Claude Enterprise
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 94 out of 100. Independent certifications, including ISO 27001 and SOC2 TYPE2, are confirmed via the vendor's trust portal, with audit reports available under NDA. A recent change includes the disclosure and fix of CVE-2026-22561, which is already addressed by the vendor. The buyer's next step is to confirm they are running a current version of the product.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No known CVEs against the mapped product identity.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 8 legal/policy documents publicly tracked.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://support.claude.com/en/articles/13296973-hipaa-ready-enterprise-plans |
| GDPR | Stated by vendor | https://www.anthropic.com/legal/privacy |
| HIPAA | Stated by vendor | https://support.claude.com/en/articles/13296973-hipaa-ready-enterprise-plans |
| ISO 27001 | Stated by vendor | https://trust.anthropic.com/ |
| SOC 2 | Stated by vendor | https://trust.anthropic.com/ |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Processing Agreement (DPA) |
View document →
“This Data Processing Addendum ( “DPA” ) is incorporated into and forms part of the Anthropic Commercial Terms of Service or other agreement between Customer and Anthropic that references this DPA and governs Customer’s use of the Services (the “Agreement” ), and applies to Anthropic’s processing…”vendor's exact wording |
https://www.anthropic.com/legal/data-processing-addendum |
| IP / Content Ownership key clause |
True
“As between you and Anthropic, and to the extent permitted by applicable law, you retain any right, title, and interest that you have in such Inputs. Subject to your compliance with our Terms, we assign to you all our right, title, and interest (if any) in Outputs.”vendor's exact wording |
https://www.anthropic.com/legal/consumer-terms |
| Limitation of Liability key clause |
False
“Nothing in these Terms excludes or limits our liability for: death or personal injury caused by our negligence; fraud or fraudulent misrepresentation; and any matter in respect of which it would be unlawful for us to exclude or restrict our liability.”vendor's exact wording |
https://www.anthropic.com/legal/consumer-terms |
| Sub-processors (published list) | View document → | https://trust.anthropic.com/subprocessors |
| Trains on Customer Data key clause |
Free / Pro:
trains on data
Free/Pro (claude.ai): inputs/outputs may be used to train unless you opt out.
cited →
Enterprise:
does not train
Commercial/API terms: Anthropic may not train models on Customer Content.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.anthropic.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://trust.anthropic.com/ |
Common compliance questions
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. Trust center → |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center → |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
5 legal & policy documents under change-monitoring since 2026-06-11. 1 tracked change detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-08 | CVE / Security Incident |
1 new CVE (published from 2026-03-31): CVE-2026-22561. A fix is available from the vendor for all of these.
What this means: Disclosed and already fixed by the vendor — no action needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not an active exposure.
|
Search the Legal Documents verbatim · cited
Search Claude Enterprise's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Claude Enterprise — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Claude Enterprise changes something that affects your risk. Built for procurement & security teams.