Security & Compliance

Last verified: 13 February 2026 | Applies to: Team, Enterprise

In 30 seconds

Enterprise Claude deployments require clear understanding of data handling, compliance frameworks, and security controls. This page covers what Team and Enterprise admins need to know — from data processing locations to regulatory considerations. For a general overview of how data flows, see Security & Privacy.

Data handling

Where data is processed

• Chat conversations are processed on Anthropic’s servers
• Cowork runs in a sandboxed environment on the user’s computer. Files stay local. Instructions and context are sent to Anthropic for processing.
• Connectors use OAuth tokens. Queries and responses flow through Anthropic’s servers.

Data retention

• Paid plans — Anthropic states that conversations are not used to train models
• Enterprise — custom data retention policies available. Contact Anthropic for specifics.
• Cowork history — stored locally on the user’s machine, not on Anthropic’s servers

Training data

On paid plans (Pro, Max, Team, Enterprise), Anthropic does not use your conversations to train models. On Free plans, conversations may be used unless you opt out.

Security controls by plan

Control	Team	Enterprise
Conversations not used for training	✓	✓
Admin controls	✓	✓
Plugin provisioning	✓	✓
Connector management	✓	✓
SSO (SAML)	—	✓
SCIM provisioning	—	✓
Audit logs	—	✓
Compliance API	—	✓
Data exports	—	✓
Custom data retention	—	✓
Dedicated support	—	✓

Known gaps

Known gap: Cowork audit trail

Cowork conversation history is stored locally on users’ machines. It is not captured in Audit Logs, the Compliance API, or Data Exports — even on Enterprise plans. This is a significant gap for organisations that require comprehensive logging of all AI interactions.

Implications for regulated industries:

• If your compliance framework requires audit trails for all AI-generated content, Cowork sessions create a blind spot
• Consider restricting Cowork access or requiring users to copy outputs into tracked systems
• Chat conversations are captured in Enterprise audit logs — prefer Chat for auditable work

Compliance considerations

SOC 2: Anthropic maintains SOC 2 Type II compliance. Request the report from Anthropic’s security team.

GDPR: For EU operations, review Anthropic’s Data Processing Agreement. Key considerations:

• Where data is processed (Anthropic’s servers are primarily US-based)
• Sub-processor list and management
• Data subject rights implementation

HIPAA: Contact Anthropic’s enterprise team for healthcare-specific guidance. Standard deployments are not HIPAA-compliant out of the box.

Industry-specific: For financial services, legal, government, or other regulated sectors, engage Anthropic’s enterprise team early to review your specific compliance requirements.

Practical recommendations

1. Map your data flows. Before deploying, document which Claude features your team will use and where data travels for each (see Security & Privacy).
2. Use Chat for auditable work. Prefer Chat over Cowork when you need outputs in the audit trail.
3. Review connector permissions. Audit which tools are connected and at what permission level. Read-only is safer as a default.
4. Set organisation-wide guidelines. Use the admin setup to establish what’s acceptable and what’s not (see Admin Setup).
5. Monitor and review. Use Enterprise audit logs to monitor usage patterns and compliance.

Related

• Security & Privacy — general overview for all users
• SSO & Access Controls — authentication and provisioning
• Audit & Compliance — logging and compliance tools
• Admin Setup — setting up your deployment

---

Something wrong or outdated? Let us know →

Get weekly workflows — subscribe to the newsletter.