  • customer communications containing broad personal data
  • employee data or manager-facing analytics
  • trade secrets and confidential deal documents
  • regulated advice or high-impact decision support
  • special categories of personal data under Article 9 GDPR

That is why the better procurement question is not “Is Claude GDPR compliant?” but “Is our Claude deployment contractually and operationally defensible?” Claude Enterprise is frequently adopted by professional services companies and legal services firms in Germany where confidentiality and professional-secrecy obligations demand a higher standard of vendor scrutiny.

Does Anthropic offer a DPA and what needs review?

Anthropic states in its help documentation for commercial products that its DPA with Standard Contractual Clauses is automatically incorporated into the commercial terms. Anthropic also states that this answer applies to products such as Claude for Work and the Claude API, while use through a third-party platform is governed by that platform’s own terms instead.

That distinction matters in practice:

  • if you buy Claude directly from Anthropic, the Anthropic commercial terms and DPA are the starting point
  • if you access Claude through another vendor, such as a cloud platform, you also need to review that vendor’s contract stack

Anthropic’s public help materials also indicate that, for commercial products, the customer organization controls user data and Anthropic processes that data to provide the service on the customer’s behalf. That is generally helpful for an Article 28 GDPR analysis, but it is still not the end of the review.

Before rollout, legal and privacy teams should verify at least the following:

IssueWhy it mattersWhat legal should verify
Processor roleYour GDPR obligations depend on whether Anthropic acts as processor, controller, or a mixed-role providerMatch the DPA and service terms to the actual workflow and data types
Article 28 termsA DPA is required where Claude processes personal data on your behalfCheck instructions, confidentiality, deletion, audit language, and subprocessor commitments
International transfersEven with strong enterprise controls, a transfer review may still be requiredReview SCCs, transfer wording, access scenarios, and any supplementary measures
Retention and deletionPrompt, output, and admin logs can persist longer than business teams expectConfirm retention defaults, deletion controls, and whether exceptions apply
Security and incidentsSecurity promises matter for procurement and vendor-risk sign-offReview certifications, TOMs, breach-notification terms, and internal escalation steps

If your use case includes customer-facing automation, internal policy drafting, or knowledge workflows, compare the Claude contract review against your wider AI stack rather than assessing it in isolation. That is why buyers often evaluate Claude together with OpenAI API or AWS Bedrock.

EU hosting, international transfers, and subprocessors

This is the part many German buyers care about most. A search for claude eu hosting or claude data processing agreement usually reflects one core procurement concern: “Will our data stay in the EU, and if not, what is the transfer logic?”

The safe legal answer is: do not assume more than the contract and vendor documentation clearly support.

Anthropic’s current public materials are helpful on DPA availability and certifications, but they should not be treated as a blanket promise that every Claude Enterprise workflow is automatically EU-only. Buyers should distinguish between:

  • where data is stored
  • where data is processed
  • which subprocessors are involved
  • whether support or security access can occur from outside the EEA
  • whether the deployment runs directly with Anthropic or through another platform

This is especially important because companies often confuse three different commercial paths:

  1. Claude Enterprise or Claude for Work directly from Anthropic
  2. Anthropic API
  3. Claude models accessed through a third-party platform such as Amazon Bedrock

The legal review can differ across those paths. If strict residency is essential, the deployment architecture may matter as much as the model itself.

EU hosting paths: what each deployment model means

The table below maps the main Claude deployment paths to their data location and EU-only possibilities:

Deployment pathData locationEU-only possible?
claude.ai / Claude.com directUS by defaultNo dedicated EU option
Anthropic API directUS by defaultNo dedicated EU option
Claude via AWS BedrockConfigurableYes — Frankfurt (eu-central-1), Ireland, Paris
Claude via Google Vertex AIConfigurableYes — Belgium, Netherlands, Poland, and other EU regions

If EU-only data residency is a hard requirement, the only architecturally confirmed paths are AWS Bedrock EU profiles or Google Vertex AI EU regions. Direct claude.ai or API purchases do not guarantee EU-only storage or processing.

One important caveat: the Microsoft 365 Copilot + Claude integration is explicitly excluded from the Microsoft EU Data Boundary as of January 2026. Companies relying on Microsoft 365 for GDPR geographic compliance should not assume that Claude accessed through M365 is covered by that boundary.

For procurement teams in Germany, the practical checklist is:

  • ask for the current subprocessor information and compare it with your vendor register
  • verify whether any support, logging, or security operations create a third-country exposure
  • confirm the applicable transfer mechanism, usually SCCs, if EEA data may leave the EEA
  • document whether your internal policy allows the chosen setup for customer or employee data

If your company needs especially strong geography control, a deployment via AWS Bedrock may deserve separate evaluation because the contract path, infrastructure location, and cloud governance model can differ from a direct SaaS purchase.

Training, retention, and confidentiality questions buyers ask

Anthropic’s commercial privacy documentation is useful here. Anthropic states that commercial customer data is not used to train its models by default, and its privacy materials also describe retention controls for commercial products. That is helpful, but a legal review should still go one layer deeper.

The key buyer questions are usually:

Is Claude trained on our prompts and outputs?

For commercial products, Anthropic states that customer data is not used to train models by default. That is a strong procurement point, especially for companies handling confidential documents, board materials, or product plans.

How long is data retained?

Retention is not a side issue. Prompt data, output data, usage logs, admin logs, and shared workspace content can each have different retention logic. Legal teams should verify:

  • default retention periods
  • configurable deletion options
  • whether backups or security logs follow a different schedule
  • whether shared chats or workspace exports create separate copies

Zero-Data-Retention (ZDR) for Enterprise customers

Beyond standard retention controls, Anthropic offers an optional Zero-Data-Retention (ZDR) add-on for Enterprise customers:

  • With ZDR enabled, inputs and outputs are not stored after the request is complete — they are processed in memory and discarded immediately.
  • ZDR is particularly relevant for high-sensitivity workflows: M&A preparation, legal privilege communications, patient data processing, or board-level strategic documents.
  • ZDR applies at the API level and requires explicit activation — it is not on by default.

For procurement teams, ZDR changes the retention risk picture materially. Companies operating in regulated sectors or handling trade secrets should ask specifically whether ZDR is available for their deployment path and whether it is compatible with their audit-log and incident-response requirements.

Who can access the data?

Buyers should not stop at the statement that access is limited. They should ask which categories of Anthropic staff, subprocessors, or support personnel may access data, under what conditions, and how that access is documented and controlled.

Are certifications enough?

No. Anthropic publicly lists certifications and assurance frameworks such as SOC 2 Type II, ISO 27001, and ISO 42001. These are relevant and helpful, but they do not replace the legal questions around purpose, data minimization, transfer risk, and internal governance.

For many German businesses, the real confidentiality control is not only the vendor contract. It is also the internal rule that employees must not paste unnecessary personal data, secrets, or regulated content into Claude in the first place.

When Claude can be used for customer, employee, or sensitive data

This is where the legal analysis becomes use-case specific.

Customer data

Claude can sometimes be used for customer data, for example in carefully designed support, success, or drafting workflows. But that depends on how much content is sent to the model, whether free text includes unnecessary personal data, and whether customers are informed appropriately.

The safer cases usually involve:

  • limited metadata
  • pseudonymized or redacted text
  • non-sensitive operational workflows
  • human review before any customer-facing output is used

The harder cases include large-scale ticket ingestion, complaint handling, or contract analysis involving identifiable individuals.

Employee data

Employee data requires stricter scrutiny in Germany. If Claude is used in ways that affect hiring, evaluation, productivity analysis, or workplace monitoring, the issue is no longer only GDPR. Co-determination rights under section 87(1) no. 6 BetrVG may become relevant, and some deployments can raise DPIA or labor-law concerns even if the tool is marketed as a productivity assistant.

Special-category data

Where the workflow involves health data, biometric data, union-membership data, or other Article 9 GDPR categories, companies should assume a significantly higher threshold for lawful deployment. In many cases, a standard enterprise rollout process is not enough.

Trade secrets and highly confidential documents

Not every legal risk is a privacy risk. Founders and management teams often want to use Claude for due diligence, term sheet drafting, M&A preparation, or internal investigations. Those uses can be attractive, but they need a separate review of confidentiality, access control, document classification, and internal approval rules.

If your team needs an operational decision path, start with these steps:

  1. Map the exact deployment path. Confirm whether you are buying directly from Anthropic or using Claude through another platform.
  2. Classify the intended data. Separate low-risk productivity content from customer data, employee data, sensitive contracts, and special-category data.
  3. Review the DPA and commercial terms. Check processor language, SCCs, subprocessor controls, deletion terms, and security commitments.
  4. Verify transfer and residency assumptions. Do not rely on sales shorthand such as “EU hosting” without confirming the precise processing model.
  5. Set internal usage restrictions. Define what employees may and may not upload, who can approve exceptions, and how high-risk use cases are escalated.
  6. Assess labor-law and DPIA risk. If the workflow affects employees or systematic monitoring, involve HR, privacy, and where relevant the works council early.
  7. Document the decision. Record the approved use case, safeguards, owner, review date, and fallback plan.

This structured review is often more important than the headline question of whether Anthropic offers a DPA. The contract matters, but the workflow design usually decides whether the deployment is defensible.

When extra review is required

General guidance is usually not enough where the Claude deployment:

  • processes large volumes of customer communications
  • supports HR, recruiting, or workforce decisions
  • touches financial, insurance, or health-related data
  • is used in regulated advice or high-impact decision-making
  • handles board, fundraising, or M&A material with strict confidentiality demands

At that point, the right question is no longer “Does Claude Enterprise have a DPA?” It is whether your exact deployment can be defended under the GDPR, your vendor contracts, your labor-law setup, and your internal security rules.

Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, commercial contracts, employment law, and AI procurement. If you want to review a Claude rollout, compare vendor contracts, or pressure-test an AI policy before procurement, contact us.

FAQ

What is the Claude data processing agreement?

It is the contractual framework Anthropic provides for its commercial products to address controller-processor requirements, including DPA terms and SCC language. For German companies, the real task is to verify whether those terms fit the exact Claude deployment and the categories of data involved.

Is Claude Enterprise GDPR compliant in Germany?

Claude Enterprise can support GDPR-compliant use, but the answer depends on the use case, legal basis, processor setup, transfer mechanism, retention model, and internal controls. There is no useful one-word answer at platform level.

Does Claude Enterprise guarantee EU-only hosting?

Do not treat that as a default assumption without written verification. If strict EU-only processing is essential for procurement, confirm the actual architecture, transfer path, and subprocessor setup before rollout.

When do German companies need extra review before using Claude?

Extra review is typically needed for employee data, sensitive customer content, special-category data, regulated sectors, high-impact outputs, or workflows involving monitoring, profiling, or confidential strategic documents.

Related Tool Guides

Claude data processing agreement Article 28 GDPR review for Germany
tools

Claude Data Processing Agreement: Does Anthropic Offer a DPA?

Claude DPA review for German companies: does Anthropic offer an Article 28 GDPR data processing agreement, what does it cover, and when is it sufficient?
Datadog AI GDPR compliance Germany Bits AI
tools

Datadog AI in Germany: GDPR, AI Act, and Works Council Compliance Guide

Deploying Datadog AI (Bits AI) in Germany: DPA review, AI Act risk classification, works council requirements, and data processing.
Figma DPA and GDPR compliance for German companies
tools

Figma DPA: Does Figma Have a Data Processing Agreement for GDPR?

Figma offers a DPA for Organization and Enterprise plans. Learn what German companies must check before using Figma and Figma AI under GDPR.
Miro GDPR and DPA compliance for German companies
tools

Miro GDPR Compliance: DPA for German Companies

Is Miro GDPR compliant? How to review the Miro DPA, manage data transfers, and use Miro lawfully in Germany.
Grammarly GDPR compliance and data processing agreement for German businesses
tools

Grammarly GDPR Compliance in Germany: DPA, AVV, and Data Privacy

Grammarly offers a DPA for Enterprise customers. Learn what German businesses must assess before deploying Grammarly under GDPR and DSGVO.
HubSpot GDPR compliance and data processing agreement for German businesses
tools

HubSpot GDPR Compliance for German Businesses: DPA, AVV, and AI Act Guide

HubSpot offers a Data Processing Agreement for all customers. Learn what German companies must sign and verify before using HubSpot under GDPR.

Browse More AI Tools

Frequently asked questions

Does Anthropic offer a data processing agreement for Claude Enterprise?

Yes. Anthropic states that its commercial Data Processing Addendum with SCCs is incorporated into its commercial terms, but companies should still review whether the contract fits their concrete Claude deployment and data flows.

Is Claude Enterprise GDPR compliant for companies in Germany?

Claude Enterprise can support GDPR-compliant use, but compliance depends on the use case, legal basis, DPA terms, transfers, retention, subprocessors, and the categories of data your teams put into the system.

Does Claude Enterprise provide EU hosting or EU-only processing?

That question needs precise verification. Buyers should not assume that a Claude Enterprise purchase automatically means EU-only processing for every workflow. If strict residency matters, confirm the deployment model and any transfer path contractually.

Can Claude Enterprise be used for customer or employee data?

Sometimes, yes, but the review becomes stricter for employee data, confidential customer content, special-category data, and workflows that create monitoring, profiling, or high-impact decisions.

Book Free Call