Verified Compliance Facts
Cited and timestamped — every claim traceable to an official vendor source.
Enterprise Verdict
Conditional proceed
Critical Security Vulnerability: Sandbox Escape
Live Signals This Week
Detected by daily monitoring — captured outside the weekly scrape window.
Anthropic AI Vulnerability Scanner in Enterprise Beta: IBM Joins Glasswing After 10,000 Flaws Found - Tech Times
1 signal detected: vulnerability
Risk Assessment
Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.
Public documentation does not confirm specific uptime commitments or a reliability history; buyers may want to verify their availability with the vendor.
Enterprises should negotiate fixed-rate contracts and monitor pricing changes for overage risks.
Data export supported. Integration score: 60/100. Webhooks available, reducing lock-in risk.
Insufficient public community reviews to verify support quality. Standard support channels (email/documentation) are assumed.
Compliance score: 96/100. GDPR status: unknown. Encryption at rest: unknown.
SOC 2: Type II. ISO 27001: certified. Overall compliance score: 96/100.
Vendor may train on user data. Users retain code/output ownership. Legal/ToS risk score: 45/100.
Due Diligence Alerts
Priority reviews, recommended inquiries, and verified strengths — based on 0+ community data points
A reported sandbox bypass vulnerability in Claude Code could allow for data exfiltration, posing a significant risk to sensitive corporate data and intellectual property. This is a recurring issue, as indicated by community reports from May 2026.
Anthropic experienced an accidental leak of Claude Code's source code, which could expose internal workings and potential vulnerabilities to malicious actors. This incident was reported in May 2026.
The vendor's total liability for loss or damage is capped at the greater of the amount paid in the preceding six months or €100, which is extremely low for enterprise-level engagements and could leave the customer significantly exposed to financial losses.
While an opt-out for model training is available, user inputs and outputs may still be used for model improvement if flagged for safety review or explicitly reported as feedback, potentially exposing proprietary or sensitive data.
Several moderate severity vulnerabilities, including insecure default file permissions and path validation race conditions, were identified and patched in the Claude SDKs for TypeScript and Python in April 2026. While patched, this indicates a need for continuous vigilance in SDK security.
Security & Compliance
External Registry Verification
Data Security
Legal & IP Risk
IP Ownership
As between you and Anthropic, and to the extent permitted by applicable law, you retain any right, title, and interest that you have in such Inputs.
We may use Materials to provide, maintain, and improve the Services and to develop other products and services, including training our models, unless you opt out of training through your account settings.
Liability & Indemnification
Except as otherwise set out in No Limitation above, our total liability to you for any loss or damage arising out of or in connection with these Terms, whether in contract (including under any indemnity), tort (including negligence) or otherwise will be limited to the greater of: (a) the amount you paid to us for access to or use of the Services in the six months prior to the event giving rise to the liability, and (b) €100.
Exit Terms
You may write to us in accordance with your legal rights and ask to switch to another service provider or port all your exportable data and digital assets to an on-premise ICT infrastructure (“Switching Request”).
After the end of the Transitional Period, you shall have 30 calendar days to retrieve all exportable data and digital assets (“Retrieval Period”) and after the switching process is complete and unless otherwise agreed, at the end of the Retrieval Period we shall erase all exportable data and digital assets generated by you or data relating to you directly except to the extent that other laws require or permit us to retain data.
Enterprise Contract Intelligence
DPA availability, data residency, and contract risk signals for procurement teams
DPA availability for Claude Code is not publicly documented. Request a signed Data Processing Agreement directly from the vendor before contract execution — this is a contractual requirement under GDPR Article 28.
Data residency options for Claude Code are not publicly documented. EU-regulated buyers should request written confirmation of data storage location and applicable transfer mechanisms (SCCs/adequacy decision) before signing.
Full contract terms for Claude Code require direct vendor engagement. Ensure data portability on exit, notice period, and pricing lock clauses are negotiated before execution.
Security Certifications
| Certification | Status | Auditor | Valid Until | Source |
|---|---|---|---|---|
| ⏳ Scanning in progress | — | — | — | — |
Data Privacy Documents
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| Sub-processors | ✅ Active | Link | ❌ Not found |
| AI/Model Training Policy | ❌ Not Found | — | Unclear |
| Data Retention Policy | ❌ Not Found | — | ❌ Not found |
| Data Flow Diagram | ❌ Not Found | — | — |
| GDPR Compliance Statement | ❌ Not Found | — | ❌ Not found |
| KVKK Compliance Statement | ❌ Not Found | — | ❌ Not found |
| CCPA Compliance Statement | ❌ Not Found | — | ❌ Not found |
Legal Contracts
See Legal & IP Assessment section above for full analysis of ToS, DPA, MSA, SLA, EULA, and AUP.
Operational Readiness
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| Business Continuity Plan (BCP) | ❌ Not Found | — | ❌ Not found |
| Disaster Recovery Plan (DRP) | ❌ Not Found | — | ❌ Not found |
| Incident Response Plan | ❌ Not Found | — | ❌ Not found |
| 3rd Party Penetration Test | ❌ Not Found | — | ❌ Not found |
Technical Transparency
| Document | Status | URL | AI Assessment |
|---|---|---|---|
| SBOM | ❌ Not Found | — | ❌ Not found |
| OSS License Inventory | ❌ Not Found | — | ❌ Not found |
| Vulnerability Management Policy | ✅ Active | Link | ❌ Not found |
| Patch Management Policy | ❌ Not Found | — | ❌ Not found |
| Offboarding / Data Export Guide | ❌ Not Found | — | ❌ Not found |
| SIG Questionnaire | ❌ Not Found | — | — |
| CAIQ | ❌ Not Found | — | — |
Financial Resilience
| Item | Status | Details |
|---|---|---|
| Cyber Liability Insurance | ❌ Not Found | ❌ Not mentioned |
| TCO Disclosed | ❌ Not Found | Not publicly disclosed |
Community Intelligence
Recurring issues and curated signals from GitHub, Hacker News, Reddit, Stack Overflow, web sources, and enterprise review platforms.
Recurring Issues
Enterprise Impact: Unpredictable operational costs, reduced productivity due to hitting limits, budget overruns.
Clearer pricing models and better in-app usage monitoring are needed to provide enterprises with predictable costs and prevent unexpected overages.
Enterprise Impact: Loss of work, reduced developer productivity, integrity risks in collaborative environments, and issues with sandboxed environments.
Improve session management, worktree isolation, and sandbox path handling to ensure robust persistence and multi-session stability.
Enterprise Impact: Hindered adoption, reliance on manual workarounds, reduced ROI from integrated workflows due to inconsistent or failing integrations.
Enhance integration stability, error handling, and documentation for third-party plugins and core integrations like GitHub and OAuth.
Enterprise Impact: Significant data exfiltration risk, intellectual property compromise, reputational damage due to sandbox bypasses and source code leaks.
Implement more robust sandbox security, conduct regular third-party penetration testing, and improve incident response transparency and speed.
Source Signals
Financial Impact Panel
Cost intelligence and pricing signals for enterprise procurement decisions
Pricing data from public sources — enterprise rates differ. Verify with vendor.
TCO Calculator
Pricing Not Available
Enterprise pricing information could not be obtained for this vendor. This may be due to custom/private pricing models or limited publicly available data.
Estimated Annual TCO — 100 Users (±20% confidence band)
Assumptions
- Pricing not publicly disclosed — contact vendor for quote.
Pricing data not available — all estimates undisclosed.
Synthesized from 20+ independent public sources: developer forums & repositories, security databases, vendor disclosures, regulatory filings, and community review platforms. Not affiliated with any vendor.